Bug#934741: stretch-pu: package glib2.0/2.50.3-2+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch d-i
User: release.debian.org@packages.debian.org
Usertags: pu
glib2.0 in stretch has some minor security vulnerabilities for which
the security team have declined to issue DSAs: the most recent is also
pending review as a buster update (#933535) and the others were already
fixed before the buster release. I've prepared a backport of the fixes,
which is very similar to the delta between jessie and jessie-lts.
I have done some basic testing of this proposed update in a GNOME virtual
machine, but I no longer have physical access to any stretch desktops
that are in real use (the only stretch machines I'm responsible for
will be upgraded to buster when I next get physical access to them)
so additional testing by stretch users would be welcome, particularly
by users of GTK-based desktops like GNOME and XFCE. Test binaries are
available here: https://people.debian.org/~smcv/201908/
As with #933535, glib2.0 builds udebs for the graphical installer, so this
will need a d-i ack.
Thanks,
smcv
diffstat for glib2.0-2.50.3 glib2.0-2.50.3
changelog | 22 +
gbp.conf | 17 +
patches/gfile-Limit-access-to-files-when-copying.patch | 54 ++++
patches/gmarkup-Avoid-reading-off-the-end-of-a-buffer-when-non-nu.patch | 115 ++++++++++
patches/gmarkup-Fix-crash-in-error-handling-path-for-closing-elem.patch | 78 ++++++
patches/gmarkup-Fix-unvalidated-UTF-8-read-in-markup-parsing-erro.patch | 86 +++++++
patches/keyfile-settings-Use-tighter-permissions.patch | 48 ++++
patches/series | 5
8 files changed, 425 insertions(+)
diff -Nru glib2.0-2.50.3/debian/changelog glib2.0-2.50.3/debian/changelog
--- glib2.0-2.50.3/debian/changelog 2017-03-19 23:21:57.000000000 +0000
+++ glib2.0-2.50.3/debian/changelog 2019-08-13 10:46:20.000000000 +0100
@@ -1,3 +1,25 @@
+glib2.0 (2.50.3-2+deb9u1) stretch; urgency=medium
+
+ * Team upload
+ * d/gbp.conf: Add GNOME team configuration
+ * d/p/gfile-Limit-access-to-files-when-copying.patch:
+ When copying files, give the temporary partial copy of the file
+ suitably restrictive permissions (Closes: #929753; CVE-2019-12450)
+ * d/p/keyfile-settings-Use-tighter-permissions.patch:
+ Create directory and file with restrictive permissions when using the
+ GKeyfileSettingsBackend. Mitigation: in this version of GLib, the
+ GKeyfileSettingsBackend can only be used explicitly by code, and is
+ never selected automatically. (Closes: #931234; CVE-2019-13012)
+ * d/p/gmarkup-Fix-unvalidated-UTF-8-read-in-markup-parsing-erro.patch,
+ d/p/gmarkup-Avoid-reading-off-the-end-of-a-buffer-when-non-nu.patch:
+ Avoid buffer read overrun when formatting error messages for invalid
+ UTF-8 in GMarkup (CVE-2018-16429)
+ * d/p/gmarkup-Fix-crash-in-error-handling-path-for-closing-elem.patch:
+ Avoid NULL dereference when parsing invalid GMarkup with a malformed
+ closing tag not paired with an opening tag (CVE-2018-16429)
+
+ -- Simon McVittie <smcv@debian.org> Tue, 13 Aug 2019 10:46:20 +0100
+
glib2.0 (2.50.3-2) unstable; urgency=medium
* debian/patches/tests-gdatetime-Use-a-real-rather-than-invented-time.patch:
diff -Nru glib2.0-2.50.3/debian/gbp.conf glib2.0-2.50.3/debian/gbp.conf
--- glib2.0-2.50.3/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.50.3/debian/gbp.conf 2019-08-13 10:46:20.000000000 +0100
@@ -0,0 +1,17 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/stretch
+upstream-branch = upstream/2.50.x
+upstream-vcs-tag = %(version)s
+
+[buildpackage]
+sign-tags = True
+
+[dch]
+multimaint-merge = True
+
+[import-orig]
+postimport = dch -v%(version)s New upstream release; git add debian/changelog; debcommit
+
+[pq]
+patch-numbers = False
diff -Nru glib2.0-2.50.3/debian/patches/gfile-Limit-access-to-files-when-copying.patch glib2.0-2.50.3/debian/patches/gfile-Limit-access-to-files-when-copying.patch
--- glib2.0-2.50.3/debian/patches/gfile-Limit-access-to-files-when-copying.patch 1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.50.3/debian/patches/gfile-Limit-access-to-files-when-copying.patch 2019-08-13 10:46:20.000000000 +0100
@@ -0,0 +1,54 @@
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:41:53 +0200
+Subject: gfile: Limit access to files when copying
+
+file_copy_fallback creates new files with default permissions and
+set the correct permissions after the operation is finished. This
+might cause that the files can be accessible by more users during
+the operation than expected. Use G_FILE_CREATE_PRIVATE for the new
+files to limit access to those files.
