Re: [SECURITY] [DLA 1826-1] glib2.0 security update

To: debian-lts@lists.debian.org
Subject: Re: [SECURITY] [DLA 1826-1] glib2.0 security update
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Mon, 24 Jun 2019 08:28:11 +0000
Message-id: <[🔎] 20190624082811.Horde.O3VJpe5dTcVDQgMgHMZ6jfV@mail.das-netzwerkteam.de>
In-reply-to: <20190618204744.ylmidqq4lfiw33en@mail.beuc.net>

Hi Sylvain,

On  Di 18 Jun 2019 22:47:44 CEST, Sylvain Beucler wrote:

Package        : glib2.0
Version        : 2.42.1-1+deb8u1
CVE ID         : CVE-2019-12450
Debian Bug     : 929753

It was discovered that GLib does not properly restrict some file
permissions while a copy operation is in progress; instead, default
permissions are used.

For Debian 8 "Jessie", this problem has been fixed in version
2.42.1-1+deb8u1.

We recommend that you upgrade your glib2.0 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

I wonder, if it would be good to have this upstream patch backportedto jessie's glib2.0, too, to have the file permission stuff complete:


```
From 5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Tue, 22 Jan 2019 13:26:31 -0500
Subject: [PATCH] keyfile settings: Use tighter permissions

When creating directories, create them with 700 permissions,
instead of 777.

Closes: #1658
---
 gio/gkeyfilesettingsbackend.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/gio/gkeyfilesettingsbackend.c
+++ b/gio/gkeyfilesettingsbackend.c
@@ -89,7 +89,8 @@

   contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
   g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
-                           G_FILE_CREATE_REPLACE_DESTINATION,
+                           G_FILE_CREATE_REPLACE_DESTINATION |
+                           G_FILE_CREATE_PRIVATE,
                            NULL, NULL, NULL);

   compute_checksum (kfsb->digest, contents, length);
@@ -640,7 +641,7 @@

   kfsb->file = g_file_new_for_path (filename);
   kfsb->dir = g_file_get_parent (kfsb->file);
-  g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
+  g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);

   kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
   kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);

```

The patch was not explicitly mentioned in the CVE, but I stumbled overit when fixing glib2.0 for wheezy ELTS last month. (Unfortunately, theg_mkdir_with_parents() symbol is not in jessie, for wheezy I skippedthe safe directory creation part).


Greets,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgp3QAY3kCO7f.pgp
Description: Digitale PGP-Signatur

Reply to:

Follow-Ups:
- Re: [SECURITY] [DLA 1826-1] glib2.0 security update
  - From: Sylvain Beucler <beuc@beuc.net>

Prev by Date: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity
Next by Date: [DLA 1835-1] python3.4 security update breaks upgrade (SyntaxError: invalid syntax)
Previous by thread: Re: Not approved Posting to debian-lts-announce
Next by thread: Re: [SECURITY] [DLA 1826-1] glib2.0 security update
Index(es):
- Date
- Thread