Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Tags: d-i
X-Debbugs-Cc: debian-b...@lists.debian.org
Please unblock package glib2.0 to fix CVE-2019-12450.

glib2.0 builds a udeb (for the graphical installer) so this will need a d-i ack.

unblock glib2.0/2.58.3-2
unblock-udeb glib2.0/2.58.3-2

Thanks,
smcv
diffstat for glib2.0-2.58.3 glib2.0-2.58.3 changelog | 14 ++++ patches/gfile-Limit-access-to-files-when-copying.patch | 54 +++++++++++++++++ patches/series | 1 watch | 2 4 files changed, 69 insertions(+), 2 deletions(-) diff -Nru glib2.0-2.58.3/debian/changelog glib2.0-2.58.3/debian/changelog --- glib2.0-2.58.3/debian/changelog 2019-02-07 08:28:56.000000000 +0000 +++ glib2.0-2.58.3/debian/changelog 2019-06-03 22:37:45.000000000 +0100 @@ -1,3 +1,15 @@ +glib2.0 (2.58.3-2) unstable; urgency=medium + + * Team upload + * d/p/gfile-Limit-access-to-files-when-copying.patch: + Backport patch from upstream to ensure files don't temporarily have + less restrictive permissions during copying + (Closes: #929753, CVE-2019-12450) + * d/watch: Only watch for 2.58.x releases now that 2.60.x is out + * Add cross-reference to #919777 in previous changelog entry + + -- Simon McVittie <s...@debian.org> Mon, 03 Jun 2019 22:37:45 +0100 + glib2.0 (2.58.3-1) unstable; urgency=medium * Team upload @@ -7,7 +19,7 @@ [ Simon McVittie ] * New upstream release - - Fix crashes related to the GUnixMount API + - Fix crashes related to the GUnixMount API (Closes: #919777) - Make G_DEFINE_INTERFACE compatible with g++ -Wint-in-bool-context - Drop patches that were applied upstream * d/p/gdbusmessage-Fix-check-on-upper-limit-of-message-size.patch: diff -Nru glib2.0-2.58.3/debian/patches/gfile-Limit-access-to-files-when-copying.patch glib2.0-2.58.3/debian/patches/gfile-Limit-access-to-files-when-copying.patch --- glib2.0-2.58.3/debian/patches/gfile-Limit-access-to-files-when-copying.patch 1970-01-01 01:00:00.000000000 +0100 +++ glib2.0-2.58.3/debian/patches/gfile-Limit-access-to-files-when-copying.patch 2019-06-03 22:37:45.000000000 +0100 
@@ -0,0 +1,54 @@ +From: Ondrej Holy <oh...@redhat.com> +Date: Thu, 23 May 2019 10:41:53 +0200 +Subject: gfile: Limit access to files when copying + +file_copy_fallback creates new files with default permissions and +set the correct permissions after the operation is finished. This +might cause that the files can be accessible by more users during +the operation than expected. Use G_FILE_CREATE_PRIVATE for the new +files to limit access to those files. + +Bug: https://gitlab.gnome.org/GNOME/glib/merge_requests/876 +Bug-CVE: CVE-2019-12450 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929753 +Origin: upstream, 2.61.1, commit:d8f8f4d637ce43f8699ba94c9b7648beda0ca174 +--- + gio/gfile.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/gio/gfile.c b/gio/gfile.c +index a5709a4..e017ee1 100644 +--- a/gio/gfile.c ++++ b/gio/gfile.c +@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source, + out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)), + FALSE, NULL, + flags & G_FILE_COPY_BACKUP, +- G_FILE_CREATE_REPLACE_DESTINATION, +- info, ++ G_FILE_CREATE_REPLACE_DESTINATION | ++ G_FILE_CREATE_PRIVATE, info, + cancellable, error); + else + out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)), +- FALSE, 0, info, ++ FALSE, G_FILE_CREATE_PRIVATE, info, + cancellable, error); + } + else if (flags & G_FILE_COPY_OVERWRITE) +@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source, + out = (GOutputStream *)g_file_replace (destination, + NULL, + flags & G_FILE_COPY_BACKUP, +- G_FILE_CREATE_REPLACE_DESTINATION, ++ G_FILE_CREATE_REPLACE_DESTINATION | ++ G_FILE_CREATE_PRIVATE, + cancellable, error); + } + else + { +- out = (GOutputStream *)g_file_create (destination, 0, cancellable, error); ++ out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error); + } + + if (!out) diff -Nru 
glib2.0-2.58.3/debian/patches/series glib2.0-2.58.3/debian/patches/series --- glib2.0-2.58.3/debian/patches/series 2019-02-07 08:28:56.000000000 +0000 +++ glib2.0-2.58.3/debian/patches/series 2019-06-03 22:37:45.000000000 +0100 @@ -1,6 +1,7 @@ gdbusmessage-Fix-check-on-upper-limit-of-message-size.patch mainloop-test-Fix-race-conditions.patch closures-test-Avoid-timeout-on-ARM64-CPUs.patch +gfile-Limit-access-to-files-when-copying.patch 01_gettext-desktopfiles.patch 81-skip-monitor-test-on-non-linux.patch 0001-timer-test-use-volatile-for-locals.patch diff -Nru glib2.0-2.58.3/debian/watch glib2.0-2.58.3/debian/watch --- glib2.0-2.58.3/debian/watch 2019-02-07 08:28:56.000000000 +0000 +++ glib2.0-2.58.3/debian/watch 2019-06-03 22:37:45.000000000 +0100 @@ -1,3 +1,3 @@ version=4 -https://download.gnome.org/sources/glib/([\d\.]+[02468])/ \ +https://download.gnome.org/sources/glib/(2\.58)/ \ glib@ANY_VERSION@\.tar\.xz
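Review bot: the second debian/changelog hunk (`@@ -7,7 +19,7 @@`) adds `(Closes: #919777)` to the already-uploaded 2.58.3-1 entry; dpkg-genchanges only collects Closes from entries newer than the version already in the archive, so this upload will not close #919777 automatically unless it is built with `-v` pointing at a version older than 2.58.3-1. If that bug is still open, either close it by hand or repeat the reference in the 2.58.3-2 entry; as a documentation-only cross-reference the change is otherwise fine.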
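Review bot: in the two gio/gfile.c hunks of gfile-Limit-access-to-files-when-copying.patch, all four creation paths visible in file_copy_fallback (`_g_local_file_output_stream_replace`, `_g_local_file_output_stream_create`, `g_file_replace` and `g_file_create`) now pass `G_FILE_CREATE_PRIVATE`, so the destination starts out owner-only instead of with the umask-derived default mode while the copy is in progress, and a cancelled or failed copy leaves a private partial file rather than a world-readable one. The flag only governs the initial mode, so the fix depends on the existing step that applies the source's permissions after the copy (the one the patch description mentions) still running unchanged. The Origin line names 2.61.1 while this is applied to 2.58.3, so check at build time that both hunks apply without fuzz against the 2.58.3 gfile.c.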
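Review bot: the debian/watch hunk replaces the generic even-minor-series match `([\d\.]+[02468])` with the literal `(2\.58)`, which matches the changelog rationale; the capture group is still needed because the tarball directory is built from it, and `@ANY_VERSION@` continues to match the full version in the filename. Note that uscan will no longer report a newer stable series at all, so this line has to be widened again when the package moves past 2.58.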