An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable. Upstream commit: https://gitlab.gnome.org/GNOME/gvfs/commit/d5dfd823c94045488aef8727c553f1e0f7666b90
Created gvfs tracking bugs for this issue: Affects: fedora-all [bug 1728568]
When copying a file from admin:// to file://, the target file is owned by the regular user instead of being owned by root. This could become an issue because the regular user may get access to confidential info through the copied file.
Attack Vector set to Network (AV:N) as the vulnerability can be triggered in any application that makes use of gvfs and can use the admin:// backend. Attack Complexity set to High (AC:H) because even though any network application could use the admin:// backend provided by gvfs, you must have the authorization of an admin user to access root-owned files and a way to access the copied files afterwards. Privileged Required set to Low (PR:L) because the attacker needs to have at least some access on the vulnerable system to read the copied file accessible by the regular user. User Interaction set to Required (UI:R) as usually an operation with the admin:// backend requires the user to provide a password to elevate his privileges. Confidentiality set to High (C:H) because the file copied from the admin:// backend is accessible by a regular user and some confidential info could be leaked.
Reference: https://www.openwall.com/lists/oss-security/2019/07/09/3
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1766 https://access.redhat.com/errata/RHSA-2020:1766
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-12449