package/gvfs: fix CVE-2019-3827
author Fabrice Fontaine <fontaine.fabrice@gmail.com>
Sun, 29 Mar 2020 16:02:42 +0000 (18:02 +0200)
committer Yann E. MORIN <yann.morin.1998@free.fr>
Sun, 29 Mar 2020 16:31:40 +0000 (18:31 +0200)
commit 346040e269162cebfb5f127c3e6baaa128880f6c
tree 98f68220db343bef631deb420a545f01c9a9f002
parent c5c8cec5a5a7e9fe1c37081173ea526821f3f580
package/gvfs: fix CVE-2019-3827

An incorrect permission check in the admin backend in gvfs before
version 1.39.4 was found that allows reading and modifying arbitrary files
by privileged users without asking for password when no authentication
agent is running. This vulnerability can be exploited by malicious
programs running under privileges of users belonging to the wheel group
to further escalate its privileges by modifying system files without
user's knowledge. Successful exploitation requires uncommon system
configuration.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch [new file with mode: 0644]
package/gvfs/gvfs.mk