Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:gvfs
User: [email protected]
Usertags: pu

[ Reason ]
I'm updating the gvfs package with security fixes backported from
upstream that have been deemed not-DSA-worthy by the security team.
They are thus submitted as proposed updates.

[ Impact ]
The impact is 2 security issues:
* FTP Bounce attack - malicious PASV replies can probe open ports on
  client network.
* Improper CR/LF sanitation - can lead to injection of arbitrary FTP
  commands.

[ Tests ]
Test results are available in debusine:
https://debusine.debian.net/debian/developers/work-request/540205/

[ Risks ]
I don't see any immediate risks, as the fixes are from upstream
and are already in unstable/testing, etc.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Cherry-pick upstream commits:
https://gitlab.gnome.org/GNOME/gvfs/-/commit/30b89fc61ef620dfa81492f68a21ee1fdb7021f3
https://gitlab.gnome.org/GNOME/gvfs/-/commit/447ee8a32fe56529bf92c0a733f6d35e724c2689
- the last one needed some manual conflict resolution to apply to
  the bookworm version of gvfs.

[ Other info ]
Me handling this SPU is acked by smcv of the Debian Gnome Team.
I've already filed a similar bug report for SPU.
I will likely go ahead and upload semi-immediately (unless I hear different)
as previously discussed in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128227#29

See also https://security-tracker.debian.org/tracker/source-package/gvfs
diff -Nru gvfs-1.50.3/debian/changelog gvfs-1.50.3/debian/changelog
--- gvfs-1.50.3/debian/changelog        2023-01-09 18:10:14.000000000 +0100
+++ gvfs-1.50.3/debian/changelog        2026-03-29 04:15:46.000000000 +0200
@@ -1,3 +1,14 @@
+gvfs (1.50.3-1+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2026-28295 ftp: Use control connection address for PASV data
+    (Closes: #1129285)
+  * CVE-2026-28296 ftp: Reject paths containing CR/LF characters
+    (Closes: #1129286)
+  * debian/gbp.conf: Set debian branch to debian/bookworm
+
+ -- Andreas Henriksson <[email protected]>  Sun, 29 Mar 2026 04:15:46 +0200
+
 gvfs (1.50.3-1) unstable; urgency=medium
 
   [ Jeremy Bicha ]
diff -Nru gvfs-1.50.3/debian/gbp.conf gvfs-1.50.3/debian/gbp.conf
--- gvfs-1.50.3/debian/gbp.conf 2023-01-09 18:10:14.000000000 +0100
+++ gvfs-1.50.3/debian/gbp.conf 2026-03-29 04:14:32.000000000 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/bookworm
 upstream-branch = upstream/latest
 upstream-vcs-tag = %(version)s
 
diff -Nru 
gvfs-1.50.3/debian/patches/ftp-Reject-paths-containing-CR-LF-characters.patch 
gvfs-1.50.3/debian/patches/ftp-Reject-paths-containing-CR-LF-characters.patch
--- 
gvfs-1.50.3/debian/patches/ftp-Reject-paths-containing-CR-LF-characters.patch   
    1970-01-01 01:00:00.000000000 +0100
+++ 
gvfs-1.50.3/debian/patches/ftp-Reject-paths-containing-CR-LF-characters.patch   
    2026-03-29 04:12:10.000000000 +0200
@@ -0,0 +1,334 @@
+From: Ondrej Holy <[email protected]>
+Date: Thu, 19 Feb 2026 11:24:09 +0100
+Subject: ftp: Reject paths containing CR/LF characters
+
+Currently, an FTP backend doesn't verify paths. Path with CR/LF can
+inject extra commands to the server. Let's validate the paths and fail
+with "Filename contains invalid characters." if that happens.
+
+Co-Authored-By: Cursor <[email protected]>
+
+Fixes: https://gitlab.gnome.org/GNOME/gvfs/-/issues/833
+Part-of: <https://gitlab.gnome.org/GNOME/gvfs/-/merge_requests/298>
+(cherry picked from commit 447ee8a32fe56529bf92c0a733f6d35e724c2689)
+---
+ daemon/gvfsbackendftp.c | 126 +++++++++++++++++++++++++++++++++++++++++-------
+ daemon/gvfsftpfile.c    |  22 ++++++---
+ daemon/gvfsftpfile.h    |   3 +-
+ 3 files changed, 126 insertions(+), 25 deletions(-)
+
+diff --git a/daemon/gvfsbackendftp.c b/daemon/gvfsbackendftp.c
+index 17f893e..ffe5488 100644
+--- a/daemon/gvfsbackendftp.c
++++ b/daemon/gvfsbackendftp.c
+@@ -866,9 +866,14 @@ do_open_for_read (GVfsBackend *backend,
+                                                          
error_550_permission_or_not_found, 
+                                                          NULL };
+ 
+-  g_vfs_ftp_task_setup_data_connection (&task);
+-  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename);
++  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename, &task.error);
++  if (file == NULL)
++    {
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
+ 
++  g_vfs_ftp_task_setup_data_connection (&task);
+   g_vfs_ftp_task_send_and_check (&task,
+                                  G_VFS_FTP_PASS_100 | G_VFS_FTP_FAIL_200,
+                                  open_read_handlers,
+@@ -987,7 +992,13 @@ do_create (GVfsBackend *backend,
+   GFileInfo *info;
+   GVfsFtpFile *file;
+ 
+-  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename);
++  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename, &task.error);
++  if (file == NULL)
++    {
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
++
+   info = g_vfs_ftp_dir_cache_lookup_file (ftp->dir_cache, &task, file, FALSE);
+   if (info)
+     {
+@@ -1017,7 +1028,13 @@ do_append (GVfsBackend *backend,
+   GVfsFtpTask task = G_VFS_FTP_TASK_INIT (ftp, G_VFS_JOB (job));
+   GVfsFtpFile *file;
+ 
+-  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename);
++  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename, &task.error);
++  if (file == NULL)
++    {
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
++
+   do_start_write (&task, flags, "APPE %s", g_vfs_ftp_file_get_ftp_path 
(file));
+   g_vfs_ftp_dir_cache_purge_file (ftp->dir_cache, file);
+   g_vfs_ftp_file_free (file);
+@@ -1039,14 +1056,25 @@ do_replace (GVfsBackend *backend,
+   static const GVfsFtpErrorFunc rnfr_handlers[] = { 
error_550_permission_or_not_found,
+                                                     NULL };
+ 
+-  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename);
++  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename, &task.error);
++  if (file == NULL)
++    {
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
+ 
+   if (make_backup)
+     {
+       GFileInfo *info;
+       char *backup_path = g_strconcat (filename, "~", NULL);
+-      backupfile = g_vfs_ftp_file_new_from_gvfs (ftp, backup_path);
++      backupfile = g_vfs_ftp_file_new_from_gvfs (ftp, backup_path, 
&task.error);
+       g_free (backup_path);
++      if (backupfile == NULL)
++        {
++          g_vfs_ftp_file_free (file);
++          g_vfs_ftp_task_done (&task);
++          return;
++        }
+ 
+       info = g_vfs_ftp_dir_cache_lookup_file (ftp->dir_cache, &task, file, 
FALSE);
+ 
+@@ -1116,7 +1144,7 @@ do_close_write (GVfsBackend *backend,
+ 
+   stream = g_vfs_ftp_connection_get_data_stream (conn);
+   filename = g_object_get_data (G_OBJECT (stream), 
"g-vfs-backend-ftp-filename");
+-  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename);
++  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename, NULL);
+ 
+   g_vfs_ftp_task_give_connection (&task, handle);
+   g_vfs_ftp_task_close_data_connection (&task);
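Review bot: In do_close_write the call `g_vfs_ftp_file_new_from_gvfs (ftp, filename, NULL)` discards the error, and no NULL check follows in the visible context, although the constructor can now return NULL. The filename is read back from the stream's "g-vfs-backend-ftp-filename" data, so it was presumably validated when the write was opened. Either add a comment stating that invariant or guard against NULL before `file` is used, so a later caller that stores an unvalidated name does not turn this into a NULL dereference.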
+@@ -1168,8 +1196,14 @@ do_query_info (GVfsBackend *backend,
+   GVfsFtpTask task = G_VFS_FTP_TASK_INIT (ftp, G_VFS_JOB (job));
+   GVfsFtpFile *file;
+   GFileInfo *real;
+- 
+-  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename);
++
++  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename, &task.error);
++  if (file == NULL)
++    {
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
++
+   real = g_vfs_ftp_dir_cache_lookup_file (ftp->dir_cache,
+                                           &task,
+                                           file,
+@@ -1237,7 +1271,12 @@ do_set_attribute (GVfsBackend *backend,
+   GVfsFtpTask task = G_VFS_FTP_TASK_INIT (ftp, G_VFS_JOB (job));
+   GVfsFtpFile *file;
+ 
+-  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename);
++  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename, &task.error);
++  if (file == NULL)
++    {
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
+ 
+   if (strcmp (attribute, G_FILE_ATTRIBUTE_UNIX_MODE) == 0)
+     {
+@@ -1293,7 +1332,13 @@ do_enumerate (GVfsBackend *backend,
+   GVfsFtpFile *dir;
+   GList *list, *walk;
+ 
+-  dir = g_vfs_ftp_file_new_from_gvfs (ftp, dirname);
++  dir = g_vfs_ftp_file_new_from_gvfs (ftp, dirname, &task.error);
++  if (dir == NULL)
++    {
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
++
+   list = g_vfs_ftp_dir_cache_lookup_dir (ftp->dir_cache,
+                                          &task,
+                                          dir,
+@@ -1335,9 +1380,23 @@ do_set_display_name (GVfsBackend *backend,
+   GVfsFtpTask task = G_VFS_FTP_TASK_INIT (ftp, G_VFS_JOB (job));
+   GVfsFtpFile *original, *dir, *now;
+ 
+-  original = g_vfs_ftp_file_new_from_gvfs (ftp, filename);
++  original = g_vfs_ftp_file_new_from_gvfs (ftp, filename, &task.error);
++  if (original == NULL)
++    {
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
++
+   dir = g_vfs_ftp_file_new_parent (original);
+   now = g_vfs_ftp_file_new_child (dir, display_name, &task.error);
++  if (now == NULL)
++    {
++      g_vfs_ftp_file_free (original);
++      g_vfs_ftp_file_free (dir);
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
++
+   g_vfs_ftp_task_send (&task,
+                        G_VFS_FTP_PASS_300 | G_VFS_FTP_FAIL_200,
+                        "RNFR %s", g_vfs_ftp_file_get_ftp_path (original));
+@@ -1367,7 +1426,13 @@ do_delete (GVfsBackend *backend,
+ 
+   /* We try file deletion first. If that fails, we try directory deletion.
+    * The file-first-then-directory order has been decided by coin-toss. */
+-  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename);
++  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename, &task.error);
++  if (file == NULL)
++    {
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
++
+   response = g_vfs_ftp_task_send (&task,
+                                 G_VFS_FTP_PASS_500,
+                                 "DELE %s", g_vfs_ftp_file_get_ftp_path 
(file));
+@@ -1415,7 +1480,13 @@ do_make_directory (GVfsBackend *backend,
+   GVfsFtpFile *file;
+   static const GVfsFtpErrorFunc make_directory_handlers[] = { 
error_550_exists, error_550_parent_not_found, NULL };
+ 
+-  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename);
++  file = g_vfs_ftp_file_new_from_gvfs (ftp, filename, &task.error);
++  if (file == NULL)
++    {
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
++
+   g_vfs_ftp_task_send_and_check (&task,
+                                  0,
+                                  make_directory_handlers,
+@@ -1446,6 +1517,21 @@ do_move (GVfsBackend *backend,
+   static const GVfsFtpErrorFunc rnfr_handlers[] = { 
error_550_permission_or_not_found,
+                                                     NULL };
+ 
++  srcfile = g_vfs_ftp_file_new_from_gvfs (ftp, source, &task.error);
++  if (srcfile == NULL)
++    {
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
++
++  destfile = g_vfs_ftp_file_new_from_gvfs (ftp, destination, &task.error);
++  if (destfile == NULL)
++    {
++      g_vfs_ftp_file_free (srcfile);
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
++
+   /* FIXME: what about G_FILE_COPY_NOFOLLOW_SYMLINKS and 
G_FILE_COPY_ALL_METADATA? */
+ 
+   if (flags & G_FILE_COPY_BACKUP)
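Review bot: Creating srcfile and destfile at the top of do_move puts both allocations before the G_FILE_COPY_BACKUP check, and the next hunk shows an existing `return;` sitting between this point and the old allocation site. Confirm that this early-return path now calls g_vfs_ftp_file_free on srcfile and destfile. No such change is visible in the patch, and if it is missing both objects leak on that path.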
+@@ -1473,8 +1559,6 @@ do_move (GVfsBackend *backend,
+       return;
+     }
+ 
+-  srcfile = g_vfs_ftp_file_new_from_gvfs (ftp, source);
+-  destfile = g_vfs_ftp_file_new_from_gvfs (ftp, destination);
+   if (g_vfs_ftp_task_try_cd (&task, destfile))
+     {
+       char *basename = g_path_get_basename (source);
+@@ -1611,8 +1695,14 @@ do_pull (GVfsBackend *         backend,
+   GInputStream *input;
+   GOutputStream *output;
+   goffset total_size = 0;
+-  
+-  src = g_vfs_ftp_file_new_from_gvfs (ftp, source);
++
++  src = g_vfs_ftp_file_new_from_gvfs (ftp, source, &task.error);
++  if (src == NULL)
++    {
++      g_vfs_ftp_task_done (&task);
++      return;
++    }
++
+   dest = g_file_new_for_path (local_path);
+ 
+   if (remove_source && (flags & G_FILE_COPY_NO_FALLBACK_FOR_MOVE))
+diff --git a/daemon/gvfsftpfile.c b/daemon/gvfsftpfile.c
+index 17ec718..77361e1 100644
+--- a/daemon/gvfsftpfile.c
++++ b/daemon/gvfsftpfile.c
+@@ -68,19 +68,29 @@ g_vfs_ftp_file_compute_gvfs_path (const char *ftp_path)
+  * g_vfs_ftp_file_new_from_gvfs:
+  * @ftp: the ftp backend this file is to be used on
+  * @gvfs_path: gvfs path to create the file from
++ * @error: location to take an eventual error or %NULL
+  *
+- * Constructs a new #GVfsFtpFile representing the given gvfs path.
++ * Constructs a new #GVfsFtpFile representing the given gvfs path. If the
++ * display name is invalid, @error is set and %NULL is returned.
+  *
+- * Returns: a new file
++ * Returns: a new file or %NULL on error
+  **/
+ GVfsFtpFile *
+-g_vfs_ftp_file_new_from_gvfs (GVfsBackendFtp *ftp, const char *gvfs_path)
++g_vfs_ftp_file_new_from_gvfs (GVfsBackendFtp *ftp, const char *gvfs_path, 
GError **error)
+ {
+   GVfsFtpFile *file;
+ 
+   g_return_val_if_fail (G_VFS_IS_BACKEND_FTP (ftp), NULL);
+   g_return_val_if_fail (gvfs_path != NULL, NULL);
+ 
++  if (strpbrk (gvfs_path, "\r\n") != NULL)
++    {
++      g_set_error_literal (error,
++                           G_IO_ERROR, G_IO_ERROR_INVALID_FILENAME,
++                           _("Filename contains invalid characters."));
++      return NULL;
++    }
++
+   file = g_slice_new (GVfsFtpFile);
+   file->backend = g_object_ref (ftp);
+   file->gvfs_path = g_strdup (gvfs_path);
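Review bot: The updated doc comment for g_vfs_ftp_file_new_from_gvfs says "If the display name is invalid", but the function takes @gvfs_path and the new check is `strpbrk (gvfs_path, "\r\n")` over the whole path. Reword it to say that @error is set and %NULL is returned when the path contains CR or LF, so callers can see that every path component is covered and that NULL is now a normal return value.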
+@@ -136,7 +146,7 @@ g_vfs_ftp_file_new_parent (const GVfsFtpFile *file)
+     return g_vfs_ftp_file_copy (file);
+ 
+   dirname = g_path_get_dirname (file->gvfs_path);
+-  dir = g_vfs_ftp_file_new_from_gvfs (file->backend, dirname);
++  dir = g_vfs_ftp_file_new_from_gvfs (file->backend, dirname, NULL);
+   g_free (dirname);
+ 
+   return dir;
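Review bot: g_vfs_ftp_file_new_parent passes NULL for the error and returns `dir` unchecked, so it can now return NULL with no reason reported, and do_set_display_name hands that result straight to g_vfs_ftp_file_new_child. This is only safe if file->gvfs_path was already validated when the file was constructed. Say so in a comment here, or propagate a GError, so the unchecked return is not mistaken for an oversight.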
+@@ -163,7 +173,7 @@ g_vfs_ftp_file_new_child (const GVfsFtpFile *parent, const 
char *display_name, G
+   g_return_val_if_fail (parent != NULL, NULL);
+   g_return_val_if_fail (display_name != NULL, NULL);
+ 
+-  if (strpbrk (display_name, "/\r\n"))
++  if (strchr (display_name, '/') != NULL)
+     {
+       g_set_error_literal (error,
+                            G_IO_ERROR, G_IO_ERROR_INVALID_FILENAME,
+@@ -172,7 +182,7 @@ g_vfs_ftp_file_new_child (const GVfsFtpFile *parent, const 
char *display_name, G
+     }
+ 
+   new_path = g_strconcat (parent->gvfs_path, parent->gvfs_path[1] == 0 ? "" : 
"/", display_name, NULL);
+-  child = g_vfs_ftp_file_new_from_gvfs (parent->backend, new_path);
++  child = g_vfs_ftp_file_new_from_gvfs (parent->backend, new_path, error);
+   g_free (new_path);
+   return child;
+ }
+diff --git a/daemon/gvfsftpfile.h b/daemon/gvfsftpfile.h
+index 52f216e..186f2e9 100644
+--- a/daemon/gvfsftpfile.h
++++ b/daemon/gvfsftpfile.h
+@@ -31,7 +31,8 @@ G_BEGIN_DECLS
+ typedef struct _GVfsFtpFile GVfsFtpFile;
+ 
+ GVfsFtpFile *     g_vfs_ftp_file_new_from_gvfs          (GVfsBackendFtp *     
  ftp,
+-                                                         const char *         
  gvfs_path);
++                                                         const char *         
  gvfs_path,
++                                                         GError **            
  error);
+ GVfsFtpFile *     g_vfs_ftp_file_new_from_ftp           (GVfsBackendFtp *     
  ftp,
+                                                          const char *         
  ftp_path);
+ GVfsFtpFile *     g_vfs_ftp_file_new_parent             (const GVfsFtpFile *  
  file);
diff -Nru 
gvfs-1.50.3/debian/patches/ftp-Use-control-connection-address-for-PASV-data.patch
 
gvfs-1.50.3/debian/patches/ftp-Use-control-connection-address-for-PASV-data.patch
--- 
gvfs-1.50.3/debian/patches/ftp-Use-control-connection-address-for-PASV-data.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
gvfs-1.50.3/debian/patches/ftp-Use-control-connection-address-for-PASV-data.patch
   2026-03-29 04:12:10.000000000 +0200
@@ -0,0 +1,152 @@
+From: Ondrej Holy <[email protected]>
+Date: Thu, 19 Feb 2026 15:45:53 +0100
+Subject: ftp: Use control connection address for PASV data
+
+Currently, `PASV` uses the IP from the server reply when creating data
+connection. This may allow FTP bounce attacks. Let's always use only the
+port from the PASV reply and connect to the control connection address.
+
+Co-Authored-By: Cursor <[email protected]>
+
+Fixes: https://gitlab.gnome.org/GNOME/gvfs/-/issues/832
+Part-of: <https://gitlab.gnome.org/GNOME/gvfs/-/merge_requests/298>
+(cherry picked from commit 30b89fc61ef620dfa81492f68a21ee1fdb7021f3)
+---
+ daemon/gvfsbackendftp.c |  5 ++--
+ daemon/gvfsbackendftp.h |  1 -
+ daemon/gvfsftptask.c    | 66 ++++++++++---------------------------------------
+ 3 files changed, 15 insertions(+), 57 deletions(-)
+
+diff --git a/daemon/gvfsbackendftp.c b/daemon/gvfsbackendftp.c
+index 8f69e44..17f893e 100644
+--- a/daemon/gvfsbackendftp.c
++++ b/daemon/gvfsbackendftp.c
+@@ -63,9 +63,8 @@
+  * GVfsFtpMethod:
+  * @G_VFS_FTP_METHOD_UNKNOWN: method has not yet been determined
+  * @G_VFS_FTP_METHOD_EPSV: use EPSV command
+- * @G_VFS_FTP_METHOD_PASV: use PASV command
+- * @G_VFS_FTP_METHOD_PASV_ADDR: use PASV command, but ignore the returned 
+- *                              address and only use it's port
++ * @G_VFS_FTP_METHOD_PASV: use PASV command, but ignore the returned address
++ *                         and only use it's port (bounce attack prevention)
+  * @G_VFS_FTP_METHOD_EPRT: use the EPRT command
+  * @G_VFS_FTP_METHOD_PORT: use the PORT command
+  *
+diff --git a/daemon/gvfsbackendftp.h b/daemon/gvfsbackendftp.h
+index e4c03cf..3e84937 100644
+--- a/daemon/gvfsbackendftp.h
++++ b/daemon/gvfsbackendftp.h
+@@ -61,7 +61,6 @@ typedef enum {
+   G_VFS_FTP_METHOD_ANY = 0,
+   G_VFS_FTP_METHOD_EPSV,
+   G_VFS_FTP_METHOD_PASV,
+-  G_VFS_FTP_METHOD_PASV_ADDR,
+   G_VFS_FTP_METHOD_EPRT,
+   G_VFS_FTP_METHOD_PORT
+ } GVfsFtpMethod;
+diff --git a/daemon/gvfsftptask.c b/daemon/gvfsftptask.c
+index e44f806..0bef8b5 100644
+--- a/daemon/gvfsftptask.c
++++ b/daemon/gvfsftptask.c
+@@ -850,7 +850,7 @@ fail:
+ static GVfsFtpMethod
+ g_vfs_ftp_task_setup_data_connection_pasv (GVfsFtpTask *task, GVfsFtpMethod 
method)
+ {
+-  guint ip1, ip2, ip3, ip4, port1, port2;
++  guint port1, port2;
+   char **reply;
+   const char *s;
+   GSocketAddress *addr;
+@@ -866,10 +866,8 @@ g_vfs_ftp_task_setup_data_connection_pasv (GVfsFtpTask 
*task, GVfsFtpMethod meth
+    */
+   for (s = reply[0]; *s; s++)
+     {
+-      if (sscanf (s, "%u,%u,%u,%u,%u,%u",
+-               &ip1, &ip2, &ip3, &ip4,
+-               &port1, &port2) == 6)
+-       break;
++      if (sscanf (s, "%*u,%*u,%*u,%*u,%u,%u", &port1, &port2) == 2)
++        break;
+     }
+   if (*s == 0)
+     {
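Review bot: The new `sscanf (s, "%*u,%*u,%*u,%*u,%u,%u", &port1, &port2)` accepts any unsigned value for the two port fields, and the following hunk combines them as `port1 << 8 | port2` with no range check. Reject replies where either field exceeds 255, so a malformed PASV reply cannot produce a port other than the one its two octets encode.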
+@@ -880,52 +878,16 @@ g_vfs_ftp_task_setup_data_connection_pasv (GVfsFtpTask 
*task, GVfsFtpMethod meth
+     }
+   g_strfreev (reply);
+ 
+-  if (method == G_VFS_FTP_METHOD_PASV || method == G_VFS_FTP_METHOD_ANY)
+-    {
+-      guint8 ip[4];
+-      GInetAddress *inet_addr;
+-
+-      ip[0] = ip1;
+-      ip[1] = ip2;
+-      ip[2] = ip3;
+-      ip[3] = ip4;
+-      inet_addr = g_inet_address_new_from_bytes (ip, G_SOCKET_FAMILY_IPV4);
+-      addr = g_inet_socket_address_new (inet_addr, port1 << 8 | port2);
+-      g_object_unref (inet_addr);
+-
+-      success = g_vfs_ftp_connection_open_data_connection (task->conn,
+-                                                           addr,
+-                                                           task->cancellable,
+-                                                           &task->error);
+-      g_object_unref (addr);
+-      if (success)
+-        return G_VFS_FTP_METHOD_PASV;
+-      if (g_vfs_ftp_task_is_in_error (task) && method != G_VFS_FTP_METHOD_ANY)
+-        return G_VFS_FTP_METHOD_ANY;
+-
+-      g_vfs_ftp_task_clear_error (task);
+-    }
+-
+-  if (method == G_VFS_FTP_METHOD_PASV_ADDR || method == G_VFS_FTP_METHOD_ANY)
+-    {
+-      /* Workaround code:
+-       * Various ftp servers aren't setup correctly when behind a NAT. They 
report
+-       * their own IP address (like 10.0.0.4) and not the address in front of 
the
+-       * NAT. But this is likely the same address that we connected to with 
our
+-       * command connetion. So if the address given by PASV fails, we fall 
back
+-       * to the address of the command stream.
+-       */
+-      addr = g_vfs_ftp_task_create_remote_address (task, port1 << 8 | port2);
+-      if (addr == NULL)
+-        return G_VFS_FTP_METHOD_ANY;
+-      success = g_vfs_ftp_connection_open_data_connection (task->conn,
+-                                                           addr,
+-                                                           task->cancellable,
+-                                                           &task->error);
+-      g_object_unref (addr);
+-      if (success)
+-        return G_VFS_FTP_METHOD_PASV_ADDR;
+-    }
++  addr = g_vfs_ftp_task_create_remote_address (task, port1 << 8 | port2);
++  if (addr == NULL)
++    return G_VFS_FTP_METHOD_ANY;
++  success = g_vfs_ftp_connection_open_data_connection (task->conn,
++                                                       addr,
++                                                       task->cancellable,
++                                                       &task->error);
++  g_object_unref (addr);
++  if (success)
++    return G_VFS_FTP_METHOD_PASV;
+ 
+   return G_VFS_FTP_METHOD_ANY;
+ }
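Review bot: With the first branch removed, the data connection never goes to the address in the PASV reply, so a server that serves data from a host other than the control connection address stops working over PASV. That is the trade-off the commit message intends, but for a stable update it is a user-visible behaviour change and should be recorded in debian/changelog or NEWS alongside the CVE entry.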
+@@ -1121,7 +1083,6 @@ g_vfs_ftp_task_setup_data_connection (GVfsFtpTask *task)
+     [G_VFS_FTP_METHOD_ANY]       = g_vfs_ftp_task_setup_data_connection_any,
+     [G_VFS_FTP_METHOD_EPSV]      = g_vfs_ftp_task_setup_data_connection_epsv,
+     [G_VFS_FTP_METHOD_PASV]      = g_vfs_ftp_task_setup_data_connection_pasv,
+-    [G_VFS_FTP_METHOD_PASV_ADDR] = g_vfs_ftp_task_setup_data_connection_pasv,
+     [G_VFS_FTP_METHOD_EPRT]      = g_vfs_ftp_task_setup_data_connection_eprt,
+     [G_VFS_FTP_METHOD_PORT]      = g_vfs_ftp_task_setup_data_connection_port
+   };
+@@ -1152,7 +1113,6 @@ g_vfs_ftp_task_setup_data_connection (GVfsFtpTask *task)
+         [G_VFS_FTP_METHOD_ANY] = "any",
+         [G_VFS_FTP_METHOD_EPSV] = "EPSV",
+         [G_VFS_FTP_METHOD_PASV] = "PASV",
+-        [G_VFS_FTP_METHOD_PASV_ADDR] = "PASV with workaround",
+         [G_VFS_FTP_METHOD_EPRT] = "EPRT",
+         [G_VFS_FTP_METHOD_PORT] = "PORT"
+       };
diff -Nru gvfs-1.50.3/debian/patches/series gvfs-1.50.3/debian/patches/series
--- gvfs-1.50.3/debian/patches/series   2023-01-09 18:10:14.000000000 +0100
+++ gvfs-1.50.3/debian/patches/series   2026-03-29 04:13:28.000000000 +0200
@@ -5,3 +5,5 @@
 0008-Skip-the-umockdev-test.patch
 0009-gvfs-test-Increase-timeout-to-10s.patch
 Remove-version-from-polkit-gobject-dependency.patch
+ftp-Use-control-connection-address-for-PASV-data.patch
+ftp-Reject-paths-containing-CR-LF-characters.patch
