SB2019072232 - Race condition in gvfs (Alpine package)

Description

This security bulletin contains information about 1 security vulnerability.

1) Race condition (CVE-ID: CVE-2019-12448)

The vulnerability exists due to race conditions in the daemon/gvfsbackendadmin.c source code file because the admin backend does not implement the query_info_on_read/write functionality. A remote attacker can send a request with malicious input to the system and cause race condition that will allow to overwrite or access sensitive information or cause a DoS condition.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=0c012f09fb2eecc434fec5eab8c7ca78095c950a
• https://git.alpinelinux.org/aports/commit/?id=948e97dea02e32af012be430d5f87345a6263d46
• https://git.alpinelinux.org/aports/commit/?id=fe8e3f960f8c6ccd7df3b8175b21a261be8fc006
• https://git.alpinelinux.org/aports/commit/?id=5c7126a9f9c0fa81ccbcb651ea056d1c02540fbe
• https://git.alpinelinux.org/aports/commit/?id=60a89bb75d82e71f7b44cc05bf8f024f66ddfd23