+
+Bug: https://gitlab.gnome.org/GNOME/glib/merge_requests/876
+Bug-CVE: CVE-2019-12450
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929753
+Origin: upstream, 2.61.1, commit:d8f8f4d637ce43f8699ba94c9b7648beda0ca174
+---
+ gio/gfile.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/gio/gfile.c b/gio/gfile.c
+index 851213e..c085fb1 100644
+--- a/gio/gfile.c
++++ b/gio/gfile.c
+@@ -3154,12 +3154,12 @@ file_copy_fallback (GFile *source,
+ out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+ FALSE, NULL,
+ flags & G_FILE_COPY_BACKUP,
+- G_FILE_CREATE_REPLACE_DESTINATION,
+- info,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE, info,
+ cancellable, error);
+ else
+ out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+- FALSE, 0, info,
++ FALSE, G_FILE_CREATE_PRIVATE, info,
+ cancellable, error);
+ }
+ else if (flags & G_FILE_COPY_OVERWRITE)
+@@ -3167,12 +3167,13 @@ file_copy_fallback (GFile *source,
+ out = (GOutputStream *)g_file_replace (destination,
+ NULL,
+ flags & G_FILE_COPY_BACKUP,
+- G_FILE_CREATE_REPLACE_DESTINATION,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE,
+ cancellable, error);
+ }
+ else
+ {
+- out = (GOutputStream *)g_file_create (destination, 0, cancellable, error);
++ out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error);
+ }
+
+ if (!out)
diff -Nru glib2.0-2.50.3/debian/patches/gmarkup-Avoid-reading-off-the-end-of-a-buffer-when-non-nu.patch glib2.0-2.50.3/debian/patches/gmarkup-Avoid-reading-off-the-end-of-a-buffer-when-non-nu.patch
--- glib2.0-2.50.3/debian/patches/gmarkup-Avoid-reading-off-the-end-of-a-buffer-when-non-nu.patch 1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.50.3/debian/patches/gmarkup-Avoid-reading-off-the-end-of-a-buffer-when-non-nu.patch 2019-08-13 10:46:20.000000000 +0100
@@ -0,0 +1,115 @@
+From: Philip Withnall <withnall@endlessm.com>
+Date: Fri, 26 Oct 2018 23:06:37 +1300
+Subject: gmarkup: Avoid reading off the end of a buffer when
+ non-nul-terminated
+
+When extracting a UTF-8 character to put in an error message on parse
+failure, pass the remaining buffer length to utf8_str() to avoid it
+running off the end of the input buffer. It previously assumed that the
+buffer was nul-terminated, which was the case in all the tests until
+now.
+
+A following commit will add test coverage for this.
