
[SECURITY] [DLA 4513-1] gvfs security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-4513-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Andreas Henriksson
March 28, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : gvfs
Version        : 1.46.2-2+deb11u1
CVE ID         : CVE-2026-28295 CVE-2026-28296
Debian Bug     : 1129285 1129286

Codean Labs found that gvfs, a virtual filesystem implementation, was
affected by multiple vulnerabilities in its FTP support: an FTP bounce
attack, in which a malicious server could use the client to probe open
ports on the client's network, and improper CRLF validation, which could
allow an attacker to inject arbitrary FTP commands.

CVE-2026-28295

    A malicious FTP server can exploit this vulnerability by providing an
    arbitrary IP address and port in its passive mode (PASV) response. The
    client unconditionally trusts this information and attempts to connect to
    the specified endpoint, allowing the malicious server to probe for open
    ports accessible from the client's network.

CVE-2026-28296

    A remote attacker could exploit this input validation vulnerability by
    supplying specially crafted file paths containing carriage return and line
    feed (CRLF) sequences. These unsanitized sequences allow the attacker to
    terminate intended FTP commands and inject arbitrary FTP commands,
    potentially leading to arbitrary code execution or other severe impacts.
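The two client-side checks implied by the CVEs above, shown together as an
added example in Python. This is not gvfs code (gvfs is written in C) and it
does not describe the actual gvfs patch; the peer-address comparison is the
standard FTP bounce mitigation found in other FTP clients, assumed here as the
fix, and the sample replies and paths are constructed for the demonstration.

```python
import re

# RFC 959 section 4.1.2: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class FtpClientError(ValueError):
    pass


def parse_pasv(reply, control_peer_ip, trust_server_address=False):
    """Parse a 227 reply and return (host, port) for the data connection.

    CVE-2026-28295 style hardening (assumed mitigation, not the gvfs patch):
    the client already has a control connection to control_peer_ip, so unless
    the caller opts in (e.g. for a server known to be behind NAT) any other
    host in the reply is ignored and the data connection goes to the control
    peer instead. A server can then no longer direct the client at a third
    host/port on the client's network.
    """
    m = PASV_RE.match(reply)
    if not m:
        raise FtpClientError("malformed PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise FtpClientError("PASV octet out of range: %r" % reply)
    host = ".".join(str(o) for o in octets[:4])
    port = (octets[4] << 8) | octets[5]
    if port == 0:
        raise FtpClientError("PASV reply advertised port 0")
    if host != control_peer_ip and not trust_server_address:
        # Bounce attempt or NAT misconfiguration: either way, do not follow it.
        host = control_peer_ip
    return host, port


def build_command(verb, arg):
    """Serialize one FTP command line, refusing control characters in arg.

    CVE-2026-28296 style hardening: a path such as "x\r\nDELE y" would be
    sent as two commands because the FTP control channel is line based.
    Reject CR, LF and NUL instead of forwarding them to the server.
    """
    if any(c in arg for c in "\r\n\0"):
        raise FtpClientError("control characters in FTP argument: %r" % arg)
    return "%s %s\r\n" % (verb, arg)


def safe_data_endpoint(reply, control_peer_ip):
    """Convenience wrapper: where the client should connect for data."""
    return parse_pasv(reply, control_peer_ip)


if __name__ == "__main__":
    # Constructed samples; 203.0.113.0/24 is the documentation range.
    server = "203.0.113.5"
    print(parse_pasv("227 Entering Passive Mode (203,0,113,5,4,1)", server))
    # A bouncing server advertising an internal host: redirected to the peer.
    print(parse_pasv("227 Entering Passive Mode (192,168,1,20,0,22)", server))
    print(repr(build_command("CWD", "pub/incoming")))
    for bad in ("a\r\nDELE b", "a\nSITE EXEC id"):
        try:
            build_command("RETR", bad)
        except FtpClientError as e:
            print("rejected:", e)
```

The peer-address substitution is the behaviour most clients chose over a hard
error, because servers behind NAT legitimately advertise wrong addresses; the
opt-in flag keeps that case working without letting an unknown server pick the
target.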

For Debian 11 bullseye, these problems have been fixed in version
1.46.2-2+deb11u1.

We recommend that you upgrade your gvfs packages.

For the detailed security status of gvfs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gvfs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
