Debian Package Tracker

general

source: gvfs (main)
version: 1.38.1-5
maintainer: Debian GNOME Maintainers (archive) (DMD)
uploaders: Michael Biebl [DMD] – Jeremy Bicha [DMD] – Iain Lane [DMD]
arch: all any
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.22.2-1
o-o-sec: 1.22.2-1+deb8u1
oldstable: 1.30.4-1
stable: 1.38.1-5
testing: 1.38.1-5
unstable: 1.38.1-5
exp: 1.41.91-1

versioned links

1.22.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.22.2-1+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.30.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.38.1-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.41.91-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

gvfs (32 bugs: 0, 31, 1, 0)
gvfs-backends (38 bugs: 0, 34, 4, 0)
gvfs-bin (6 bugs: 0, 5, 1, 0)
gvfs-common (3 bugs: 0, 1, 2, 0)
gvfs-daemons (4 bugs: 0, 3, 1, 0)
gvfs-fuse (6 bugs: 0, 6, 0, 0)
gvfs-libs

action needed

A new upstream version is available: 1.40.2 high

A new upstream version 1.40.2 is available, you should consider packaging it.

Created: 2019-03-13 Last update: 2019-08-24 20:31

5 security issues in stretch high

There are 5 open security issues in stretch.

4 important issues:

CVE-2019-12449: An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable.
CVE-2019-12795: daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)
CVE-2019-12447: An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is not used.
CVE-2019-12448: An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c has race conditions because the admin backend doesn't implement query_info_on_read/write.

1 issue skipped by the security teams:

CVE-2019-3827: An incorrect permission check in the admin backend in gvfs before version 1.39.4 was found that allows reading and modify arbitrary files by privileged users without asking for password when no authentication agent is running. This vulnerability can be exploited by malicious programs running under privileges of users belonging to the wheel group to further escalate its privileges by modifying system files without user's knowledge. Successful exploitation requires uncommon system configuration.

Please fix them.

Created: 2019-02-09 Last update: 2019-07-07 09:00

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2019-04-01 Last update: 2019-08-25 00:48

Depends on packages which need a new maintainer normal

The packages that gvfs depends on which need a new maintainer are:

libcdio (#881719)
- Depends: libcdio18
dh-exec (#851746)
- Build-Depends: dh-exec
libcdio-paranoia (#881910)
- Depends: libcdio-cdda2 libcdio-paranoia2
- Build-Depends: libcdio-paranoia-dev

Created: 2017-12-02 Last update: 2019-08-24 22:13

lintian reports 19 warnings normal

Lintian reports 19 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-07-20 Last update: 2019-08-13 04:37

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

gvfs-bin could be converted to Architecture: all and marked Multi-Arch: foreign

Created: 2019-02-11 Last update: 2019-08-23 04:08

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.0 instead of 4.3.0).

Created: 2019-07-08 Last update: 2019-07-08 20:08

news

[rss feed]

[2019-08-21] Accepted gvfs 1.41.91-1 (source) into experimental (Iain Lane)
[2019-06-19] Accepted gvfs 1.22.2-1+deb8u1 (source all amd64) into oldstable (Markus Koschany)
[2019-06-13] gvfs 1.38.1-5 MIGRATED to testing (Debian testing watch)
[2019-06-11] Accepted gvfs 1.40.1-3 (source) into experimental (Simon McVittie)
[2019-06-11] Accepted gvfs 1.38.1-5 (source) into unstable (Simon McVittie)
[2019-06-07] gvfs 1.38.1-4 MIGRATED to testing (Debian testing watch)
[2019-06-06] Accepted gvfs 1.40.1-2 (source) into experimental (Simon McVittie)
[2019-06-05] Accepted gvfs 1.38.1-4 (source) into unstable (Simon McVittie)
[2019-04-09] Accepted gvfs 1.40.1-1 (source) into experimental (Sebastien Bacher)
[2019-03-16] Accepted gvfs 1.40.0-1 (source) into experimental (Jeremy Bicha)
[2019-02-25] Accepted gvfs 1.39.91-1 (source) into experimental (Jeremy Bicha)
[2019-02-11] gvfs 1.38.1-3 MIGRATED to testing (Debian testing watch)
[2019-02-11] gvfs 1.38.1-3 MIGRATED to testing (Debian testing watch)
[2019-02-09] Accepted gvfs 1.38.1-3 (source) into unstable (Simon McVittie)
[2019-02-06] Accepted gvfs 1.39.90-1 (source) into experimental (Jeremy Bicha)
[2019-01-13] gvfs 1.38.1-2 MIGRATED to testing (Debian testing watch)
[2018-12-27] Accepted gvfs 1.38.1-2 (source) into unstable (Jeremy Bicha)
[2018-11-19] gvfs 1.38.1-1 MIGRATED to testing (Debian testing watch)
[2018-11-13] Accepted gvfs 1.38.1-1 (source) into unstable (Sebastien Bacher)
[2018-09-20] gvfs 1.38.0-2 MIGRATED to testing (Debian testing watch)
[2018-09-11] Accepted gvfs 1.38.0-2 (source) into unstable (Iain Lane)
[2018-09-11] Accepted gvfs 1.38.0-1 (source) into unstable (Iain Lane)
[2018-08-17] Accepted gvfs 1.37.90-1 (source) into experimental (Simon McVittie)
[2018-07-29] gvfs 1.36.2-1 MIGRATED to testing (Debian testing watch)
[2018-07-26] Accepted gvfs 1.36.2-1 (source) into unstable (Simon McVittie)
[2018-04-20] gvfs 1.36.1-1 MIGRATED to testing (Debian testing watch)
[2018-04-14] Accepted gvfs 1.36.1-1 (source) into unstable (Jeremy Bicha)
[2018-03-25] gvfs 1.36.0-1 MIGRATED to testing (Debian testing watch)
[2018-03-19] Accepted gvfs 1.36.0-1 (source amd64 all) into unstable (Iain Lane)
[2018-02-09] Accepted gvfs 1.35.90-1 (source) into experimental (Jeremy Bicha)

bugs [bug history graph]

all: 88 90
RC: 0
I&N: 79 80
M&W: 9 10
F&P: 0
patch: 2

links

homepage
lintian (0, 19)
buildd: logs, exp, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.40.1-1ubuntu1
476 bugs (7 patches)