Date: Mon, 5 Oct 2015 21:10:41 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Cc: security@...ntu.com
Subject: CVE Request: gvfsd-dav

Hello MITRE, all,

Paulo Matias and Gustavo Nunes Pereira reported an issue with gvfsd-dav to
the Ubuntu bugtracker:
https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1502912

This appears to be an independent rediscovery of an issue already known to
the GNOME project: https://bugzilla.gnome.org/show_bug.cgi?id=743298
which was reported by Gabor Kelemen.

The gvfsd-dav code appears to unescape some pathnames from a file
server that do not need to be unescaped and crashes when the input is
malformed. The upstream fix is (for master, gnome-3-14, gnome-3-12):

https://git.gnome.org/browse/gvfs/commit/?id=f81ff2108ab3b6e370f20dcadd8708d23f499184
https://git.gnome.org/browse/gvfs/commit/?id=abc69427fc9985f6bc1ebe9a14d645f4805deca4
https://git.gnome.org/browse/gvfs/commit/?id=0abdd97989d5274d84017490aff3bf07a71fd672

Please assign a CVE.

Thanks
