Security update for gvfs SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2681-1 Final 1 1 2024-07-31T12:42:59Z current 2024-07-31T12:42:59Z 2024-07-31T12:42:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gvfs This update for gvfs fixes the following issues: - CVE-2019-12795: Fixed attack via local D-Bus method calls (bsc#1137930) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2681,SUSE-SLE-SDK-12-SP5-2024-2681,SUSE-SLE-SERVER-12-SP5-2024-2681 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242681-1/ Link for SUSE-SU-2024:2681-1 https://lists.suse.com/pipermail/sle-security-updates/2024-July/019069.html E-Mail link for SUSE-SU-2024:2681-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1137930 SUSE Bug 1137930 https://www.suse.com/security/cve/CVE-2019-12795/ SUSE CVE CVE-2019-12795 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 gvfs-1.28.3-18.6.1 gvfs-32bit-1.28.3-18.6.1 gvfs-64bit-1.28.3-18.6.1 gvfs-backend-afc-1.28.3-18.6.1 gvfs-backend-samba-1.28.3-18.6.1 gvfs-backends-1.28.3-18.6.1 gvfs-devel-1.28.3-18.6.1 gvfs-fuse-1.28.3-18.6.1 gvfs-lang-1.28.3-18.6.1 gvfs-1.28.3-18.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 gvfs-backend-samba-1.28.3-18.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 gvfs-backends-1.28.3-18.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 gvfs-fuse-1.28.3-18.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 gvfs-lang-1.28.3-18.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 gvfs-1.28.3-18.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 gvfs-backend-samba-1.28.3-18.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 gvfs-backends-1.28.3-18.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 gvfs-fuse-1.28.3-18.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 gvfs-lang-1.28.3-18.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 gvfs-devel-1.28.3-18.6.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.) CVE-2019-12795 SUSE Linux Enterprise Server 12 SP5:gvfs-1.28.3-18.6.1 SUSE Linux Enterprise Server 12 SP5:gvfs-backend-samba-1.28.3-18.6.1 SUSE Linux Enterprise Server 12 SP5:gvfs-backends-1.28.3-18.6.1 SUSE Linux Enterprise Server 12 SP5:gvfs-fuse-1.28.3-18.6.1 SUSE Linux Enterprise Server 12 SP5:gvfs-lang-1.28.3-18.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:gvfs-1.28.3-18.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:gvfs-backend-samba-1.28.3-18.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:gvfs-backends-1.28.3-18.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:gvfs-fuse-1.28.3-18.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:gvfs-lang-1.28.3-18.6.1 SUSE Linux Enterprise Software Development Kit 12 SP5:gvfs-devel-1.28.3-18.6.1 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242681-1/ https://www.suse.com/security/cve/CVE-2019-12795.html CVE-2019-12795 https://bugzilla.suse.com/1137930 SUSE Bug 1137930 https://bugzilla.suse.com/1209876 SUSE Bug 1209876