SB2019072232 - Race condition in gvfs (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) Race condition (CVE-ID: CVE-2019-12448)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability exists due to race conditions in the daemon/gvfsbackendadmin.c source code file because the admin backend does not implement the query_info_on_read/write functionality. A remote attacker can send a request with malicious input to the system and cause race condition that will allow to overwrite or access sensitive information or cause a DoS condition.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=0c012f09fb2eecc434fec5eab8c7ca78095c950a
• https://git.alpinelinux.org/aports/commit/?id=948e97dea02e32af012be430d5f87345a6263d46
• https://git.alpinelinux.org/aports/commit/?id=fe8e3f960f8c6ccd7df3b8175b21a261be8fc006
• https://git.alpinelinux.org/aports/commit/?id=5c7126a9f9c0fa81ccbcb651ea056d1c02540fbe
• https://git.alpinelinux.org/aports/commit/?id=60a89bb75d82e71f7b44cc05bf8f024f66ddfd23