
Security Advisory Low: gnome-vfs2 security and bug fix update

Advisory: RHSA-2013:0131-1
Type: Security Advisory
Severity: Low
Issued on: 2013-01-08
Last updated on: 2013-01-08
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2009-2473

Details

Updated gnome-vfs2 packages that fix one security issue and several bugs
are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The gnome-vfs2 packages provide the GNOME Virtual File System, which is the
foundation of the Nautilus file manager. neon is an HTTP and WebDAV client
library embedded in the gnome-vfs2 packages.

A denial of service flaw was found in the neon Extensible Markup Language
(XML) parser. Visiting a malicious DAV server with an application using
gnome-vfs2 (such as Nautilus) could possibly cause the application to
consume an excessive amount of CPU and memory. (CVE-2009-2473)
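One way a client could bound this kind of entity expansion before handing a DAV response to an XML parser is sketched below. It is an added example, not code from neon, gnome-vfs2 or the update; the function names, the 1,000,000-character budget and the nesting cap are assumptions, and the regular-expression scan covers only internal general entities (not parameter or external entities).

```python
import re

# Internal general-entity declarations of the form <!ENTITY name "value">
ENTITY_DECL = re.compile(r"""<!ENTITY\s+([^\s%"'>]+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&([^\s;&#]+);")
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}
MAX_DEPTH = 32  # assumed nesting cap; it also stops reference cycles

# Constructed sample: a small multistatus body with three nested entities.
SAMPLE = ('<?xml version="1.0"?>\n<!DOCTYPE D:multistatus [\n'
          ' <!ENTITY a "0123456789">\n <!ENTITY b "&a;&a;&a;&a;">\n'
          ' <!ENTITY c "&b;&b;&b;&b;">\n]>\n'
          '<D:multistatus xmlns:D="DAV:"><D:href>&c;</D:href></D:multistatus>\n')

class EntityBudgetExceeded(Exception):
    """Declared entities would expand past the allowed size."""

def expanded_sizes(xml_text, budget=1_000_000):
    """Map each declared entity to its expanded length, by arithmetic only."""
    decls = {}
    for name, dq, sq in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, dq or sq)  # XML honours the first declaration
    sizes = {}

    def size_of(name, depth):
        if name not in decls:  # predefined, or undeclared (parser rejects it)
            return 1 if name in PREDEFINED else 0
        if depth > MAX_DEPTH:
            raise EntityBudgetExceeded(f"nesting too deep at &{name};")
        if name not in sizes:  # memoised, so the work stays linear in the input
            value = decls[name]
            total = len(ENTITY_REF.sub("", value))
            total += sum(size_of(r, depth + 1) for r in ENTITY_REF.findall(value))
            if total > budget:
                raise EntityBudgetExceeded(f"&{name}; expands to {total} chars")
            sizes[name] = total
        return sizes[name]

    for name in decls:
        size_of(name, 0)
    return sizes

def worst_case_size(xml_text, budget=1_000_000):
    """Worst-case size of the parsed document; raises if it exceeds budget."""
    sizes = expanded_sizes(xml_text, budget)
    body = ENTITY_DECL.sub("", xml_text)
    total = len(ENTITY_REF.sub("", body)) + sum(
        sizes.get(r, 1 if r in PREDEFINED else 0) for r in ENTITY_REF.findall(body))
    if total > budget:
        raise EntityBudgetExceeded(f"document expands to {total} chars")
    return total
```

Because the sizes are computed arithmetically and cached per entity, the check itself cannot be driven into the CPU and memory consumption it is meant to prevent.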

This update also fixes the following bugs:

* When extracted from the Uniform Resource Identifier (URI), gnome-vfs2
returned escaped file paths. If a path, as stored in the URI,
contained non-ASCII characters or ASCII characters which are parsed as
something other than a file path (for example, spaces), the escaped path
was inaccurate. Consequently, files with the described type of URI could
not be processed. With this update, gnome-vfs2 properly unescapes paths
that are required for a system call. As a result, these paths are parsed
properly. (BZ#580855)

* In certain cases, the trash info file was populated by foreign
entries pointing to live data. Emptying the trash then caused accidental
deletion of valuable data. With this update, a workaround has been applied
to prevent the deletion. As a result, the accidental data loss is
prevented; however, further information is still being gathered to fully
fix this problem. (BZ#586015)

* Due to an incorrect test for the destination file system, the Nautilus
file manager failed to delete a symbolic link to a folder residing in
another file system. With this update, a special test has been
added. As a result, a symbolic link pointing to another file system can be
trashed or deleted properly. (BZ#621394)

* Prior to this update, when directories without a read permission were
marked for copy, the Nautilus file manager skipped these unreadable
directories without notification. With this update, Nautilus displays an
error message and properly informs the user about the aforementioned
problem. (BZ#772307)

* Previously, gnome-vfs2 used the stat() function calls for every file on
the MultiVersion File System (MVFS), used for example by IBM Rational
ClearCase. This behavior significantly slowed down file operations. With
this update, the unnecessary stat() operations have been limited. As a
result, gnome-vfs2 user interfaces, such as Nautilus, are more responsive.
(BZ#822817)

All gnome-vfs2 users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

File outdated by: RHBA-2013:1039 (applies to every file listed below)

RHEL Desktop Workstation (v. 5 client)

SRPMS:
gnome-vfs2-2.16.2-10.el5.src.rpm

IA-32:
gnome-vfs2-debuginfo-2.16.2-10.el5.i386.rpm
gnome-vfs2-devel-2.16.2-10.el5.i386.rpm

x86_64:
gnome-vfs2-debuginfo-2.16.2-10.el5.i386.rpm
gnome-vfs2-debuginfo-2.16.2-10.el5.x86_64.rpm
gnome-vfs2-devel-2.16.2-10.el5.i386.rpm
gnome-vfs2-devel-2.16.2-10.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
gnome-vfs2-2.16.2-10.el5.src.rpm

IA-32:
gnome-vfs2-2.16.2-10.el5.i386.rpm
gnome-vfs2-debuginfo-2.16.2-10.el5.i386.rpm
gnome-vfs2-devel-2.16.2-10.el5.i386.rpm
gnome-vfs2-smb-2.16.2-10.el5.i386.rpm

IA-64:
gnome-vfs2-2.16.2-10.el5.ia64.rpm
gnome-vfs2-debuginfo-2.16.2-10.el5.ia64.rpm
gnome-vfs2-devel-2.16.2-10.el5.ia64.rpm
gnome-vfs2-smb-2.16.2-10.el5.ia64.rpm

PPC:
gnome-vfs2-2.16.2-10.el5.ppc.rpm
gnome-vfs2-2.16.2-10.el5.ppc64.rpm
gnome-vfs2-debuginfo-2.16.2-10.el5.ppc.rpm
gnome-vfs2-debuginfo-2.16.2-10.el5.ppc64.rpm
gnome-vfs2-devel-2.16.2-10.el5.ppc.rpm
gnome-vfs2-devel-2.16.2-10.el5.ppc64.rpm
gnome-vfs2-smb-2.16.2-10.el5.ppc.rpm
gnome-vfs2-smb-2.16.2-10.el5.ppc64.rpm

s390x:
gnome-vfs2-2.16.2-10.el5.s390.rpm
gnome-vfs2-2.16.2-10.el5.s390x.rpm
gnome-vfs2-debuginfo-2.16.2-10.el5.s390.rpm
gnome-vfs2-debuginfo-2.16.2-10.el5.s390x.rpm
gnome-vfs2-devel-2.16.2-10.el5.s390.rpm
gnome-vfs2-devel-2.16.2-10.el5.s390x.rpm
gnome-vfs2-smb-2.16.2-10.el5.s390x.rpm

x86_64:
gnome-vfs2-2.16.2-10.el5.i386.rpm
gnome-vfs2-2.16.2-10.el5.x86_64.rpm
gnome-vfs2-debuginfo-2.16.2-10.el5.i386.rpm
gnome-vfs2-debuginfo-2.16.2-10.el5.x86_64.rpm
gnome-vfs2-devel-2.16.2-10.el5.i386.rpm
gnome-vfs2-devel-2.16.2-10.el5.x86_64.rpm
gnome-vfs2-smb-2.16.2-10.el5.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
gnome-vfs2-2.16.2-10.el5.src.rpm

IA-32:
gnome-vfs2-2.16.2-10.el5.i386.rpm
gnome-vfs2-debuginfo-2.16.2-10.el5.i386.rpm
gnome-vfs2-smb-2.16.2-10.el5.i386.rpm

x86_64:
gnome-vfs2-2.16.2-10.el5.i386.rpm
gnome-vfs2-2.16.2-10.el5.x86_64.rpm
gnome-vfs2-debuginfo-2.16.2-10.el5.i386.rpm
gnome-vfs2-debuginfo-2.16.2-10.el5.x86_64.rpm
gnome-vfs2-smb-2.16.2-10.el5.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

518215 - CVE-2009-2473 neon: billion laughs DoS attack
580855 - Cannot delete folder contents if the name of the folder contains spaces
621394 - can't delete symlink to other filesystem
822817 - Fix Gnome VFS components to not stat every file on an ClearCase mvfs filesystem
848822 - Problem while loading OAFIID: GNOME_Panel_TrashApplet


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/