Your message dated Sat, 27 Jul 2019 11:37:48 +0100
with message-id <[email protected]>
and subject line Re: Bug#931234: glib2.0: CVE-2019-13012: keyfile settings 
backend: Consider tightening permissions
has caused the Debian Bug report #931234,
regarding glib2.0: CVE-2019-13012: keyfile settings backend: Consider 
tightening permissions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
931234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931234
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glib2.0
Version: 2.58.3-2
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib/issues/1658

Hi,

The following vulnerability was published for glib2.0.

CVE-2019-13012[0]:
| The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.59.1
| creates directories using g_file_make_directory_with_parents
| (kfsb->dir, NULL, NULL) and files using g_file_replace_contents
| (kfsb->file, contents, length, NULL, FALSE,
| G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it
| does not properly restrict directory (and file) permissions. Instead,
| for directories, 0777 permissions are used; for files, default file
| permissions are used. This is similar to CVE-2019-12450.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13012
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13012
[1] https://gitlab.gnome.org/GNOME/glib/issues/1658

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Version: 2.60.0-1

On Fri, 28 Jun 2019 at 19:41:46 +0200, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed.

This was already fixed in unstable. I'm fixing the FTBFS now so that the
fixed version can migrate to testing.

Mitigations:

* The keyfile settings backend was added in 2.25.x, but would not
  be automatically used via the GSettings extension point until 2.59.1,
  so it would only be used by apps that explicitly use it. There are a few
  such apps but they are a minority:
  https://codesearch.debian.net/search?q=g_keyfile_settings_backend_new&perpkg=1
  Tracker is probably the most interesting/dangerous/widely installed.

* If some other software, such as dconf, has already created the
  freedesktop.org per-user configuration directory ($XDG_CONFIG_HOME or
  ~/.config), then it will usually have the 0700 permissions required
  by the freedesktop.org Base Directory spec, preventing other users
  from accessing the settings.

* I think the umask is respected, so the vulnerability report says 0777
  but in practice the permissions will usually be 0755 or 0750.

Security team: for stable, bearing those mitigations in mind, do you
want to do a DSA or is this point-release material?

> The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.59.1
> [has this vulnerability]

FYI, this is misleading: 2.59.1, 2.59.2 and 2.59.3 appear to have been
vulnerable too, and 2.60.0 was the first fixed upstream version (but
nobody should use 2.59.x without planning to upgrade to 2.60.0 anyway,
because GNOME has an odd/even unstable/stable branching model).

    smcv

--- End Message ---
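Added example (not code from the bug report, the reply, or GLib itself): plain POSIX calls stand in for g_file_make_directory_with_parents and g_file_replace_contents to reproduce the permission pattern the advisory describes, next to the tightened 0700/0600 equivalent, and the resulting modes are recorded under a fixed 022 umask to show the 0755-in-practice point made above. The scratch directory under /tmp and the sample keyfile contents are constructed for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: 0777 requested, only the umask narrows it (022 gives 0755). */
static int make_dir_vulnerable(const char *path) {
    return (mkdir(path, 0777) == 0 || errno == EEXIST) ? 0 : -1;
}

/* Tightened equivalent: 0700 requested and chmod afterwards, so the result
 * depends neither on the umask nor on a directory that already existed. */
static int make_dir_private(const char *path) {
    if (mkdir(path, 0700) != 0 && errno != EEXIST) return -1;
    return chmod(path, 0700);
}

/* Settings file created with an explicit 0600 instead of the default mode. */
static int write_file_private(const char *path, const char *contents) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int rc = write(fd, contents, strlen(contents)) < 0 ? -1 : chmod(path, 0600);
    close(fd);
    return rc;
}

/* Permission bits (e.g. 0755) or -1; (bits & 077) != 0 means other users have access. */
static int perm_bits(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Run both variants under a fixed 022 umask in a constructed scratch directory. */
static int demo(int *vuln_dir, int *fixed_dir, int *fixed_file) {
    char root[48], a[64], b[64], f[80];
    snprintf(root, sizeof root, "/tmp/kfsb-demo-%ld", (long)getpid());
    if (make_dir_private(root) != 0) return -1;
    snprintf(a, sizeof a, "%s/vuln", root);
    snprintf(b, sizeof b, "%s/fixed", root);
    snprintf(f, sizeof f, "%s/keyfile", b);
    mode_t old = umask(022);
    int rc = make_dir_vulnerable(a) | make_dir_private(b) |
             write_file_private(f, "[group]\nkey=1\n");   /* constructed sample */
    umask(old);
    *vuln_dir = perm_bits(a); *fixed_dir = perm_bits(b); *fixed_file = perm_bits(f);
    return rc;
}
```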
