Date: Mon, 5 Oct 2015 21:10:41 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Cc: security@...ntu.com
Subject: CVE Request: gvfsd-dav

Hello MITRE, all,

Paulo Matias and Gustavo Nunes Pereira reported an issue with gvfsd-dav to
the Ubuntu bugtracker:
https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1502912

This appears to be an independent rediscovery of an issue already known to
the GNOME project:
https://bugzilla.gnome.org/show_bug.cgi?id=743298
which was reported by Gabor Kelemen.

The gvfsd-dav code appears to unescape some pathnames from a file server
that do not need to be unescaped and crashes when the input is malformed.

The upstream fix is (for master, gnome-3-14, gnome-3-12):
https://git.gnome.org/browse/gvfs/commit/?id=f81ff2108ab3b6e370f20dcadd8708d23f499184
https://git.gnome.org/browse/gvfs/commit/?id=abc69427fc9985f6bc1ebe9a14d645f4805deca4
https://git.gnome.org/browse/gvfs/commit/?id=0abdd97989d5274d84017490aff3bf07a71fd672

Please assign a CVE.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
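
The failure mode described in the message above (unescaping a server-supplied path and crashing on malformed input), shown from the defensive side as an added example; this is not gvfs code and not part of the original post. The names unescape_path and decoded_path_length and the sample paths are hypothetical, constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Strict percent-decoder (hypothetical helper): returns a malloc'd string,
 * or NULL when an escape is truncated, non-hex, or decodes to NUL. */
char *unescape_path(const char *in)
{
    char *out = malloc(strlen(in) + 1), *o = out;
    if (out == NULL) return NULL;
    while (*in != '\0') {
        if (*in != '%') { *o++ = *in++; continue; }
        int hi = hex_val((unsigned char)in[1]);
        int lo = hi < 0 ? -1 : hex_val((unsigned char)in[2]);
        if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) { free(out); return NULL; }
        *o++ = (char)(hi * 16 + lo);
        in += 3;
    }
    *o = '\0';
    return out;
}

/* Caller that treats a failed decode as an error instead of using the
 * result blindly. Returns the decoded length, or -1 for malformed input. */
long decoded_path_length(const char *server_path)
{
    char *path = unescape_path(server_path);
    if (path == NULL) return -1;   /* the check an unguarded caller lacks */
    long n = (long)strlen(path);
    free(path);
    return n;
}

int main(void)
{
    /* Constructed inputs: a valid escape, then a literal '%' in a name. */
    printf("%ld\n", decoded_path_length("/dav/a%20b.txt"));
    printf("%ld\n", decoded_path_length("/dav/100%.txt"));
    return 0;
}
```

A path that was already decoded once and contains a literal '%' is exactly the input that makes a second decode fail, so the caller has to handle the NULL return or skip the extra unescape.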