Bug 1728567 (CVE-2019-12449)

Summary: CVE-2019-12449 gvfs: mishandling of file's user and group ownership in daemon/gvfsbackendadmin.c due to unavailability of root privileges
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: oholy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: gvfs 1.41.3
Doc Type: If docs needed, set a value
Bug Depends On: 1753972, 1728568, 1753971, 1753973    
Bug Blocks: 1728569    

Description Dhananjay Arunesh 2019-07-10 07:26:39 UTC
An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable.

Upstream commit:
https://gitlab.gnome.org/GNOME/gvfs/commit/d5dfd823c94045488aef8727c553f1e0f7666b90

Comment 1 Dhananjay Arunesh 2019-07-10 07:26:51 UTC
Created gvfs tracking bugs for this issue:

Affects: fedora-all [bug 1728568]

Comment 3 Riccardo Schirone 2019-09-20 10:02:45 UTC
When copying a file from admin:// to file://, the target file is owned by the regular user instead of being owned by root. This could become an issue because the regular user may get access to confidential info through the copied file.
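
The failure mode described in comment 3, seen from the defensive side, as an added example that is not part of this bug report and is not the gvfs fix: a copy routine that either gives the destination the source's owner or leaves no destination behind. The function name `copy_keep_owner` and its `owner` parameter are assumptions made for this illustration.

```python
import os
import shutil
import stat


def copy_keep_owner(src, dst, owner=None):
    """Copy src to dst; dst ends up owned by `owner` (default: src's
    uid/gid) or is not left behind at all. Returns the (uid, gid) applied."""
    with open(src, "rb") as fin:
        src_st = os.fstat(fin.fileno())
        uid, gid = owner if owner is not None else (src_st.st_uid, src_st.st_gid)
        # O_EXCL refuses a pre-created dst; mode 0600 keeps the data
        # private for as long as the copy is incomplete.
        fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            with os.fdopen(fd, "wb") as fout:
                # Set and verify ownership before any data is written.
                # Without CAP_CHOWN this raises PermissionError when uid
                # differs from the caller's: the situation in the report,
                # where root privileges are unavailable.
                os.fchown(fd, uid, gid)
                dst_st = os.fstat(fd)
                if (dst_st.st_uid, dst_st.st_gid) != (uid, gid):
                    raise PermissionError("owner mismatch on %s" % dst)
                shutil.copyfileobj(fin, fout)
                fout.flush()
                # Only now apply the source's permission bits (no setuid/setgid).
                os.fchmod(fd, stat.S_IMODE(src_st.st_mode) & 0o777)
        except OSError:
            os.unlink(dst)  # fail closed: no wrongly-owned copy remains
            raise
    return uid, gid
```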

Comment 4 Riccardo Schirone 2019-09-20 10:05:13 UTC
Attack Vector set to Network (AV:N) as the vulnerability can be triggered in any application that makes use of gvfs and can use the admin:// backend.
Attack Complexity set to High (AC:H) because even though any network application could use the admin:// backend provided by gvfs, you must have the authorization of an admin user to access root-owned files and a way to access the copied files afterwards.
Privileges Required set to Low (PR:L) because the attacker needs to have at least some access on the vulnerable system to read the copied file accessible by the regular user.
User Interaction set to Required (UI:R) as usually an operation with the admin:// backend requires the user to provide a password to elevate his privileges.
Confidentiality set to High (C:H) because the file copied from the admin:// backend is accessible by a regular user and some confidential info could be leaked.

Comment 5 Riccardo Schirone 2019-09-20 11:44:20 UTC
Reference:
https://www.openwall.com/lists/oss-security/2019/07/09/3