+
+Signed-off-by: Philip Withnall <withnall@endlessm.com>
+(cherry picked from commit 8cfe53f081f8147cd3c36aebf64c635e04d3ab09)
+
+Origin: backport
+---
+ glib/gmarkup.c | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/glib/gmarkup.c b/glib/gmarkup.c
+index 57199a5..0b8f521 100644
+--- a/glib/gmarkup.c
++++ b/glib/gmarkup.c
+@@ -563,12 +563,14 @@ char_str (gunichar c,
+ * emitting it as hex escapes. */
+ static gchar*
+ utf8_str (const gchar *utf8,
++ gsize max_len,
+ gchar *buf)
+ {
+- gunichar c = g_utf8_get_char_validated (utf8, -1);
++ gunichar c = g_utf8_get_char_validated (utf8, max_len);
+ if (c == (gunichar) -1 || c == (gunichar) -2)
+ {
+- gchar *temp = g_strdup_printf ("\\x%02x", (guint)(guchar)*utf8);
++ guchar ch = (max_len > 0) ? (guchar) *utf8 : 0;
++ gchar *temp = g_strdup_printf ("\\x%02x", (guint) ch);
+ memset (buf, 0, 8);
+ memcpy (buf, temp, strlen (temp));
+ g_free (temp);
+@@ -1223,7 +1225,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
+ _("'%s' is not a valid character following "
+ "a '<' character; it may not begin an "
+ "element name"),
+- utf8_str (context->iter, buf));
++ utf8_str (context->iter,
++ context->current_text_end - context->iter, buf));
+ }
+ break;
+
+@@ -1264,7 +1267,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
+ G_MARKUP_ERROR_PARSE,
+ _("Odd character '%s', expected a '>' character "
+ "to end the empty-element tag '%s'"),
+- utf8_str (context->iter, buf),
++ utf8_str (context->iter,
++ context->current_text_end - context->iter, buf),
+ current_element (context));
+ }
+ break;
+@@ -1345,7 +1349,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
+ G_MARKUP_ERROR_PARSE,
+ _("Odd character '%s', expected a '=' after "
+ "attribute name '%s' of element '%s'"),
+- utf8_str (context->iter, buf),
++ utf8_str (context->iter,
++ context->current_text_end - context->iter, buf),
+ current_attribute (context),
+ current_element (context));
+
+@@ -1389,7 +1394,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
+ "element '%s', or optionally an attribute; "
+ "perhaps you used an invalid character in "
+ "an attribute name"),
+- utf8_str (context->iter, buf),
++ utf8_str (context->iter,
++ context->current_text_end - context->iter, buf),
+ current_element (context));
+ }
+
+@@ -1431,7 +1437,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
+ _("Odd character '%s', expected an open quote mark "
+ "after the equals sign when giving value for "
+ "attribute '%s' of element '%s'"),
+- utf8_str (context->iter, buf),
++ utf8_str (context->iter,
++ context->current_text_end - context->iter, buf),
+ current_attribute (context),
+ current_element (context));
+ }
+@@ -1564,8 +1571,10 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
+ _("'%s' is not a valid character following "
+ "the characters '</'; '%s' may not begin an "
+ "element name"),
+- utf8_str (context->iter, buf),
+- utf8_str (context->iter, buf));
++ utf8_str (context->iter,
++ context->current_text_end - context->iter, buf),
++ utf8_str (context->iter,
++ context->current_text_end - context->iter, buf));
+ }
+ break;
+
+@@ -1600,7 +1609,8 @@ g_markup_parse_context_parse (GMarkupParseContext *context,
+ _("'%s' is not a valid character following "
+ "the close element name '%s'; the allowed "
+ "character is '>'"),
+- utf8_str (context->iter, buf),
++ utf8_str (context->iter,
++ context->current_text_end - context->iter, buf),
+ close_name->str);
+ }
+ else if (context->tag_stack == NULL)
diff -Nru glib2.0-2.50.3/debian/patches/gmarkup-Fix-crash-in-error-handling-path-for-closing-elem.patch glib2.0-2.50.3/debian/patches/gmarkup-Fix-crash-in-error-handling-path-for-closing-elem.patch
--- glib2.0-2.50.3/debian/patches/gmarkup-Fix-crash-in-error-handling-path-for-closing-elem.patch 1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.50.3/debian/patches/gmarkup-Fix-crash-in-error-handling-path-for-closing-elem.patch 2019-08-13 10:46:20.000000000 +0100
@@ -0,0 +1,78 @@
+From: Philip Withnall <withnall@endlessm.com>
+Date: Mon, 30 Jul 2018 18:33:39 +0100
+Subject: gmarkup: Fix crash in error handling path for closing elements
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+If something which looks like a closing tag is left unfinished, but
+isn’t paired to an opening tag in the document, the error handling code
+would do a null pointer dereference. Avoid that, at the cost of
+introducing a new translatable error message.
