
Debian has issued security advisories for serious vulnerabilities in the gvfs virtual filesystem and in the libxml-parser-perl module. Researchers at Codean Labs found that a malicious FTP server could use the gvfs ftp backend for an FTP bounce attack to probe the client's network, and that flawed CRLF validation in gvfs allowed injection of FTP commands. A separate issue, a heap-based buffer overflow in the Perl XML parser when handling deeply nested elements, affects the bookworm and trixie versions.

Debian GNU/Linux 9 (Stretch) ELTS:
ELA-1668-1 gvfs security update

Debian GNU/Linux 10 (Buster) ELTS:
ELA-1667-1 gvfs security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4513-1] gvfs security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6182-1] libxml-parser-perl security update



[SECURITY] [DLA 4513-1] gvfs security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4513-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
March 28, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gvfs
Version : 1.46.2-2+deb11u1
CVE ID : CVE-2026-28295 CVE-2026-28296
Debian Bug : 1129285 1129286

Codean Labs found that gvfs, a virtual filesystem implementation, was
affected by multiple vulnerabilities, including an FTP bounce attack
which could lead to probing open ports on the client's network, and
improper CRLF validation which could allow an attacker to inject arbitrary FTP
commands.

CVE-2026-28295

A malicious FTP server can exploit this vulnerability by providing an
arbitrary IP address and port in its passive mode (PASV) response. The
client unconditionally trusts this information and attempts to connect to
the specified endpoint, allowing the malicious server to probe for open
ports accessible from the client's network.

CVE-2026-28296

A remote attacker could exploit this input validation vulnerability by
supplying specially crafted file paths containing carriage return and line
feed (CRLF) sequences. These unsanitized sequences allow the attacker to
terminate intended FTP commands and inject arbitrary FTP commands,
potentially leading to arbitrary code execution or other severe impacts.
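The two client-side checks that close the patterns described in CVE-2026-28295 and CVE-2026-28296, as an added example in Python (not gvfs code): the advertised PASV address must equal the peer of the existing control connection, and a path must be refused before it is placed on an FTP command line if it contains CR or LF. `control_peer` is assumed to be the numeric IPv4 address obtained from the control socket; sample replies are constructed.

```python
import ipaddress
import re

# RFC 959 PASV reply body "(h1,h2,h3,h4,p1,p2)" giving the data-connection address.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str, control_peer: str):
    """Return (host, port) for the data connection, or None if the reply is rejected.

    Defence against the CVE-2026-28295 pattern: the advertised address must be
    the host the control connection already talks to. Anything else would let
    the server steer the client at endpoints reachable only from its network.
    """
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    host = ".".join(str(o) for o in fields[:4])
    port = (fields[4] << 8) | fields[5]
    if port == 0:
        return None
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return None  # bounce attempt: the server pointed us somewhere else
    return host, port


def path_is_safe(path: str) -> bool:
    """Defence against the CVE-2026-28296 pattern: CR or LF inside a path would
    end the command line early and let the remainder be read as further commands."""
    return "\r" not in path and "\n" not in path


def build_path_command(verb: str, path: str) -> bytes:
    """Build one command line such as b"RETR dir/file\\r\\n" from a validated path."""
    if not path_is_safe(path):
        raise ValueError("path contains CR or LF; refusing to send it")
    return f"{verb} {path}\r\n".encode("utf-8")


if __name__ == "__main__":
    # Constructed sample replies; 192.0.2.0/24 is documentation address space.
    print(parse_pasv("227 Entering Passive Mode (192,0,2,10,19,137).", "192.0.2.10"))
    print(parse_pasv("227 Entering Passive Mode (10,0,0,5,0,22).", "192.0.2.10"))
    print(build_path_command("RETR", "docs/report.txt"))
```

Several FTP clients go one step further and ignore the advertised host entirely, always connecting to the control peer's address with the advertised port; that is equivalent for the bounce case and also tolerates servers behind NAT that advertise an internal address.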

For Debian 11 bullseye, these problems have been fixed in version
1.46.2-2+deb11u1.

We recommend that you upgrade your gvfs packages.

For the detailed security status of gvfs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gvfs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6182-1] libxml-parser-perl security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6182-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 28, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libxml-parser-perl
CVE ID : CVE-2006-10003
Debian Bug : 378412

Joris van Rantwijk discovered that libxml-parser-perl, a Perl module for
parsing XML files, is prone to a heap-based buffer overflow flaw when
parsing an XML file with very deep element nesting.
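The bug is triggered only by very deep element nesting, so the defensive control on the consuming side is to bound nesting depth and abort before a document reaches the vulnerable code. An added example using Python's expat binding (not XML::Parser or any Debian code); `MAX_DEPTH` is an assumed limit and the nested documents are constructed:

```python
import xml.parsers.expat

MAX_DEPTH = 256  # assumed limit; set it from what your real documents need


class DepthLimitExceeded(Exception):
    """Raised as soon as element nesting goes past the configured limit."""


def parse_with_depth_limit(data: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Parse `data` with expat, aborting once nesting exceeds `max_depth`.

    Returns the maximum element depth seen. Raising inside a handler stops
    pyexpat and propagates out of Parse(), so no deeper element is processed.
    """
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max": 0}

    def start(name, attrs):
        state["depth"] += 1
        state["max"] = max(state["max"], state["depth"])
        if state["depth"] > max_depth:
            raise DepthLimitExceeded(f"nesting deeper than {max_depth} at <{name}>")

    def end(name):
        state["depth"] -= 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return state["max"]


def is_within_depth_limit(data: bytes, max_depth: int = MAX_DEPTH) -> bool:
    """Convenience wrapper: True if the document parses under the limit."""
    try:
        parse_with_depth_limit(data, max_depth)
        return True
    except DepthLimitExceeded:
        return False


def nested_document(depth: int) -> bytes:
    """Constructed sample: <a><a>...</a></a> nested `depth` levels."""
    return ("<a>" * depth + "</a>" * depth).encode()
```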

For the oldstable distribution (bookworm), this problem has been fixed
in version 2.46-4+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 2.47-2~deb13u1.

We recommend that you upgrade your libxml-parser-perl packages.

For the detailed security status of libxml-parser-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml-parser-perl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1668-1 gvfs security update


Package : gvfs
Version : 1.30.4-1+deb9u1 (stretch)

Related CVEs :
CVE-2019-3827
CVE-2019-12447
CVE-2019-12448
CVE-2019-12449
CVE-2019-12795
CVE-2026-28295
CVE-2026-28296

Multiple vulnerabilities have been identified in gvfs, the GNOME virtual
filesystem layer responsible for providing user-space access to local and
remote filesystems via various backends (e.g. ftp://, admin://, etc.).

Codean Labs found that the gvfs ftp:// backend had vulnerabilities including an
FTP bounce attack that could expose which ports were open on the client's
internal network, and improper CRLF validation which could allow an attacker to
inject arbitrary FTP commands.

The admin:// backend was found to have multiple issues: an incorrect permission
check that allows privileged users to read and modify arbitrary files without
being asked for a password when no authentication agent is running; mishandling
of file ownership because setfsuid is not used; race conditions because the
admin backend does not implement query_info_on_read/write; and mishandling of a
file's user and group ownership during move and copy operations from admin://
to file:// URIs because root privileges are unavailable.

The gvfs daemon opened a private D-Bus server socket without configuring an
authorization rule. This could allow a local attacker to connect and issue
D-Bus method calls.




ELA-1667-1 gvfs security update


Package : gvfs
Version : 1.38.1-5+deb10u1 (buster)

Related CVEs :
CVE-2026-28295
CVE-2026-28296

Codean Labs found that gvfs, a virtual filesystem implementation, was
affected by multiple vulnerabilities, including an FTP bounce attack
which could lead to probing open ports on the client's network, and
improper CRLF validation which could allow an attacker to inject arbitrary FTP
commands.
