Re: [SECURITY] [DLA 1826-1] glib2.0 security update
Hi, On Mi 26 Jun 2019 14:55:46 CEST, Sylvain Beucler wrote: Hi Mike, On Mon, Jun 24, 2019 at 08:28:11AM +, Mike Gabriel wrote: On Di 18 Jun 2019 22:47:44 CEST, Sylvain Beucler wrote: > Package: glib2.0 > Version: 2.42.1-1+deb8u1 > CVE ID : CVE-2019-12450 > Debian Bug : 929753 > > It was discovered that GLib does not properly restrict some file > permissions while a copy operation is in progress; instead, default > permissions are used. > > For Debian 8 "Jessie", this problem has been fixed in version > 2.42.1-1+deb8u1. > > We recommend that you upgrade your glib2.0 packages. > > Further information about Debian LTS security advisories, how to apply > these updates to your system and frequently asked questions can be > found at: https://wiki.debian.org/LTS I wonder, if it would be good to have this upstream patch backported to jessie's glib2.0, too, to have the file permission stuff complete: ``` From 5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 Mon Sep 17 00:00:00 2001 From: Matthias Clasen Date: Tue, 22 Jan 2019 13:26:31 -0500 Subject: [PATCH] keyfile settings: Use tighter permissions When creating directories, create them with 700 permissions, instead of 777. Closes: #1658 --- gio/gkeyfilesettingsbackend.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/gio/gkeyfilesettingsbackend.c +++ b/gio/gkeyfilesettingsbackend.c @@ -89,7 +89,8 @@ contents = g_key_file_to_data (kfsb->keyfile, , NULL); g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, - G_FILE_CREATE_REPLACE_DESTINATION, + G_FILE_CREATE_REPLACE_DESTINATION | + G_FILE_CREATE_PRIVATE, NULL, NULL, NULL); compute_checksum (kfsb->digest, contents, length); @@ -640,7 +641,7 @@ kfsb->file = g_file_new_for_path (filename); kfsb->dir = g_file_get_parent (kfsb->file); - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL); + g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700); kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL); kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL); ``` The patch was not explicitly mentioned in the CVE, but I stumbled over it when fixing glib2.0 for wheezy ELTS last month. (Unfortunately, the g_mkdir_with_parents() symbol is not in jessie, for wheezy I skipped the safe directory creation part). This looks like another vulnerability, not related to copying files from a non-unix VFS, but to the creation of key/value files and their directory (mitigated by umask and the strict permissions of e.g. ~/.config). Do you know if this has a CVE? Maybe we can ask pkg-gnome-maintainers's point? (I didn't see this applied in other distros but I may have missed it.) Feel free to take over btw, I won't be much available until next week :) I just requested a CVE for this from Mitre. Request ist now waiting for review on their side... Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgp7cZfK91hbu.pgp Description: Digitale PGP-Signatur
Re: [SECURITY] [DLA 1826-1] glib2.0 security update
Hi, On Mi 26 Jun 2019 14:55:46 CEST, Sylvain Beucler wrote: Hi Mike, On Mon, Jun 24, 2019 at 08:28:11AM +, Mike Gabriel wrote: On Di 18 Jun 2019 22:47:44 CEST, Sylvain Beucler wrote: > Package: glib2.0 > Version: 2.42.1-1+deb8u1 > CVE ID : CVE-2019-12450 > Debian Bug : 929753 > > It was discovered that GLib does not properly restrict some file > permissions while a copy operation is in progress; instead, default > permissions are used. > > For Debian 8 "Jessie", this problem has been fixed in version > 2.42.1-1+deb8u1. > > We recommend that you upgrade your glib2.0 packages. > > Further information about Debian LTS security advisories, how to apply > these updates to your system and frequently asked questions can be > found at: https://wiki.debian.org/LTS I wonder, if it would be good to have this upstream patch backported to jessie's glib2.0, too, to have the file permission stuff complete: ``` From 5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 Mon Sep 17 00:00:00 2001 From: Matthias Clasen Date: Tue, 22 Jan 2019 13:26:31 -0500 Subject: [PATCH] keyfile settings: Use tighter permissions When creating directories, create them with 700 permissions, instead of 777. Closes: #1658 --- gio/gkeyfilesettingsbackend.