
Bug#933535: marked as done (buster-pu: package glib2.0/2.58.3-2+deb10u1)



Your message dated Sat, 07 Sep 2019 14:34:49 +0100
with message-id <f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes including in 10.1 point release
has caused the Debian Bug report #933535,
regarding buster-pu: package glib2.0/2.58.3-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
933535: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933535
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster d-i
User: release.debian.org@packages.debian.org
Usertags: pu

GLib in buster is vulnerable to CVE-2019-13012 (configuration files
and directories created with more open permissions than intended),
which the security team have indicated is too minor for a DSA.
<https://bugs.debian.org/931234>

GLib has a udeb, so this technically needs a d-i ack, although I can't
imagine why d-i would either use GKeyfileSettingsBackend or care about
the resulting permissions.

I have deliberately not attempted to address
<https://bugs.debian.org/896019> in this upload: that will be a much
more intrusive change which should definitely go through unstable first,
and I don't want to delay a simple CVE fix for that.

Successfully tested on a buster GNOME virtual machine. I'll test on real
hardware before uploading.

    smcv
diffstat for glib2.0-2.58.3 glib2.0-2.58.3

 changelog                                              |   11 +++++
 gbp.conf                                               |    2 
 patches/keyfile-settings-Use-tighter-permissions.patch |   36 +++++++++++++++++
 patches/series                                         |    1 
 4 files changed, 49 insertions(+), 1 deletion(-)

diff -Nru glib2.0-2.58.3/debian/changelog glib2.0-2.58.3/debian/changelog
--- glib2.0-2.58.3/debian/changelog	2019-06-03 22:37:45.000000000 +0100
+++ glib2.0-2.58.3/debian/changelog	2019-07-30 10:41:51.000000000 +0100
@@ -1,3 +1,14 @@
+glib2.0 (2.58.3-2+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * d/p/keyfile-settings-Use-tighter-permissions.patch:
+    Backport patch from upstream 2.60.0 so that the GKeyFile settings
+    backend creates ~/.config and configuration files with restrictive
+    permissions (Closes: #931234, CVE-2019-13012)
+  * d/gbp.conf: Swap branch to debian/buster
+
+ -- Simon McVittie <smcv@debian.org>  Tue, 30 Jul 2019 10:41:51 +0100
+
 glib2.0 (2.58.3-2) unstable; urgency=medium
 
   * Team upload
diff -Nru glib2.0-2.58.3/debian/gbp.conf glib2.0-2.58.3/debian/gbp.conf
--- glib2.0-2.58.3/debian/gbp.conf	2019-06-03 22:37:45.000000000 +0100
+++ glib2.0-2.58.3/debian/gbp.conf	2019-07-30 10:41:51.000000000 +0100
@@ -1,6 +1,6 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/buster
 upstream-branch = upstream/2.58.x
 upstream-vcs-tag = %(version)s
 
diff -Nru glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch
--- glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch	1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch	2019-07-30 10:41:51.000000000 +0100
@@ -0,0 +1,36 @@
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Tue, 22 Jan 2019 13:26:31 -0500
+Subject: keyfile settings: Use tighter permissions
+
+When creating directories, create them with 700 permissions,
+instead of 777.
+
+Closes: #1658
+Origin: backport, 2.60.0, commit:5e4da714f00f6bfb2ccd6d73d61329c6f3a08429
+---
+ gio/gkeyfilesettingsbackend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index a37978e..580a0b0 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -89,7 +89,8 @@ g_keyfile_settings_backend_keyfile_write (GKeyfileSettingsBackend *kfsb)
+ 
+   contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
+   g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
+-                           G_FILE_CREATE_REPLACE_DESTINATION,
++                           G_FILE_CREATE_REPLACE_DESTINATION |
++                           G_FILE_CREATE_PRIVATE,
+                            NULL, NULL, NULL);
+ 
+   compute_checksum (kfsb->digest, contents, length);
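Review bot: the patch description above only talks about directories (700 instead of 777), but this hunk also changes how the keyfile itself is written: adding G_FILE_CREATE_PRIVATE to the g_file_replace_contents() flags makes the settings file private as well, which is what the changelog entry says and the patch header should say too. Two caveats belong in the backport header: G_FILE_CREATE_PRIVATE only governs the mode used when the file is (re)created, and nothing in this hunk chmods an existing file, so whether a keyfile that an older build already left readable by other users comes out 0600 after the next write depends on how g_file_replace_contents() with G_FILE_CREATE_REPLACE_DESTINATION treats the existing file's mode; that is worth verifying on an upgraded system rather than assuming. And the call still passes `NULL, NULL, NULL` for cancellable, etag and error and discards the return value, so a write that now fails (for instance because the directory is no longer accessible) is silent, exactly as before the change.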
+@@ -640,7 +641,7 @@ g_keyfile_settings_backend_new (const gchar *filename,
+ 
+   kfsb->file = g_file_new_for_path (filename);
+   kfsb->dir = g_file_get_parent (kfsb->file);
+-  g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
++  g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
+ 
+   kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
+   kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
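Review bot: g_mkdir_with_parents() creates every missing ancestor of kfsb->dir with mode 0700, not just the leaf, so the change from g_file_make_directory_with_parents() is more than the mode: if the filename handed to g_keyfile_settings_backend_new() sits several levels below an existing directory, all of those intermediate directories become private too. That is the right default for a per-user configuration tree, but the description should state it, since a caller that points the backend at a shared location will find the parents unreadable by other users. The return value is still ignored here (g_mkdir_with_parents() returns -1 with errno set), so a failed mkdir only surfaces later when the write fails. Since this is a backport from 2.60.0 into 2.58.3, also confirm that g_file_peek_path() is available in the 2.58.x tree the patch is applied to; the buster build and test the submitter reports would cover that.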
diff -Nru glib2.0-2.58.3/debian/patches/series glib2.0-2.58.3/debian/patches/series
--- glib2.0-2.58.3/debian/patches/series	2019-06-03 22:37:45.000000000 +0100
+++ glib2.0-2.58.3/debian/patches/series	2019-07-30 10:41:51.000000000 +0100
@@ -2,6 +2,7 @@
 mainloop-test-Fix-race-conditions.patch
 closures-test-Avoid-timeout-on-ARM64-CPUs.patch
 gfile-Limit-access-to-files-when-copying.patch
+keyfile-settings-Use-tighter-permissions.patch
 01_gettext-desktopfiles.patch
 81-skip-monitor-test-on-non-linux.patch
 0001-timer-test-use-volatile-for-locals.patch

--- End Message ---
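The permission problem described in the request above, as an added example that is not part of the bug report or of GLib: it reproduces the difference between the old and new creation modes with plain POSIX calls (no GIO) under the usual umask of 022, and includes an is_private() check you can run over an existing settings tree after upgrading, since the backport only changes how new files and directories are created. The temporary directory layout and the keyfile contents are constructed for the demonstration.

```c
/* Added example, not code from the Debian bug report or from GLib. Shows why a
 * directory made at mode 0777 and a file written at mode 0666 are still
 * readable by every local user after a typical umask, and what 0700 / 0600
 * (the backported patch's choice) give instead. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if path has no group/other permission bits set, 0 if it has any,
 * -1 if it cannot be stat'ed. Run this over an existing settings tree after
 * the upgrade: the fix only changes how new files and directories are
 * created, so ones left behind by an older GLib keep their old mode. */
int is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Create the settings directory and keyfile either the "before" way
 * (directory 0777, file 0666, both then narrowed by the umask) or the
 * "after" way (0700 / 0600, matching the backported patch). The keyfile
 * body is a constructed sample. Returns 0 on success, -1 on failure. */
int create_settings(const char *dir, const char *file, int tight)
{
    static const char contents[] = "[org/example/app]\nsetting='value'\n";
    int fd;

    if (mkdir(dir, tight ? 0700 : 0777) != 0)
        return -1;
    fd = open(file, O_WRONLY | O_CREAT | O_TRUNC, tight ? 0600 : 0666);
    if (fd < 0)
        return -1;
    if (write(fd, contents, sizeof contents - 1) != (ssize_t)(sizeof contents - 1)) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Build both variants under a fresh temporary directory with umask 022 and
 * check them. Returns a bit mask: bit 0 set if the loose variant ended up
 * private, bit 1 set if the tight variant did, -1 on a setup error. With
 * umask 022 the loose directory comes out 0755 and the file 0644, i.e.
 * readable by every local user, so the result is 2. */
int demo(void)
{
    char base[] = "/tmp/keyfile-perms-XXXXXX"; /* constructed scratch location */
    char ldir[256], lfile[256], tdir[256], tfile[256];
    int loose, tight;

    if (mkdtemp(base) == NULL)
        return -1;
    umask(022);

    snprintf(ldir, sizeof ldir, "%s/loose", base);
    snprintf(lfile, sizeof lfile, "%s/loose/keyfile", base);
    snprintf(tdir, sizeof tdir, "%s/tight", base);
    snprintf(tfile, sizeof tfile, "%s/tight/keyfile", base);

    if (create_settings(ldir, lfile, 0) != 0 || create_settings(tdir, tfile, 1) != 0)
        return -1;

    loose = is_private(ldir) == 1 && is_private(lfile) == 1;
    tight = is_private(tdir) == 1 && is_private(tfile) == 1;

    /* clean up the scratch tree */
    unlink(lfile);
    rmdir(ldir);
    unlink(tfile);
    rmdir(tdir);
    rmdir(base);

    return (tight << 1) | loose;
}

int main(void)
{
    int r = demo();
    if (r < 0) {
        perror("demo");
        return 1;
    }
    printf("loose (0777/0666 after umask 022): %s\n", (r & 1) ? "private" : "readable by others");
    printf("tight (0700/0600):                 %s\n", (r & 2) ? "private" : "readable by others");
    return 0;
}
```

The umask can only remove bits, which is why the old pattern never produced world-writable files but did leave them world-readable. For an already-upgraded system, the equivalent one-line audit in the shell is `find "${XDG_CONFIG_HOME:-$HOME/.config}/glib-2.0/settings" -perm /077`, where that path is the backend's default keyfile location as I understand it (an assumption; the report itself only mentions ~/.config).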
--- Begin Message ---
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's
buster point release.

Regards,

Adam

--- End Message ---
