glib2.0: CVE-2019-12450


Debian Bug report logs - #929753


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 30 May 2019 13:33:02 UTC

Severity: grave

Tags: security, upstream

Found in versions glib2.0/2.50.3-2, glib2.0/2.58.3-1

Fixed in versions glib2.0/2.58.3-2, glib2.0/2.60.3-2

Done: Simon McVittie <smcv@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#929753; Package src:glib2.0. (Thu, 30 May 2019 13:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 30 May 2019 13:33:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: glib2.0: CVE-2019-12450
Date: Thu, 30 May 2019 15:32:14 +0200
Package: glib2.0
Source: glib2.0
Version: 2.58.3-1
Severity: important
Tags: security upstream
Control: found -1 2.50.3-2

Hi,

The following vulnerability was published for glib2.0.

CVE-2019-12450[0]:
| file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1
| does not properly restrict file permissions while a copy operation is
| in progress. Instead, default permissions are used.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12450
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450
[1] https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174

Regards,
Salvatore
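The permission window described in the CVE text above, shown as an added C example that is not part of this bug log or of GLib's gio/gfile.c: the vulnerable copy creates the destination with default umask-derived permissions and tightens them only after the data has been written, while the hardened variant creates it owner-only and applies the intended mode at the end. The function names and the /tmp paths are assumptions of the example.

```c
/* Added illustration of CVE-2019-12450 (not GLib's code): a copy destination
 * created with default umask permissions and tightened only after the data is
 * written is readable mid-copy; the hardened variant creates it 0600 first. */
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
/* Permissions a concurrent reader sees on path right now. */
static mode_t current_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 0777) : (mode_t)-1;
}

/* Copy src to dst. hardened == 0: create dst 0666 & ~umask (vulnerable);
 * hardened == 1: create dst 0600 and widen to the source mode once written.
 * Returns the mode dst carried while the copy was still in progress. */
static mode_t copy_file(const char *src, const char *dst, int hardened)
{
    struct stat src_st;
    char buf[4096];
    ssize_t n;
    int in = open(src, O_RDONLY);
    if (in < 0 || fstat(in, &src_st) != 0)
        return (mode_t)-1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, hardened ? 0600 : 0666);
    if (out < 0) { close(in); return (mode_t)-1; }
    mode_t observed = current_mode(dst);       /* snapshot during the copy */
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { observed = (mode_t)-1; break; }
    fchmod(out, src_st.st_mode & 0777);        /* final mode, both variants */
    close(in); close(out);
    return observed;
}

/* Constructed scenario: a 0600 source file copied under umask 022. Returns
 * the mode seen mid-copy: 0644 for the vulnerable copy, 0600 for hardened. */
static mode_t demo(int hardened)
{
    const char *src = "/tmp/cve-2019-12450-src.tmp";
    const char *dst = "/tmp/cve-2019-12450-dst.tmp";
    umask(022);
    unlink(dst);                               /* O_CREAT keeps an old mode */
    int fd = open(src, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "private\n", 8) != 8) return (mode_t)-1;
    close(fd);
    mode_t observed = copy_file(src, dst, hardened);
    unlink(src); unlink(dst);
    return observed;
}
```

Under umask 022 the vulnerable copy leaves the destination world-readable (0644) until the final fchmod, while the hardened copy never exposes it beyond 0600.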



Marked as found in versions glib2.0/2.50.3-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 30 May 2019 13:33:04 GMT) (full text, mbox, link).


Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 03 Jun 2019 20:36:03 GMT) (full text, mbox, link).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 04 Jun 2019 09:06:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 04 Jun 2019 09:06:06 GMT) (full text, mbox, link).


Message #14 received at 929753-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 929753-close@bugs.debian.org
Subject: Bug#929753: fixed in glib2.0 2.58.3-2
Date: Tue, 04 Jun 2019 09:03:33 +0000
Source: glib2.0
Source-Version: 2.58.3-2

We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929753@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated glib2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 03 Jun 2019 22:37:45 +0100
Source: glib2.0
Architecture: source
Version: 2.58.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 929753
Changes:
 glib2.0 (2.58.3-2) unstable; urgency=medium
 .
   * Team upload
   * d/p/gfile-Limit-access-to-files-when-copying.patch:
     Backport patch from upstream to ensure files don't temporarily have
     less restrictive permissions during copying
     (Closes: #929753, CVE-2019-12450)
   * d/watch: Only watch for 2.58.x releases now that 2.60.x is out
   * Add cross-reference to #919777 in previous changelog entry





Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 04 Jun 2019 15:36:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 04 Jun 2019 15:36:03 GMT) (full text, mbox, link).


Message #19 received at 929753-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 929753-close@bugs.debian.org
Subject: Bug#929753: fixed in glib2.0 2.60.3-2
Date: Tue, 04 Jun 2019 15:33:33 +0000
Source: glib2.0
Source-Version: 2.60.3-2

We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929753@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated glib2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 04 Jun 2019 11:03:28 +0100
Source: glib2.0
Architecture: source
Version: 2.60.3-2
Distribution: experimental
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 929753
Changes:
 glib2.0 (2.60.3-2) experimental; urgency=medium
 .
   * Team upload
   * d/p/gfile-Limit-access-to-files-when-copying.patch:
     Backport patch from upstream to ensure files don't temporarily have
     less restrictive permissions during copying
     (Closes: #929753, CVE-2019-12450)
   * Drop d/p/debian/04_homedir_env.patch:
     Remove legacy support for Debian-specific G_HOME environment variable.
     GLib has respected the HOME environment variable in the conventional
     way since wheezy. Only two packages (pygtk and ruby-graphviz) still
     set G_HOME without also setting HOME.
   * Drop d/p/debian/90_gio-modules-multiarch-compat.patch:
     Remove legacy support for loading modules from /usr/lib/gio/modules.
     All the known packages containing GIO modules (dconf, glib-networking
     and gvfs) migrated to /usr/lib/${DEB_HOST_MULTIARCH}/gio/modules
     before wheezy.
   * Register documentation in doc-base via symlinks in /usr/share/doc.
     The doc-base specification requires this, presumably for the benefit
     of tools that export /usr/share/doc via HTTP (see #925200), and
     Lintian 2.12 added a warning for not doing so.







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:37:46 2019; Machine Name: beach
