Create patch to fix upstream gvfs issues

[Douglas R. Reno]

As a result of the security update for Glib earlier this month, another set of security issues was found in gvfs. These allow for permission/access control bypass and file modification while transfer operations are in place.

I'm going to gen a patch with all of the commits except for translation updates since the release of gvfs-1.40.1.

​https://gitlab.gnome.org/GNOME/gvfs/commits/gnome-3-32

[Douglas R. Reno]

CVE-2019-12795

daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)

​https://nvd.nist.gov/vuln/detail/CVE-2019-12795

7.8 HIGH

CVE-2019-12447

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is not used.

9.8 CRITICAL

​https://nvd.nist.gov/vuln/detail/CVE-2019-12447

CVE-2019-12448

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c has race conditions because the admin backend doesn't implement query_info_on_read/write.

8.1 HIGH

​https://nvd.nist.gov/vuln/detail/CVE-2019-12448/

CVE-2019-12449

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable.

9.8 CRITICAL

​https://nvd.nist.gov/vuln/detail/CVE-2019-12449/

[Douglas R. Reno]

Fixed at r21768