| Package | gvfs |
|---|---|
| Version | 1.30.4-1+deb9u1 (stretch) |
| Related CVEs | CVE-2019-3827 CVE-2019-12447 CVE-2019-12448 CVE-2019-12449 CVE-2019-12795 CVE-2026-28295 CVE-2026-28296 |
Multiple vulnerabilities have been identified in gvfs, the GNOME virtual filesystem layer that gives applications user-space access to local and remote filesystems through a set of backends (for example ftp:// and admin://).
Codean Labs found two issues in the ftp:// backend: an FTP bounce attack, in which a malicious server can direct the client's data connection to a host of its choosing and so learn which ports are open on the client's internal network, and missing CRLF validation of command arguments, which allows an attacker to inject arbitrary FTP commands into the control connection.
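The two client-side checks that close these holes, written here as an added example rather than gvfs's own code: a passive-mode reply is only honoured when it names the host the control connection is already talking to (refusing the bounce), and command arguments are rejected if they contain CR or LF (refusing injection). The example assumes the bounce is the usual passive-mode variant driven by the server's 227 reply, and uses constructed replies and paths as input.

```python
# Added example (not gvfs code): two client-side checks for the ftp://
# backend problems described above. Assumes the bounce is the passive-mode
# variant, where the server's 227 reply names a data address other than the
# server itself, and that command arguments (paths, user names) come from
# untrusted input such as a URI.
import ipaddress
import re
from typing import Tuple


class FtpClientError(ValueError):
    """Raised for replies or arguments the client refuses to act on."""


_CRLF = re.compile(r"[\r\n]")
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." per RFC 959; some servers
# omit the parentheses, so they are optional here.
_PASV = re.compile(
    r"227 .*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?"
)


def argument_is_safe(argument: str) -> bool:
    """An FTP command line ends at CRLF, so a CR or LF inside an argument
    would end the intended command early and have the remainder parsed by
    the server as a second, attacker-chosen command."""
    return _CRLF.search(argument) is None


def build_command(verb: str, argument: str = "") -> bytes:
    """Serialise one command line (verb SP argument CRLF), refusing injection."""
    if not argument_is_safe(verb) or not argument_is_safe(argument):
        raise FtpClientError("CR/LF in FTP command or argument")
    line = f"{verb} {argument}" if argument else verb
    return line.encode("utf-8") + b"\r\n"


def data_address_is_trusted(host: str, control_peer_ip: str) -> bool:
    """Only connect the data channel to the host the control channel is
    already connected to; anything else lets the server use the client to
    probe hosts on the client's own network (the bounce attack)."""
    try:
        return ipaddress.ip_address(host) == ipaddress.ip_address(control_peer_ip)
    except ValueError:  # malformed address such as an octet above 255
        return False


def parse_pasv_reply(reply: str, control_peer_ip: str) -> Tuple[str, int]:
    """Parse a 227 reply and return the (host, port) to open the data connection to."""
    m = _PASV.match(reply)
    if m is None:
        raise FtpClientError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    host = f"{h1}.{h2}.{h3}.{h4}"
    port = (p1 << 8) | p2
    if not data_address_is_trusted(host, control_peer_ip):
        raise FtpClientError(
            f"PASV reply points at {host}, not at control peer {control_peer_ip}"
        )
    if not 1 <= port <= 65535:
        raise FtpClientError(f"PASV port {port} out of range")
    return host, port


if __name__ == "__main__":
    # Constructed sample inputs: a benign reply from the server we are
    # talking to, two replies that try to bounce the data connection
    # elsewhere, and a path carrying an injected DELE command.
    peer = "192.0.2.10"
    print(parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,19,137).", peer))
    for bad_reply in (
        "227 Entering Passive Mode (10,0,0,5,0,22).",
        "227 Entering Passive Mode (192,0,2,999,0,22).",
    ):
        try:
            parse_pasv_reply(bad_reply, peer)
        except FtpClientError as e:
            print("refused:", e)
    print(build_command("CWD", "pub"))
    try:
        build_command("RETR", "notes.txt\r\nDELE important.txt")
    except FtpClientError as e:
        print("refused:", e)
```

Comparing against the control peer is stricter than RFC 959 requires, but it is the check most clients (and ftplib, after its own bounce fix) apply by default; a client that must support servers behind NAT should fall back to the control peer address rather than trust the advertised one.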
The admin:// backend was found to have multiple issues: an incorrect permission check that allowed privileged users to read and modify arbitrary files without being asked for a password when no authentication agent is running (CVE-2019-3827); mishandling of file ownership because setfsuid is not used (CVE-2019-12447); race conditions because the backend does not implement query_info_on_read/write (CVE-2019-12448); and mishandling of a file's user and group ownership during move and copy operations from admin:// to file:// URIs, because root privileges are unavailable on the file:// side (CVE-2019-12449).
The gvfs daemon opened a private D-Bus server socket without configuring an authorization rule, so a local attacker could connect to it and issue D-Bus method calls (CVE-2019-12795).
For Debian 9 stretch, these problems have been fixed in version 1.30.4-1+deb9u1.
We recommend that you upgrade your gvfs packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.