CVE-2019-12795

Name
CVE-2019-12795
Description
daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)
NVD Severity
medium

References

Type URI
Patch https://gitlab.gnome.org/GNOME/gvfs/commit/e3808a1b4042761055b1d975333a8243d67b8bfe
Patch https://gitlab.gnome.org/GNOME/gvfs/commit/d8c9138bf240975848b1c54db648ec4cd516a48f
Patch https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a
BID http://www.securityfocus.com/bid/108741
MLIST https://lists.debian.org/debian-lts-announce/2019/06/msg00014.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00008.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00009.html
UBUNTU https://usn.ubuntu.com/4053-1/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2DQVOL5H5BVLXYCEB763DCIYJQ7ZUQ2/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FP6BFQUPQRVRRFIYHFWWB6RHJNEB4LGQ/
REDHAT https://access.redhat.com/errata/RHSA-2019:3553

Match rules

CPE URI                               Source package  Min version  Max version
cpe:2.3:a:gnome:gvfs:*:*:*:*:*:*:*:*  gvfs            >= 1.41.0    < 1.41.3
cpe:2.3:a:gnome:gvfs:*:*:*:*:*:*:*:*  gvfs            >= 1.40.0    < 1.40.2
cpe:2.3:a:gnome:gvfs:*:*:*:*:*:*:*:*  gvfs            >= None      < 1.38.3

Vulnerable and fixed packages

Source package  Branch          Version    Maintainer  Status
gvfs            edge-community  1.40.2-r0  None        fixed
gvfs            3.22-community  1.40.2-r0  None        fixed
gvfs            3.21-community  1.40.2-r0  None        fixed
gvfs            3.20-community  1.40.2-r0  None        fixed
gvfs            3.19-community  1.40.2-r0  None        fixed
gvfs            3.18-community  1.40.2-r0  None        fixed
gvfs            3.17-community  1.40.2-r0  None        fixed