+
+Includes a test case, courtesy of pdknsk.
+
+Signed-off-by: Philip Withnall <withnall@endlessm.com>
+
+Bug: https://gitlab.gnome.org/GNOME/glib/issues/1364
+Bug: https://gitlab.gnome.org/GNOME/glib/issues/1461
+Origin: backport, commit:fccef3cc822af74699cca84cd202719ae61ca3b9
+CVE: CVE-2018-16428
+---
+ glib/gmarkup.c | 11 ++++++++---
+ glib/tests/Makefile.am | 1 +
+ glib/tests/markups/fail-51.expected | 1 +
+ glib/tests/markups/fail-51.gmarkup | 1 +
+ 4 files changed, 11 insertions(+), 3 deletions(-)
+ create mode 100644 glib/tests/markups/fail-51.expected
+ create mode 100644 glib/tests/markups/fail-51.gmarkup
+
+diff --git a/glib/gmarkup.c b/glib/gmarkup.c
+index 0b8f521..f67b0c4 100644
+--- a/glib/gmarkup.c
++++ b/glib/gmarkup.c
+@@ -1855,9 +1855,14 @@ g_markup_parse_context_end_parse (GMarkupParseContext *context,
+ case STATE_AFTER_CLOSE_TAG_SLASH:
+ case STATE_INSIDE_CLOSE_TAG_NAME:
+ case STATE_AFTER_CLOSE_TAG_NAME:
+- set_error (context, error, G_MARKUP_ERROR_PARSE,
+- _("Document ended unexpectedly inside the close tag for "
+- "element '%s'"), current_element (context));
++ if (context->tag_stack != NULL)
++ set_error (context, error, G_MARKUP_ERROR_PARSE,
++ _("Document ended unexpectedly inside the close tag for "
++ "element '%s'"), current_element (context));
++ else
++ set_error (context, error, G_MARKUP_ERROR_PARSE,
++ _("Document ended unexpectedly inside the close tag for an "
++ "unopened element"));
+ break;
+
+ case STATE_INSIDE_PASSTHROUGH:
+diff --git a/glib/tests/Makefile.am b/glib/tests/Makefile.am
+index 6cdcc33..99e6f2d 100644
+--- a/glib/tests/Makefile.am
++++ b/glib/tests/Makefile.am
+@@ -155,6 +155,7 @@ markup_tests = \
+ fail-36 fail-37 fail-38 fail-39 fail-40 \
+ fail-41 fail-42 fail-43 fail-44 fail-45 \
+ fail-46 fail-47 fail-48 fail-49 fail-50 \
++ fail-51 \
+ valid-1 valid-2 valid-3 valid-4 valid-5 \
+ valid-6 valid-7 valid-8 valid-9 valid-10 \
+ valid-11 valid-12 valid-13 valid-14 valid-15 \
+diff --git a/glib/tests/markups/fail-51.expected b/glib/tests/markups/fail-51.expected
+new file mode 100644
+index 0000000..1c7e8d4
+--- /dev/null
++++ b/glib/tests/markups/fail-51.expected
+@@ -0,0 +1 @@
++ERROR Error on line 1 char 5: Document ended unexpectedly inside the close tag for an unopened element
+diff --git a/glib/tests/markups/fail-51.gmarkup b/glib/tests/markups/fail-51.gmarkup
+new file mode 100644
+index 0000000..860e1e6
+--- /dev/null
++++ b/glib/tests/markups/fail-51.gmarkup
+@@ -0,0 +1 @@
++</0<
+\ No newline at end of file
diff -Nru glib2.0-2.50.3/debian/patches/gmarkup-Fix-unvalidated-UTF-8-read-in-markup-parsing-erro.patch glib2.0-2.50.3/debian/patches/gmarkup-Fix-unvalidated-UTF-8-read-in-markup-parsing-erro.patch
--- glib2.0-2.50.3/debian/patches/gmarkup-Fix-unvalidated-UTF-8-read-in-markup-parsing-erro.patch 1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.50.3/debian/patches/gmarkup-Fix-unvalidated-UTF-8-read-in-markup-parsing-erro.patch 2019-08-13 10:46:20.000000000 +0100
