Source: glib2.0
Version: 2.58.3-2
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib/issues/1658

Hi,

The following vulnerability was published for glib2.0.

CVE-2019-13012[0]:
| The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.59.1
| creates directories using g_file_make_directory_with_parents
| (kfsb->dir, NULL, NULL) and files using g_file_replace_contents
| (kfsb->file, contents, length, NULL, FALSE,
| G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it
| does not properly restrict directory (and file) permissions. Instead,
| for directories, 0777 permissions are used; for files, default file
| permissions are used. This is similar to CVE-2019-12450.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13012
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13012
[1] https://gitlab.gnome.org/GNOME/glib/issues/1658

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
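
An added example, not part of the original report and not GLib code: it shows why a directory requested with mode 0777 (the value the CVE text names) ends up only as restricted as the process umask, while an explicitly tight request stays private under any umask. Plain POSIX mkdir() stands in for the GLib call, and the 0700 mode, the scratch path and the function names are assumptions made for illustration.

```c
/* Added example: POSIX mkdir() stands in for the GLib directory creation call. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create directory "d" in a fresh scratch dir with `requested` mode while
 * `process_umask` is in effect; return its permission bits, or -1 on error. */
static int effective_dir_mode(mode_t requested, mode_t process_umask)
{
    char base[] = "/tmp/kfsb-demo-XXXXXX";   /* constructed scratch path */
    char path[64];
    struct stat st;
    int result = -1;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/d", base);
    mode_t saved = umask(process_umask);
    if (mkdir(path, requested) == 0 && stat(path, &st) == 0)
        result = (int)(st.st_mode & 0777);
    rmdir(path);
    umask(saved);                             /* restore the caller's umask */
    rmdir(base);
    return result;
}

/* Audit check: non-zero if group or other hold any permission bit. */
static int exposed_to_others(int mode)
{
    return mode >= 0 && (mode & (S_IRWXG | S_IRWXO)) != 0;
}

int main(void)
{
    const mode_t umasks[] = { 0077, 0022, 0002, 0000 };
    for (size_t i = 0; i < sizeof umasks / sizeof umasks[0]; i++) {
        int loose = effective_dir_mode(0777, umasks[i]);
        int tight = effective_dir_mode(0700, umasks[i]); /* assumed tight mode */
        printf("umask %04o: 0777 -> %04o (exposed=%d), 0700 -> %04o (exposed=%d)\n",
               (unsigned)umasks[i], (unsigned)loose, exposed_to_others(loose),
               (unsigned)tight, exposed_to_others(tight));
    }
    return 0;
}
```

The same exposed_to_others() test can be applied to the st_mode of an existing settings directory to find ones created with loose permissions.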