Debian Bug report logs -
#931234
glib2.0: CVE-2019-13012: keyfile settings backend: Consider tightening permissions
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
:
Bug#931234
; Package src:glib2.0
.
(Fri, 28 Jun 2019 17:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
.
(Fri, 28 Jun 2019 17:45:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: glib2.0
Version: 2.58.3-2
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib/issues/1658
Hi,
The following vulnerability was published for glib2.0.
CVE-2019-13012[0]:
| The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.59.1
| creates directories using g_file_make_directory_with_parents
| (kfsb->dir, NULL, NULL) and files using g_file_replace_contents
| (kfsb->file, contents, length, NULL, FALSE,
| G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it
| does not properly restrict directory (and file) permissions. Instead,
| for directories, 0777 permissions are used; for files, default file
| permissions are used. This is similar to CVE-2019-12450.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-13012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13012
[1] https://gitlab.gnome.org/GNOME/glib/issues/1658
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as fixed in versions glib2.0/2.60.0-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 28 Jun 2019 17:51:02 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Jun 29 11:20:58 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.