Bug 1728567 (CVE-2019-12449) - CVE-2019-12449 gvfs: mishandling of file's user and group ownership in daemon/gvfsbackendadmin.c due to unavailability of root privileges
Status: CLOSED ERRATA
Alias: CVE-2019-12449
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1728568 1753971 1753972 1753973
Blocks: 1728569
Reported: 2019-07-10 07:26 UTC by Dhananjay Arunesh
Modified: 2020-04-28 16:33 UTC
Fixed In Version: gvfs 1.41.3
Last Closed: 2020-04-28 16:33:20 UTC
Links
Red Hat Product Errata RHSA-2020:1766 (Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2020-04-28 15:51:03 UTC)

Description Dhananjay Arunesh 2019-07-10 07:26:39 UTC
An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable.

Upstream commit:
https://gitlab.gnome.org/GNOME/gvfs/commit/d5dfd823c94045488aef8727c553f1e0f7666b90

Comment 1 Dhananjay Arunesh 2019-07-10 07:26:51 UTC
Created gvfs tracking bugs for this issue:

Affects: fedora-all [bug 1728568]

Comment 3 Riccardo Schirone 2019-09-20 10:02:45 UTC
When copying a file from admin:// to file://, the target file is owned by the regular user instead of being owned by root. This could become an issue because the regular user may get access to confidential info through the copied file.
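
Added example (not part of this bug report, not gvfs code, and not the upstream fix): a copy routine in plain POSIX C that fails closed when it cannot restore the source file's owner and group, which is the condition described in the comment above. The function names copy_keep_owner and ownership_drift are hypothetical, and direct POSIX calls are used here instead of GIO.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the copy's owner, group or permission bits differ from the source's. */
int ownership_drift(const struct stat *src, const struct stat *dst)
{
    return src->st_uid != dst->st_uid || src->st_gid != dst->st_gid ||
           (src->st_mode & 07777) != (dst->st_mode & 07777);
}

/* Copy src to a new file dst, keeping owner, group and mode. Fails closed:
 * if ownership cannot be restored (EPERM without root), the copy is removed
 * instead of being left owned by the caller. Returns 0, or -1 with errno. */
int copy_keep_owner(const char *src, const char *dst)
{
    struct stat ss, ds;
    char buf[4096];
    ssize_t n;
    int err = 0, out, in = open(src, O_RDONLY);

    if (in < 0) return -1;
    /* Create private (0600) and exclusive until ownership is settled. */
    out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) {
        err = errno;
        close(in);
        errno = err;
        return -1;
    }
    if (fstat(in, &ss) < 0) err = errno;
    while (!err && (n = read(in, buf, sizeof buf)) != 0)
        if (n < 0 || write(out, buf, (size_t)n) != n)
            err = errno ? errno : EIO;
    /* Owner first, mode second: chown can clear set-id bits. */
    if (!err && (fchown(out, ss.st_uid, ss.st_gid) < 0 ||
                 fchmod(out, ss.st_mode & 07777) < 0 || fstat(out, &ds) < 0))
        err = errno;
    if (!err && ownership_drift(&ss, &ds)) err = EPERM;
    close(in);
    close(out);
    if (err) unlink(dst); /* never leave a copy with the wrong owner behind */
    errno = err;
    return err ? -1 : 0;
}
```

Called without root on a source owned by another user, the function returns -1 with errno set to EPERM and no destination file remains.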

Comment 4 Riccardo Schirone 2019-09-20 10:05:13 UTC
Attack Vector set to Network (AV:N) as the vulnerability can be triggered in any application that makes use of gvfs and can use the admin:// backend.
Attack Complexity set to High (AC:H) because even though any network application could use the admin:// backend provided by gvfs, you must have the authorization of an admin user to access root-owned files and a way to access the copied files afterwards.
Privileges Required set to Low (PR:L) because the attacker needs to have at least some access on the vulnerable system to read the copied file accessible by the regular user.
User Interaction set to Required (UI:R) as usually an operation with the admin:// backend requires the user to provide a password to elevate his privileges.
Confidentiality set to High (C:H) because the file copied from the admin:// backend is accessible by a regular user and some confidential info could be leaked.

Comment 5 Riccardo Schirone 2019-09-20 11:44:20 UTC
Reference:
https://www.openwall.com/lists/oss-security/2019/07/09/3

Comment 7 errata-xmlrpc 2020-04-28 15:51:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1766 https://access.redhat.com/errata/RHSA-2020:1766

Comment 8 Product Security DevOps Team 2020-04-28 16:33:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12449
