Security update for gvfs SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0261-1 Final 1 1 2019-03-23T11:08:31Z current 2019-03-23T11:08:31Z 2019-03-23T11:08:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gvfs This update for gvfs fixes the following issues: Security vulnerability fixed: - CVE-2019-3827: Fixed an issue whereby an unprivileged user was not prompted to give a password when acessing root owned files. (bsc#1125084) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-261 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EHTJ6QR4Z76JZTPUEXBA4LH7I54YMIFE/#EHTJ6QR4Z76JZTPUEXBA4LH7I54YMIFE E-Mail link for openSUSE-SU-2019:0261-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1125084 SUSE Bug 1125084 https://www.suse.com/security/cve/CVE-2019-3827/ SUSE CVE CVE-2019-3827 page openSUSE Leap 15.0 gvfs-1.34.2.1-lp150.3.6.1 gvfs-32bit-1.34.2.1-lp150.3.6.1 gvfs-backend-afc-1.34.2.1-lp150.3.6.1 gvfs-backend-samba-1.34.2.1-lp150.3.6.1 gvfs-backends-1.34.2.1-lp150.3.6.1 gvfs-devel-1.34.2.1-lp150.3.6.1 gvfs-fuse-1.34.2.1-lp150.3.6.1 gvfs-lang-1.34.2.1-lp150.3.6.1 gvfs-1.34.2.1-lp150.3.6.1 as a component of openSUSE Leap 15.0 gvfs-32bit-1.34.2.1-lp150.3.6.1 as a component of openSUSE Leap 15.0 gvfs-backend-afc-1.34.2.1-lp150.3.6.1 as a component of openSUSE Leap 15.0 gvfs-backend-samba-1.34.2.1-lp150.3.6.1 as a component of openSUSE Leap 15.0 gvfs-backends-1.34.2.1-lp150.3.6.1 as a component of openSUSE Leap 15.0 gvfs-devel-1.34.2.1-lp150.3.6.1 as a component of openSUSE Leap 15.0 gvfs-fuse-1.34.2.1-lp150.3.6.1 as a component of openSUSE Leap 15.0 gvfs-lang-1.34.2.1-lp150.3.6.1 as a component of openSUSE Leap 15.0 An incorrect permission check in the admin backend in gvfs before version 1.39.4 was found that allows reading and modify arbitrary files by privileged users without asking for password when no authentication agent is running. This vulnerability can be exploited by malicious programs running under privileges of users belonging to the wheel group to further escalate its privileges by modifying system files without user's knowledge. Successful exploitation requires uncommon system configuration. CVE-2019-3827 openSUSE Leap 15.0:gvfs-1.34.2.1-lp150.3.6.1 openSUSE Leap 15.0:gvfs-32bit-1.34.2.1-lp150.3.6.1 openSUSE Leap 15.0:gvfs-backend-afc-1.34.2.1-lp150.3.6.1 openSUSE Leap 15.0:gvfs-backend-samba-1.34.2.1-lp150.3.6.1 openSUSE Leap 15.0:gvfs-backends-1.34.2.1-lp150.3.6.1 openSUSE Leap 15.0:gvfs-devel-1.34.2.1-lp150.3.6.1 openSUSE Leap 15.0:gvfs-fuse-1.34.2.1-lp150.3.6.1 openSUSE Leap 15.0:gvfs-lang-1.34.2.1-lp150.3.6.1 moderate 3.3 AV:L/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EHTJ6QR4Z76JZTPUEXBA4LH7I54YMIFE/#EHTJ6QR4Z76JZTPUEXBA4LH7I54YMIFE https://www.suse.com/security/cve/CVE-2019-3827.html CVE-2019-3827 https://bugzilla.suse.com/1125084 SUSE Bug 1125084