This is a version of #63481 for master.
CVE-2019-12447:
daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is
not used.
CVE-2019-12448:
daemon/gvfsbackendadmin.c has race conditions because the admin backend
doesn't implement query_info_on_read/write.
CVE-2019-12449:
daemon/gvfsbackendadmin.c mishandles a file's user and group ownership
during move (and copy with G_FILE_COPY_ALL_METADATA) operations
from admin:// to file:// URIs, because root privileges are unavailable.
Upstream MR: https://gitlab.gnome.org/GNOME/gvfs/merge_requests/48
02ea0d3959