
Bug#933535: buster-pu: package glib2.0/2.58.3-2+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster d-i
User: release.debian.org@packages.debian.org
Usertags: pu

GLib in buster is vulnerable to CVE-2019-13012 (configuration files
and directories created with more open permissions than intended),
which the security team have indicated is too minor for a DSA.
<https://bugs.debian.org/931234>

GLib has a udeb, so this technically needs a d-i ack, although I can't
imagine why d-i would either use GKeyfileSettingsBackend or care about
the resulting permissions.

I have deliberately not attempted to address
<https://bugs.debian.org/896019> in this upload: that will be a much
more intrusive change which should definitely go through unstable first,
and I don't want to delay a simple CVE fix for that.

Successfully tested on a buster GNOME virtual machine. I'll test on real
hardware before uploading.

    smcv

diffstat for glib2.0-2.58.3 glib2.0-2.58.3

 changelog                                              |   11 +++++
 gbp.conf                                               |    2 
 patches/keyfile-settings-Use-tighter-permissions.patch |   36 +++++++++++++++++
 patches/series                                         |    1 
 4 files changed, 49 insertions(+), 1 deletion(-)

diff -Nru glib2.0-2.58.3/debian/changelog glib2.0-2.58.3/debian/changelog
--- glib2.0-2.58.3/debian/changelog	2019-06-03 22:37:45.000000000 +0100
+++ glib2.0-2.58.3/debian/changelog	2019-07-30 10:41:51.000000000 +0100
@@ -1,3 +1,14 @@
+glib2.0 (2.58.3-2+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * d/p/keyfile-settings-Use-tighter-permissions.patch:
+    Backport patch from upstream 2.60.0 so that the GKeyFile settings
+    backend creates ~/.config and configuration files with restrictive
+    permissions (Closes: #931234, CVE-2019-13012)
+  * d/gbp.conf: Swap branch to debian/buster
+
+ -- Simon McVittie <smcv@debian.org>  Tue, 30 Jul 2019 10:41:51 +0100
+
 glib2.0 (2.58.3-2) unstable; urgency=medium
 
   * Team upload
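Review bot: the summary "creates ~/.config and configuration files with restrictive permissions" should make clear that the tighter modes apply only to directories and files created after the upgrade; the backported patch replaces the directory creation with `g_mkdir_with_parents (..., 0700)`, which sets the mode only on directories it creates, so an already existing ~/.config keeps whatever permissions it got from the vulnerable version. A short sentence in this entry (or a NEWS note) saying that users who ran the GKeyFile backend before the update need to tighten the existing directory themselves would make the scope of the CVE-2019-13012 fix clear to buster users.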
diff -Nru glib2.0-2.58.3/debian/gbp.conf glib2.0-2.58.3/debian/gbp.conf
--- glib2.0-2.58.3/debian/gbp.conf	2019-06-03 22:37:45.000000000 +0100
+++ glib2.0-2.58.3/debian/gbp.conf	2019-07-30 10:41:51.000000000 +0100
@@ -1,6 +1,6 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/buster
 upstream-branch = upstream/2.58.x
 upstream-vcs-tag = %(version)s
 
diff -Nru glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch
--- glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch	1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch	2019-07-30 10:41:51.000000000 +0100
@@ -0,0 +1,36 @@
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Tue, 22 Jan 2019 13:26:31 -0500
+Subject: keyfile settings: Use tighter permissions
+
+When creating directories, create them with 700 permissions,
+instead of 777.
+
+Closes: #1658
+Origin: backport, 2.60.0, commit:5e4da714f00f6bfb2ccd6d73d61329c6f3a08429
+---
+ gio/gkeyfilesettingsbackend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index a37978e..580a0b0 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -89,7 +89,8 @@ g_keyfile_settings_backend_keyfile_write (GKeyfileSettingsBackend *kfsb)
+ 
+   contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
+   g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
+-                           G_FILE_CREATE_REPLACE_DESTINATION,
++                           G_FILE_CREATE_REPLACE_DESTINATION |
++                           G_FILE_CREATE_PRIVATE,
+                            NULL, NULL, NULL);
+ 
+   compute_checksum (kfsb->digest, contents, length);
+@@ -640,7 +641,7 @@ g_keyfile_settings_backend_new (const gchar *filename,
+ 
+   kfsb->file = g_file_new_for_path (filename);
+   kfsb->dir = g_file_get_parent (kfsb->file);
+-  g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
++  g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
+ 
+   kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
+   kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
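Review bot: in the second inner hunk, `g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700)` applies 0700 only to directories it has to create, still subject to the process umask, and its int return value is discarded just as the old `g_file_make_directory_with_parents` call discarded its GError, so a failed directory creation stays silent until the `g_file_replace_contents` call in the first inner hunk (also passed a NULL GError) fails later. That matches the upstream commit named in the Origin line, so the backport itself needs no change, but the patch description ("create them with 700 permissions, instead of 777") would benefit from a sentence that pre-existing directories are not retroactively tightened. One thing to confirm for the backport is that `g_file_peek_path` exists in the target version: it was added in GLib 2.56, which 2.58.3 satisfies, so no further adaptation is needed.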
diff -Nru glib2.0-2.58.3/debian/patches/series glib2.0-2.58.3/debian/patches/series
--- glib2.0-2.58.3/debian/patches/series	2019-06-03 22:37:45.000000000 +0100
+++ glib2.0-2.58.3/debian/patches/series	2019-07-30 10:41:51.000000000 +0100
@@ -2,6 +2,7 @@
 mainloop-test-Fix-race-conditions.patch
 closures-test-Avoid-timeout-on-ARM64-CPUs.patch
 gfile-Limit-access-to-files-when-copying.patch
+keyfile-settings-Use-tighter-permissions.patch
 01_gettext-desktopfiles.patch
 81-skip-monitor-test-on-non-linux.patch
 0001-timer-test-use-volatile-for-locals.patch
