Your message dated Wed, 21 Aug 2019 17:47:08 +0000
with message-id <[email protected]>
and subject line Bug#931234: fixed in glib2.0 2.58.3-2+deb10u1
has caused the Debian Bug report #931234,
regarding glib2.0: CVE-2019-13012: keyfile settings backend: Consider tightening permissions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
931234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931234
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glib2.0
Version: 2.58.3-2
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib/issues/1658
Hi,
The following vulnerability was published for glib2.0.
CVE-2019-13012[0]:
| The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.59.1
| creates directories using g_file_make_directory_with_parents
| (kfsb->dir, NULL, NULL) and files using g_file_replace_contents
| (kfsb->file, contents, length, NULL, FALSE,
| G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it
| does not properly restrict directory (and file) permissions. Instead,
| for directories, 0777 permissions are used; for files, default file
| permissions are used. This is similar to CVE-2019-12450.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-13012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13012
[1] https://gitlab.gnome.org/GNOME/glib/issues/1658
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
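The CVE text above describes the pre-fix pattern: directories created through g_file_make_directory_with_parents with 0777 and files written with default permissions. As an added example, not code from GLib or the Debian package, the following plain POSIX C shows the loose directory creation beside a writer that uses the tightened modes the backported fix aims for (owner-only directory, 0600 file, atomic rename), plus an audit check a defender can run over a settings tree; the /tmp path, file name, contents and umask are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-fix pattern from the CVE text: directory requested with 0777, so its
 * mode is whatever the umask leaves (typically 0755: world-readable). */
static int make_dir_loose(const char *dir) {
    return (mkdir(dir, 0777) == 0 || errno == EEXIST) ? 0 : -1;
}

/* Hardened writer: owner-only directory (tightened if it already exists), file
 * created O_EXCL with 0600 under a temp name, then renamed into place. */
static int write_private_config(const char *dir, const char *path,
                                const char *contents) {
    char tmp[4096];
    size_t len = strlen(contents);
    if (mkdir(dir, 0700) != 0 && (errno != EEXIST || chmod(dir, 0700) != 0))
        return -1;
    if (snprintf(tmp, sizeof tmp, "%s.tmp%ld", path, (long)getpid()) >= (int)sizeof tmp)
        return -1;
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, contents, len) != (ssize_t)len || close(fd) != 0 ||
        rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Audit check for a settings tree: 1 if path has no group/other bits. */
static int is_owner_only(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Runs both variants under a constructed /tmp path and cleans up. Returns 1 when
 * the loose dir is group/other-accessible but the hardened results are owner-only. */
static int demo_compare(void) {
    char dir[64], file[96];
    snprintf(dir, sizeof dir, "/tmp/kfsb_demo_%ld", (long)getpid());
    snprintf(file, sizeof file, "%s/settings.ini", dir);
    umask(022);  /* assume the common default umask */
    int ok = make_dir_loose(dir) == 0 && !is_owner_only(dir);
    ok = ok && write_private_config(dir, file, "[demo]\nkey=true\n") == 0;
    ok = ok && is_owner_only(dir) && is_owner_only(file);
    unlink(file); rmdir(dir);
    return ok;
}
```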
--- Begin Message ---
Source: glib2.0
Source-Version: 2.58.3-2+deb10u1
We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated glib2.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 30 Jul 2019 10:41:51 +0100
Source: glib2.0
Architecture: source
Version: 2.58.3-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 931234
Changes:
glib2.0 (2.58.3-2+deb10u1) buster; urgency=medium
.
* Team upload
* d/p/keyfile-settings-Use-tighter-permissions.patch:
Backport patch from upstream 2.60.0 so that the GKeyFile settings
backend creates ~/.config and configuration files with restrictive
permissions (Closes: #931234, CVE-2019-13012)
* d/gbp.conf: Swap branch to debian/buster
--- End Message ---