@@ -0,0 +1,86 @@
+From: Philip Withnall <withnall@endlessm.com>
+Date: Mon, 30 Jul 2018 18:10:25 +0100
+Subject: gmarkup: Fix unvalidated UTF-8 read in markup parsing error paths
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+When formatting the error messages for markup parsing errors, the parser
+was unconditionally reading a UTF-8 character from the input buffer —
+but the buffer might end with a partial code sequence, resulting in
+reading off the end of the buffer by up to three bytes.
+
+Fix this and add a test case, courtesy of pdknsk.
+
+Signed-off-by: Philip Withnall <withnall@endlessm.com>
+
+Bug: https://gitlab.gnome.org/GNOME/glib/issues/1361
+Bug: https://gitlab.gnome.org/GNOME/glib/issues/1462
+Origin: backport, commit:cec71705406f0b2790422f0c1aa0ff3b4b464b1b
+CVE: CVE-2018-16429
+---
+ glib/gmarkup.c | 14 +++++++++++++-
+ glib/tests/Makefile.am | 2 +-
+ glib/tests/markups/fail-50.expected | 1 +
+ glib/tests/markups/fail-50.gmarkup | 1 +
+ 4 files changed, 16 insertions(+), 2 deletions(-)
+ create mode 100644 glib/tests/markups/fail-50.expected
+ create mode 100644 glib/tests/markups/fail-50.gmarkup
+
+diff --git a/glib/gmarkup.c b/glib/gmarkup.c
+index 7103d48..57199a5 100644
+--- a/glib/gmarkup.c
++++ b/glib/gmarkup.c
+@@ -558,11 +558,23 @@ char_str (gunichar c,
+ return buf;
+ }
+
++/* Format the next UTF-8 character as a gchar* for printing in error output
++ * when we encounter a syntax error. This correctly handles invalid UTF-8,
++ * emitting it as hex escapes. */
+ static gchar*
+ utf8_str (const gchar *utf8,
+ gchar *buf)
+ {
+- char_str (g_utf8_get_char (utf8), buf);
++ gunichar c = g_utf8_get_char_validated (utf8, -1);
++ if (c == (gunichar) -1 || c == (gunichar) -2)
++ {
++ gchar *temp = g_strdup_printf ("\\x%02x", (guint)(guchar)*utf8);
++ memset (buf, 0, 8);
++ memcpy (buf, temp, strlen (temp));
++ g_free (temp);
++ }
++ else
++ char_str (c, buf);
+ return buf;
+ }
+
+diff --git a/glib/tests/Makefile.am b/glib/tests/Makefile.am
+index a6bcef0..6cdcc33 100644
+--- a/glib/tests/Makefile.am
++++ b/glib/tests/Makefile.am
+@@ -154,7 +154,7 @@ markup_tests = \
+ fail-31 fail-32 fail-33 fail-34 fail-35 \
+ fail-36 fail-37 fail-38 fail-39 fail-40 \
+ fail-41 fail-42 fail-43 fail-44 fail-45 \
+- fail-46 fail-47 fail-48 fail-49 \
++ fail-46 fail-47 fail-48 fail-49 fail-50 \
+ valid-1 valid-2 valid-3 valid-4 valid-5 \
+ valid-6 valid-7 valid-8 valid-9 valid-10 \
+ valid-11 valid-12 valid-13 valid-14 valid-15 \
+diff --git a/glib/tests/markups/fail-50.expected b/glib/tests/markups/fail-50.expected
+new file mode 100644
+index 0000000..e0a11e7
+--- /dev/null
++++ b/glib/tests/markups/fail-50.expected
+@@ -0,0 +1 @@
++ERROR Error on line 1 char 5: Odd character '\xfc', expected an open quote mark after the equals sign when giving value for attribute 'r' of element ''