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/gio/gkeyfilesettingsbackend.c +++ b/gio/gkeyfilesettingsbackend.c @@ -89,7 +89,8 @@ contents = g_key_file_to_data (kfsb->keyfile, , NULL); g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, - G_FILE_CREATE_REPLACE_DESTINATION, + G_FILE_CREATE_REPLACE_DESTINATION | + G_FILE_CREATE_PRIVATE, NULL, NULL, NULL); compute_checksum (kfsb->digest, contents, length); @@ -640,7 +641,7 @@ kfsb->file = g_file_new_for_path (filename); kfsb->dir = g_file_get_parent (kfsb->file); - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL); + g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700); kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL); kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL); ``` The patch was not explicitly mentioned in the CVE, but I stumbled over it when fixing glib2.0 for wheezy ELTS last month. (Unfortunately, the g_mkdir_with_parents() symbol is not in jessie, for wheezy I skipped the safe directory creation part). This looks like another vulnerability, not related to copying files from a non-unix VFS, but to the creation of key/value files and their directory (mitigated by umask and the strict permissions of e.g. ~/.config). Yes, exactly. Do you know if this has a CVE? AFAIK, it does not have one. Maybe we can ask pkg-gnome-maintainers's point? (I didn't see this applied in other distros but I may have missed it.) I'll ping people. OK. Feel free to take over btw, I won't be much available until next week :) Ok. Will do. Thanks+Greets. Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgp98GLA6PYQo.pgp Description: Digitale PGP-Signatur
Re: [SECURITY] [DLA 1826-1] glib2.0 security update
Hi Mike, On Mon, Jun 24, 2019 at 08:28:11AM +, Mike Gabriel wrote: > On Di 18 Jun 2019 22:47:44 CEST, Sylvain Beucler wrote: > > > Package: glib2.0 > > Version: 2.42.1-1+deb8u1 > > CVE ID : CVE-2019-12450 > > Debian Bug : 929753 > > > > It was discovered that GLib does not properly restrict some file > > permissions while a copy operation is in progress; instead, default > > permissions are used. > > > > For Debian 8 "Jessie", this problem has been fixed in version > > 2.42.1-1+deb8u1. > > > > We recommend that you upgrade your glib2.0 packages. > > > > Further information about Debian LTS security advisories, how to apply > > these updates to your system and frequently asked questions can be > > found at: https://wiki.debian.org/LTS > > I wonder, if it would be good to have this upstream patch backported to > jessie's glib2.0, too, to have the file permission stuff complete: > > ``` > From 5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 Mon Sep 17 00:00:00 2001 > From: Matthias Clasen > Date: Tue, 22 Jan 2019 13:26:31 -0500 > Subject: [PATCH] keyfile settings: Use tighter permissions > > When creating directories, create them with 700 permissions, > instead of 777. > > Closes: #1658 > --- > gio/gkeyfilesettingsbackend.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > --- a/gio/gkeyfilesettingsbackend.c > +++ b/gio/gkeyfilesettingsbackend.c > @@ -89,7 +89,8 @@ > >contents = g_key_file_to_data (kfsb->keyfile, , NULL); >g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, > - G_FILE_CREATE_REPLACE_DESTINATION, > + G_FILE_CREATE_REPLACE_DESTINATION | > + G_FILE_CREATE_PRIVATE, > NULL, NULL, NULL); > >compute_checksum (kfsb->digest, contents, length); > @@ -640,7 +641,7 @@ > >kfsb->file = g_file_new_for_path (filename); >kfsb->dir = g_file_get_parent (kfsb->file); > - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL); > + g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700); > >kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL); >kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL); > > ``` > > The patch was not explicitly mentioned in the CVE, but I stumbled over it > when fixing glib2.0 for wheezy ELTS last month. (Unfortunately, the > g_mkdir_with_parents() symbol is not in jessie, for wheezy I skipped the > safe directory creation part). This looks like another vulnerability, not related to copying files from a non-unix VFS, but to the creation of key/value files and their directory (mitigated by umask and the strict permissions of e.g. ~/.config). Do you know if this has a CVE? Maybe we can ask pkg-gnome-maintainers's point? (I didn't see this applied in other distros but I may have missed it.) Feel free to take over btw, I won't be much available until next week :) Cheers! Sylvain
Re: [SECURITY] [DLA 1826-1] glib2.0 security update
Hi Sylvain, On Di 18 Jun 2019 22:47:44 CEST, Sylvain Beucler wrote: Package: glib2.0 Version: 2.42.1-1+deb8u1 CVE ID : CVE-2019-12450 Debian Bug : 929753 It was discovered that GLib does not properly restrict some file permissions while a copy operation is in progress; instead, default permissions are used. For Debian 8 "Jessie", this problem has been fixed in version 2.42.1-1+deb8u1. We recommend that you upgrade your glib2.0 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS I wonder, if it would be good to have this upstream patch backported to jessie's glib2.0, too, to have the file permission stuff complete: ``` From 5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 Mon Sep 17 00:00:00 2001 From: Matthias Clasen Date: Tue, 22 Jan 2019 13:26:31 -0500 Subject: [PATCH] keyfile settings: Use tighter permissions When creating directories, create them with 700 permissions, instead of 777. Closes: #1658 --- gio/gkeyfilesettingsbackend.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/gio/gkeyfilesettingsbackend.c +++ b/gio/gkeyfilesettingsbackend.c @@ -89,7 +89,8 @@ contents = g_key_file_to_data (kfsb->keyfile, , NULL); g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, - G_FILE_CREATE_REPLACE_DESTINATION, + G_FILE_CREATE_REPLACE_DESTINATION | + G_FILE_CREATE_PRIVATE, NULL, NULL, NULL); compute_checksum (kfsb->digest, contents, length); @@ -640,7 +641,7 @@ kfsb->file = g_file_new_for_path (filename); kfsb->dir = g_file_get_parent (kfsb->file); - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL); + g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700); kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL); kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL); ``` The patch was not explicitly mentioned in the CVE, but I stumbled over it when fixing glib2.0 for wheezy ELTS last month. (Unfortunately, the g_mkdir_with_parents() symbol is not in jessie, for wheezy I skipped the safe directory creation part). Greets, Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgpFJqBvFmc6X.pgp Description: Digitale PGP-Signatur
[SECURITY] [DLA 1826-1] glib2.0 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: glib2.0 Version: 2.42.1-1+deb8u1 CVE ID : CVE-2019-12450 Debian Bug : 929753 It was discovered that GLib does not properly restrict some file permissions while a copy operation is in progress; instead, default permissions are used. For Debian 8 "Jessie", this problem has been fixed in version 2.42.1-1+deb8u1. We recommend that you upgrade your glib2.0 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl0JRsYACgkQj/HLbo2J BZ9LeAgAqF07CippbX9GzuX119Jh/48Y0oO8rLX2FgmM34FOVtSVEGnDUUXdM4SH 6gD1PBr39CTR2JPzmn/cKWWe0jhBUHrEuFWQDaZ/xWki3lkzg7RDZs809C2toTFe l1+KN80MoXOgMcFhY3Ok/AFpgDTYFjr6EJ5xX3BpouEhF7ZwWMtlY2K4lGxTArhu Dt1RVh0U6JlFu1P+ILZMJIkcBC5IYuk07CyITf1y66OTYxtxE3EqQX3irQ9Ld8rv M3Ce6F1JLcfIxNsM1chzCOkN6UYFlDJH9Tp7wL8Z0BBUev+wiu2b6fpw85WD3QlR RTJYT2miOZIMpfZOEgxxNtgfSOn2KQ== =28uP -END PGP SIGNATURE-
