CVE-2019-3827 (retired)

An incorrect permission check in the admin backend in gvfs before version
1.39.4 was found that allows reading and modify arbitrary files by
privileged users without asking for password when no authentication agent
is running. This vulnerability can be exploited by malicious programs
running under privileges of users belonging to the wheel group to further
escalate its privileges by modifying system files without user's knowledge.
Successful exploitation requires uncommon system configuration.
 debian> Affecting vgfs since 1.29.4 where admin backend was introduced.
Source: gvfs (LP Ubuntu Debian)
Upstream:released (1.38.1-3)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver):released (1.36.1-0ubuntu1.3)
Ubuntu 18.10 (Cosmic Cuttlefish):released (1.38.1-0ubuntu1.2)
Ubuntu 19.04 (Disco Dingo):released (1.39.90-1)
More Information

Updated: 2019-03-29 02:14:58 UTC (commit 4f84fe790cebaab8768c0c369531aca9c55f7450)