+diff --git a/glib/tests/markups/fail-50.gmarkup b/glib/tests/markups/fail-50.gmarkup
+new file mode 100644
+index 0000000..f110f15
+--- /dev/null
++++ b/glib/tests/markups/fail-50.gmarkup
+@@ -0,0 +1 @@
++< r=�o newline at end of file
diff -Nru glib2.0-2.50.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch glib2.0-2.50.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch
--- glib2.0-2.50.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch 1970-01-01 01:00:00.000000000 +0100
+++ glib2.0-2.50.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch 2019-08-13 10:46:20.000000000 +0100
@@ -0,0 +1,48 @@
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Tue, 22 Jan 2019 13:26:31 -0500
+Subject: keyfile settings: Use tighter permissions
+
+When creating directories, create them with 700 permissions,
+instead of 777.
+
+Bug: https://gitlab.gnome.org/GNOME/glib/issues/1658
+Origin: backport, 2.60.0, commit:5e4da714f00f6bfb2ccd6d73d61329c6f3a08429
+CVE: CVE-2019-13012
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931234
+---
+ gio/gkeyfilesettingsbackend.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index 8eb7681..b87ff96 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -89,7 +89,8 @@ g_keyfile_settings_backend_keyfile_write (GKeyfileSettingsBackend *kfsb)
+
+ contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
+ g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
+- G_FILE_CREATE_REPLACE_DESTINATION,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE,
+ NULL, NULL, NULL);
+
+ compute_checksum (kfsb->digest, contents, length);
+@@ -627,6 +628,7 @@ g_keyfile_settings_backend_new (const gchar *filename,
+ const gchar *root_group)
+ {
+ GKeyfileSettingsBackend *kfsb;
++ char *dir;
+
+ g_return_val_if_fail (filename != NULL, NULL);
+ g_return_val_if_fail (root_path != NULL, NULL);
+@@ -640,7 +642,9 @@ g_keyfile_settings_backend_new (const gchar *filename,
+
+ kfsb->file = g_file_new_for_path (filename);
+ kfsb->dir = g_file_get_parent (kfsb->file);
+- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
++ dir = g_file_get_path (kfsb->dir);
++ g_mkdir_with_parents (dir, 0700);
++ g_free (dir);
+
+ kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
+ kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
diff -Nru glib2.0-2.50.3/debian/patches/series glib2.0-2.50.3/debian/patches/series
--- glib2.0-2.50.3/debian/patches/series 2017-03-19 23:06:44.000000000 +0000
+++ glib2.0-2.50.3/debian/patches/series 2019-08-13 10:46:20.000000000 +0100
@@ -13,3 +13,8 @@
skip-broken-timer-test.patch
0001-Fix-trashing-on-overlayfs.patch
tests-gdatetime-Use-a-real-rather-than-invented-time.patch
+gfile-Limit-access-to-files-when-copying.patch
+keyfile-settings-Use-tighter-permissions.patch
+gmarkup-Fix-unvalidated-UTF-8-read-in-markup-parsing-erro.patch
+gmarkup-Avoid-reading-off-the-end-of-a-buffer-when-non-nu.patch
+gmarkup-Fix-crash-in-error-handling-path-for-closing-elem.patch
Reply to: