Security Advisory Details

NS-SA-2019-0238

2019-12-27 14:15:32

Summary

moderate: gvfs/compat-libtiff3 security update

Severity

moderate

Topic

An update for gvfs/compat-libtiff3 is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

gvfs: This package provides support for accessing files inside Zip and Tar archives, as well as ISO images, to applications using gvfs.
compat-libtiff3: The libtiff3 package provides libtiff 3, an older version of the libtiff library for manipulating TIFF (Tagged Image File Format) image files. This version should be used only if you are unable to use the current version of libtiff.


Security Fix(es):
gvfs: An incorrect permission check in the admin backend in gvfs was found that allows privileged users to read and modify arbitrary files without being asked for a password when no authentication agent is running. This vulnerability can be exploited by malicious programs running under the privileges of users belonging to the wheel group to further escalate their privileges by modifying system files without the user's knowledge. Successful exploitation requires an uncommon system configuration. (CVE-2019-3827)
gvfs: bugfix
compat-libtiff3: A NULL pointer dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) (CVE-2018-7456)
compat-libtiff3: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember that the build tag is 5.05.F7.

Affected Components

  • gvfs
  • compat-libtiff3

Affected Products

  • CGSL MAIN 5.05
  • CGSL CORE 5.05

Update Packages

CGSL MAIN 5.05

Source: gvfs-1.36.2-3.el7.src.rpm
  • gvfs-archive-1.36.2-3.el7.x86_64.rpm
  • gvfs-client-1.36.2-3.el7.x86_64.rpm
  • gvfs-debuginfo-1.36.2-3.el7.x86_64.rpm
  • gvfs-devel-1.36.2-3.el7.x86_64.rpm
  • gvfs-fuse-1.36.2-3.el7.x86_64.rpm
  • gvfs-goa-1.36.2-3.el7.x86_64.rpm
  • gvfs-gphoto2-1.36.2-3.el7.x86_64.rpm
  • gvfs-mtp-1.36.2-3.el7.x86_64.rpm
  • gvfs-smb-1.36.2-3.el7.x86_64.rpm
  • gvfs-tests-1.36.2-3.el7.x86_64.rpm
  • gvfs-1.36.2-3.el7.x86_64.rpm
  • gvfs-afc-1.36.2-3.el7.x86_64.rpm
  • gvfs-afp-1.36.2-3.el7.x86_64.rpm

Source: compat-libtiff3-3.9.4-12.el7.src.rpm
  • compat-libtiff3-3.9.4-12.el7.x86_64.rpm
  • compat-libtiff3-debuginfo-3.9.4-12.el7.x86_64.rpm

CGSL CORE 5.05

Source: gvfs-1.36.2-3.el7.src.rpm
  • gvfs-1.36.2-3.el7.x86_64.rpm
  • gvfs-afc-1.36.2-3.el7.x86_64.rpm
  • gvfs-afp-1.36.2-3.el7.x86_64.rpm
  • gvfs-archive-1.36.2-3.el7.x86_64.rpm
  • gvfs-client-1.36.2-3.el7.x86_64.rpm
  • gvfs-debuginfo-1.36.2-3.el7.x86_64.rpm
  • gvfs-devel-1.36.2-3.el7.x86_64.rpm
  • gvfs-fuse-1.36.2-3.el7.x86_64.rpm
  • gvfs-goa-1.36.2-3.el7.x86_64.rpm
  • gvfs-gphoto2-1.36.2-3.el7.x86_64.rpm
  • gvfs-mtp-1.36.2-3.el7.x86_64.rpm
  • gvfs-smb-1.36.2-3.el7.x86_64.rpm
  • gvfs-tests-1.36.2-3.el7.x86_64.rpm

Source: compat-libtiff3-3.9.4-12.el7.src.rpm
  • compat-libtiff3-3.9.4-12.el7.x86_64.rpm
  • compat-libtiff3-debuginfo-3.9.4-12.el7.x86_64.rpm
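A practical way to verify that the update above has actually landed on a host is to parse the advisory's "fix" manifest and compare it against the installed package set. The script below is an added example, not part of the advisory or of NewStart's tooling; it embeds a constructed excerpt of the manifest and constructed `rpm -qa` output, and uses a simplified version comparison (digit runs as integers, letter runs lexically, no tilde/caret handling) in place of the real rpmvercmp.

```python
import json
import re

# Constructed excerpt in the advisory's own "fix" JSON shape (a few binaries only).
FIX_JSON = ('{"fix":[{"product":"CGSL MAIN 5.05","pkgs":['
            '{"binary":["gvfs-1.36.2-3.el7.x86_64.rpm","gvfs-client-1.36.2-3.el7.x86_64.rpm"],'
            '"source":"gvfs-1.36.2-3.el7.src.rpm"},'
            '{"binary":["compat-libtiff3-3.9.4-12.el7.x86_64.rpm"],'
            '"source":"compat-libtiff3-3.9.4-12.el7.src.rpm"}]}]}')

def split_nvra(filename):
    # 'gvfs-client-1.36.2-3.el7.x86_64.rpm' -> ('gvfs-client', '1.36.2', '3.el7')
    stem = re.sub(r'\.rpm$', '', filename).rsplit('.', 1)[0]  # drop .rpm and arch
    name, version, release = stem.rsplit('-', 2)
    return name, version, release

def rpmvercmp(a, b):
    # Simplified rpmvercmp: digit runs compare as ints, letter runs lexically,
    # digits beat letters; the ~ and ^ rules of real rpm are not handled.
    sa, sb = re.findall(r'\d+|[A-Za-z]+', a), re.findall(r'\d+|[A-Za-z]+', b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def fixed_versions(fix_json, product):
    # Map each binary package name to the (version, release) the advisory fixes.
    return {split_nvra(rpm)[0]: split_nvra(rpm)[1:]
            for entry in json.loads(fix_json)["fix"] if entry["product"] == product
            for pkg in entry["pkgs"] for rpm in pkg["binary"]}

def outdated(installed, fix_json, product):
    # Installed 'name-version-release.arch' entries older than the fixed build.
    fixed = fixed_versions(fix_json, product)
    result = []
    for nvra in installed:
        name, ver, rel = split_nvra(nvra + ".rpm")
        if name in fixed and (rpmvercmp(ver, fixed[name][0])
                              or rpmvercmp(rel, fixed[name][1])) < 0:
            result.append(nvra)
    return result

# Constructed `rpm -qa` output for a host that has not yet applied the update.
INSTALLED = ["gvfs-1.36.2-2.el7.x86_64", "gvfs-client-1.36.2-3.el7.x86_64",
             "compat-libtiff3-3.9.4-11.el7.x86_64", "bash-4.2.46-34.el7.x86_64"]
```

On a real CGSL host, feed the output of `rpm -qa` and the full manifest from this page into `outdated()`; packages not named in the manifest are ignored.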

CVE

References