[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DLA 1826-1] glib2.0 security update



Hi Mike,

On Mon, Jun 24, 2019 at 08:28:11AM +0000, Mike Gabriel wrote:
> On  Di 18 Jun 2019 22:47:44 CEST, Sylvain Beucler wrote:
> 
> > Package        : glib2.0
> > Version        : 2.42.1-1+deb8u1
> > CVE ID         : CVE-2019-12450
> > Debian Bug     : 929753
> > 
> > It was discovered that GLib does not properly restrict some file
> > permissions while a copy operation is in progress; instead, default
> > permissions are used.
> > 
> > For Debian 8 "Jessie", this problem has been fixed in version
> > 2.42.1-1+deb8u1.
> > 
> > We recommend that you upgrade your glib2.0 packages.
> > 
> > Further information about Debian LTS security advisories, how to apply
> > these updates to your system and frequently asked questions can be
> > found at: https://wiki.debian.org/LTS
> 
> I wonder, if it would be good to have this upstream patch backported to
> jessie's glib2.0, too, to have the file permission stuff complete:
> 
> ```
> From 5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 Mon Sep 17 00:00:00 2001
> From: Matthias Clasen <mclasen@redhat.com>
> Date: Tue, 22 Jan 2019 13:26:31 -0500
> Subject: [PATCH] keyfile settings: Use tighter permissions
> 
> When creating directories, create them with 700 permissions,
> instead of 777.
> 
> Closes: #1658
> ---
>  gio/gkeyfilesettingsbackend.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> --- a/gio/gkeyfilesettingsbackend.c
> +++ b/gio/gkeyfilesettingsbackend.c
> @@ -89,7 +89,8 @@
> 
>    contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
>    g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
> -                           G_FILE_CREATE_REPLACE_DESTINATION,
> +                           G_FILE_CREATE_REPLACE_DESTINATION |
> +                           G_FILE_CREATE_PRIVATE,
>                             NULL, NULL, NULL);
> 
>    compute_checksum (kfsb->digest, contents, length);
> @@ -640,7 +641,7 @@
> 
>    kfsb->file = g_file_new_for_path (filename);
>    kfsb->dir = g_file_get_parent (kfsb->file);
> -  g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
> +  g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
> 
>    kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
>    kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
> 
> ```
> 
> The patch was not explicitly mentioned in the CVE, but I stumbled over it
> when fixing glib2.0 for wheezy ELTS last month. (Unfortunately, the
> g_mkdir_with_parents() symbol is not in jessie, for wheezy I skipped the
> safe directory creation part).

This looks like another vulnerability, not related to copying files
from a non-unix VFS, but to the creation of key/value files and their
directory (mitigated by umask and the strict permissions of e.g. ~/.config).

Do you know if this has a CVE?
Maybe we can ask pkg-gnome-maintainers's point?
(I didn't see this applied in other distros but I may have missed it.)

Feel free to take over btw, I won't be much available until next week :)

Cheers!
Sylvain


Reply to: