Bug#933535: buster-pu: package glib2.0/2.58.3-2+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster d-i
User: release.debian.org@packages.debian.org
Usertags: pu
GLib in buster is vulnerable to CVE-2019-13012 (configuration files
and directories created with more open permissions than intended),
which the security team have indicated is too minor for a DSA.
<https://bugs.debian.org/931234>
GLib has a udeb, so this technically needs a d-i ack, although I can't
imagine why d-i would either use GKeyfileSettingsBackend or care about
the resulting permissions.
I have deliberately not attempted to address
<https://bugs.debian.org/896019> in this upload: that will be a much
more intrusive change which should definitely go through unstable first,
and I don't want to delay a simple CVE fix for that.
Successfully tested on a buster GNOME virtual machine. I'll test on real
hardware before uploading.
smcv
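The CVE text above describes the vulnerable state (directories and the keyfile created with umask-derived, typically 0755/0644, modes) without giving a way to look for it on an installed system. The following shell functions are an added example, not part of this bug report or of GLib, that reproduce that layout in a constructed temporary tree, count every entry with any group/other permission bit set, and tighten an existing tree to the 0700/0600 modes the fixed backend uses at creation time. It assumes the default GKeyfileSettingsBackend location is $XDG_CONFIG_HOME/glib-2.0/settings/keyfile (falling back to ~/.config); the fix only affects paths created after the upgrade, so an already-present tree needs this kind of check.

```shell
#!/bin/sh
# Added example (not part of the bug report or of GLib): audit a settings
# directory for the condition CVE-2019-13012 describes, i.e. directories or
# files under it whose mode grants any group/other access. The default
# GKeyfileSettingsBackend location is assumed to be
# $XDG_CONFIG_HOME/glib-2.0/settings/keyfile (falling back to ~/.config).

# Print every entry under $1 that has a group or other permission bit set.
# Only POSIX find primaries are used so it runs with GNU and BSD find.
loose_entries() {
    find "$1" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                 -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# Number of loose entries; 0 means every directory is at most 0700 and
# every file at most 0600 (the modes the patched backend creates).
loose_count() {
    loose_entries "$1" | wc -l | tr -d ' '
}

# Build a constructed tree mimicking the pre-fix layout: parent directories
# left at 0755 and the keyfile at 0644 (0777/0666 narrowed by a 022 umask).
# Prints the tree root, which mktemp creates 0700 and so is itself not loose.
make_vulnerable_tree() {
    root=$(mktemp -d)
    mkdir -m 755 "$root/glib-2.0" "$root/glib-2.0/settings"
    printf '[org/gnome/desktop/interface]\nclock-show-seconds=true\n' \
        > "$root/glib-2.0/settings/keyfile"
    chmod 644 "$root/glib-2.0/settings/keyfile"
    printf '%s\n' "$root"
}

# Apply to an existing tree the restriction the backport enforces only at
# creation time: 0700 for directories, 0600 for files.
tighten_tree() {
    find "$1" -type d -exec chmod 700 {} \;
    find "$1" -type f -exec chmod 600 {} \;
}

# Demo on constructed data when run as: sh audit.sh --demo
# (to audit a real tree instead: loose_entries "${XDG_CONFIG_HOME:-$HOME/.config}/glib-2.0")
if [ "${1:-}" = "--demo" ]; then
    t=$(make_vulnerable_tree)
    echo "loose entries before: $(loose_count "$t")"
    tighten_tree "$t"
    echo "loose entries after:  $(loose_count "$t")"
    rm -rf "$t"
fi
```

The find expression matches on individual bits rather than `-perm /077` so it does not depend on a GNU extension; chmod is applied unconditionally because the bits, not their history, are what an attacker on a shared machine can use.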
diffstat for glib2.0-2.58.3 glib2.0-2.58.3
changelog | 11 +++++
gbp.conf | 2
patches/keyfile-settings-Use-tighter-permissions.patch | 36 +++++++++++++++++
patches/series | 1
4 files changed, 49 insertions(+), 1 deletion(-)
diff -Nru glib2.0-2.58.3/debian/changelog glib2.0-2.58.3/debian/changelog
--- glib2.0-2.58.3/debian/changelog 2019-06-03 22:37:45.000000000 +0100
+++ glib2.0-2.58.3/debian/changelog 2019-07-30 10:41:51.000000000 +0100
@@ -1,3 +1,14 @@
+glib2.0 (2.58.3-2+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * d/p/keyfile-settings-Use-tighter-permissions.patch:
+ Backport patch from upstream 2.60.0 so that the GKeyFile settings
+ backend creates ~/.config and configuration files with restrictive
+ permissions (Closes: #931234, CVE-2019-13012)
+ * d/gbp.conf: Swap branch to debian/buster
+
+ -- Simon McVittie <smcv@debian.org> Tue, 30 Jul 2019 10:41:51 +0100
+
glib2.0 (2.58.3-2) unstable; urgency=medium
* Team upload
diff -Nru glib2.0-2.58.3/debian/gbp.conf glib2.0-2.58.3/debian/gbp.conf
--- glib2.0-2.58.3/debian/gbp.conf 2019-06-03 22:37:45.000000000 +0100
+++ glib2.0-2.58.3/debian/gbp.conf 2019-07-30 10:41:51.000000000 +0100
@@ -1,6 +1,6 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/buster
upstream-branch = upstream/2.58.x
upstream-vcs-tag = %(version)s
diff -Nru glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch
--- glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch 1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch 2019-07-30 10:41:51.000000000 +0100
@@ -0,0 +1,36 @@
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Tue, 22 Jan 2019 13:26:31 -0500
+Subject: keyfile settings: Use tighter permissions
+
+When creating directories, create them with 700 permissions,
+instead of 777.
+
+Closes: #1658
+Origin: backport, 2.60.0, commit:5e4da714f00f6bfb2ccd6d73d61329c6f3a08429
+---
+ gio/gkeyfilesettingsbackend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index a37978e..580a0b0 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -89,7 +89,8 @@ g_keyfile_settings_backend_keyfile_write (GKeyfileSettingsBackend *kfsb)
+
+ contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
+ g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
+- G_FILE_CREATE_REPLACE_DESTINATION,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE,
+ NULL, NULL, NULL);
+
+ compute_checksum (kfsb->digest, contents, length);
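Review bot: the patch header above ("When creating directories, create them with 700 permissions") describes only the directory change, but this hunk also changes how the keyfile itself is written: adding G_FILE_CREATE_PRIVATE to the g_file_replace_contents() flags makes the written file 0600 instead of the umask-derived default. Because the file is only rewritten when a key changes, a keyfile that already exists with 0644 keeps that mode until the backend next writes it, not at upgrade time; the patch header or the Debian changelog should state that the fix is creation-time only. Pre-existing and outside the backport's scope, but visible here: the return value and GError of g_file_replace_contents() are still discarded (the trailing NULL, NULL, NULL), so a failure to write the file privately goes unreported.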
+@@ -640,7 +641,7 @@ g_keyfile_settings_backend_new (const gchar *filename,
+
+ kfsb->file = g_file_new_for_path (filename);
+ kfsb->dir = g_file_get_parent (kfsb->file);
+- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
++ g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
+
+ kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
+ kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
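Review bot: g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700) only creates components that are missing, so a settings directory the old code already created 0755 keeps that mode; the changelog wording "creates ~/.config and configuration files with restrictive permissions" should make clear this applies to newly created paths, and users with an existing directory need a manual chmod. Two further points on the same line: the 0700 is applied to every missing parent, so if ~/.config itself is absent it is created 0700 here, stricter than other XDG-aware programs would make it, which is worth a sentence in the patch header; and the return value (-1 with errno on failure) is ignored exactly as the previous g_file_make_directory_with_parents (..., NULL, NULL) call's was, so a mkdir failure is silent and the later write fails just as silently. g_file_peek_path() requires GLib 2.56 or later, which the 2.58.3 base satisfies, so the backport builds without further changes.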
diff -Nru glib2.0-2.58.3/debian/patches/series glib2.0-2.58.3/debian/patches/series
--- glib2.0-2.58.3/debian/patches/series 2019-06-03 22:37:45.000000000 +0100
+++ glib2.0-2.58.3/debian/patches/series 2019-07-30 10:41:51.000000000 +0100
@@ -2,6 +2,7 @@
mainloop-test-Fix-race-conditions.patch
closures-test-Avoid-timeout-on-ARM64-CPUs.patch
gfile-Limit-access-to-files-when-copying.patch
+keyfile-settings-Use-tighter-permissions.patch
01_gettext-desktopfiles.patch
81-skip-monitor-test-on-non-linux.patch
0001-timer-test-use-volatile-for-locals.patch