gvfs 1.41.91-1ubuntu1 source package in Ubuntu

Changelog

gvfs (1.41.91-1ubuntu1) eoan; urgency=medium

  * Revert upstream changes to port to fuse 3. This is in universe in Ubuntu
    and we'll need to work out how to move over.

gvfs (1.41.91-1) experimental; urgency=medium

  [ Simon McVittie ]
  * Add bug number and CVE ID to previous changelog entry

  [ Iain Lane ]
  * debian/watch: Find unstable versions
  * New upstream release
    + admin: Add query_info_on_read/write functionality (CVE-2019-12448)
    + admin: Allow changing file owner (CVE-2019-12447)
    + admin: Ensure correct ownership when moving to file:// uri
      (CVE-2019-12449)
    + admin: Prevent core dumps when daemon is manually started
    + admin: Use fsuid to ensure correct file ownership (CVE-2019-12447)
    + afc: Remove assumptions about length of device UUID to support new
      devices
    + afp: Fix afp backend crash when no username supplied
    + build: Add dependency on gsettings-desktop-schemas
    + build: Bump required meson version to 0.50.0
    + build: Define gvfs_rpath for libgvfsdaemon.so
    + build: Several meson improvements
    + daemon: Check that the connecting client is the same user
      (CVE-2019-12795)
    + daemon: Only accept EXTERNAL authentication (CVE-2019-12795)
    + daemon/udisks2: Handle lockdown option to disable writing
    + daemon: Unify some translatable strings
    + fuse: Adapt gvfsd-fuse to use fuse 3.x
    + fuse: Define RENAME_* macros when they are not defined
    + fuse: Remove max_write limit
    + gmountsource: Fix deadlocks in synchronous API
    + google: Check ownership in is_owner() without additional HTTP request
    + google: Disable deletion of non-empty directories
    + google: Do not enumerate volatile entries if title matches id
    + google: Fix crashes when deleting if the file isn't found
    + google: Fix issue with stale entries remaining after rename operation
    + google: Support deleting shared Google Drive files
    + proxy: Don't leak a GVfsDBusDaemon
    + udisks2: Change display name for crypto_unknown devices
  * debian/patches: Drop backported patches. We're further ahead now.

gvfs (1.40.1-3) experimental; urgency=medium

  * Team upload
  * d/p/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch:
    Add missing authentication, preventing a local attacker from connecting
    to an abstract socket address learned from netstat(8) and issuing
    arbitrary D-Bus method calls
    (Closes: #930376, CVE-2019-12795)
  * d/p/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch:
    Harden private D-Bus connection by rejecting the more complicated
    DBUS_COOKIE_SHA1 authentication mechanism and only accepting EXTERNAL

gvfs (1.40.1-2) experimental; urgency=medium

  * Team upload
  * Update from upstream gnome-3-32 branch, commit 1.40.1-9-gec939a01,
    to fix the admin backend
    (Closes: #929755)
    - Implement query_info_on_read/write to fix some race conditions
      (CVE-2019-12448)
    - Ensure that created files get the correct ownership (CVE-2019-12247)
    - Ensure that copied files get the correct ownership (CVE-2019-12449)
    - Fix deadlocks in synchronous API
    - Various fixes for afc backend
    - Update translation: zh_CN
  * Remove obsolete version number from fuse dependency.
    gvfs needs fuse (>= 2.8.4), but that version is older than oldstable,
    so we can safely simplify to "Depends: fuse".
    The versioned dependency is not satisfied by fuse3's unversioned
    "Provides: fuse", but the unversioned dependency is. (Closes: #927221)

 -- Iain Lane <email address hidden>  Wed, 21 Aug 2019 12:33:35 +0100