CVE-2019-12449

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.7 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
VendorProductVersion
gnomegvfs
1.29.4 ≤
𝑥
≤ 1.41.2
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
canonicalubuntu_linux
18.10
canonicalubuntu_linux
19.04
opensuseleap
15.0
opensuseleap
15.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gvfs
bullseye
1.46.2-1
fixed
stretch
no-dsa
jessie
not-affected
bookworm
1.50.3-1
fixed
sid
1.56.1-1
fixed
trixie
1.56.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gvfs
disco
Fixed 1.40.1-1ubuntu0.1
released
cosmic
Fixed 1.38.1-0ubuntu1.3.2
released
bionic
Fixed 1.36.1-0ubuntu1.3.3
released
xenial
not-affected
trusty
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00009.html
http://www.openwall.com/lists/oss-security/2019/07/09/3
https://gitlab.gnome.org/GNOME/gvfs/commit/409619412e11be146a31b9a99ed965925f1aabb8
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FP6BFQUPQRVRRFIYHFWWB6RHJNEB4LGQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2DQVOL5H5BVLXYCEB763DCIYJQ7ZUQ2/
https://usn.ubuntu.com/4053-1/
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00009.html
http://www.openwall.com/lists/oss-security/2019/07/09/3
https://gitlab.gnome.org/GNOME/gvfs/commit/409619412e11be146a31b9a99ed965925f1aabb8
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FP6BFQUPQRVRRFIYHFWWB6RHJNEB4LGQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2DQVOL5H5BVLXYCEB763DCIYJQ7ZUQ2/
https://usn.ubuntu.com/4053-1/