[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DLA 1826-1] glib2.0 security update

Hi Sylvain,

On  Di 18 Jun 2019 22:47:44 CEST, Sylvain Beucler wrote:

Package        : glib2.0
Version        : 2.42.1-1+deb8u1
CVE ID         : CVE-2019-12450
Debian Bug     : 929753

It was discovered that GLib does not properly restrict some file
permissions while a copy operation is in progress; instead, default
permissions are used.

For Debian 8 "Jessie", this problem has been fixed in version

We recommend that you upgrade your glib2.0 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

I wonder, if it would be good to have this upstream patch backported to jessie's glib2.0, too, to have the file permission stuff complete:

From 5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Tue, 22 Jan 2019 13:26:31 -0500
Subject: [PATCH] keyfile settings: Use tighter permissions

When creating directories, create them with 700 permissions,
instead of 777.

Closes: #1658
 gio/gkeyfilesettingsbackend.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/gio/gkeyfilesettingsbackend.c
+++ b/gio/gkeyfilesettingsbackend.c
@@ -89,7 +89,8 @@

   contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
   g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
-                           G_FILE_CREATE_REPLACE_DESTINATION,
+                           G_FILE_CREATE_REPLACE_DESTINATION |
+                           G_FILE_CREATE_PRIVATE,
                            NULL, NULL, NULL);

   compute_checksum (kfsb->digest, contents, length);
@@ -640,7 +641,7 @@

   kfsb->file = g_file_new_for_path (filename);
   kfsb->dir = g_file_get_parent (kfsb->file);
-  g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
+  g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);

   kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
   kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);


The patch was not explicitly mentioned in the CVE, but I stumbled over it when fixing glib2.0 for wheezy ELTS last month. (Unfortunately, the g_mkdir_with_parents() symbol is not in jessie, for wheezy I skipped the safe directory creation part).


c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgp3QAY3kCO7f.pgp
Description: Digitale PGP-Signatur

Reply to: