CVE-2019-3827

Priority
Description
An incorrect permission check in the admin backend in gvfs before version
1.39.4 was found that allows privileged users to read and modify arbitrary
files without being asked for a password when no authentication agent
is running. This vulnerability can be exploited by malicious programs
running with the privileges of users belonging to the wheel group to further
escalate their privileges by modifying system files without the user's knowledge.
Successful exploitation requires an uncommon system configuration.
Assigned-to
leosilva
Notes
debian: Affecting gvfs since 1.29.4 where admin backend was introduced.
Package
Source: gvfs (LP Ubuntu Debian)
Upstream: released (1.38.1-3)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected [code not present])
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver): released (1.36.1-0ubuntu1.3)
More Information

Updated: 2020-01-29 20:05:17 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)