Date: Mon, 5 Oct 2015 21:10:41 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Cc: security@...ntu.com
Subject: CVE Request: gvfsd-dav

Hello MITRE, all,

Paulo Matias and Gustavo Nunes Pereira reported an issue with gvfsd-dav to
the Ubuntu bugtracker:
https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1502912

This appears to be an independent rediscovery of an issue already known to
the GNOME project:
https://bugzilla.gnome.org/show_bug.cgi?id=743298
which was reported by Gabor Kelemen.

The gvfsd-dav code appears to unescape some pathnames from a file server
that do not need to be unescaped and crashes when the input is malformed.

The upstream fix is (for master, gnome-3-14, gnome-3-12):
https://git.gnome.org/browse/gvfs/commit/?id=f81ff2108ab3b6e370f20dcadd8708d23f499184
https://git.gnome.org/browse/gvfs/commit/?id=abc69427fc9985f6bc1ebe9a14d645f4805deca4
https://git.gnome.org/browse/gvfs/commit/?id=0abdd97989d5274d84017490aff3bf07a71fd672

Please assign a CVE.

Thanks