Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Fri, 28 Jun 2019 17:45:05 GMT)
Source: glib2.0
Version: 2.58.3-2
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib/issues/1658
Hi,
The following vulnerability was published for glib2.0.
CVE-2019-13012[0]:
| The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.59.1
| creates directories using g_file_make_directory_with_parents
| (kfsb->dir, NULL, NULL) and files using g_file_replace_contents
| (kfsb->file, contents, length, NULL, FALSE,
| G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it
| does not properly restrict directory (and file) permissions. Instead,
| for directories, 0777 permissions are used; for files, default file
| permissions are used. This is similar to CVE-2019-12450.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-13012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13012
[1] https://gitlab.gnome.org/GNOME/glib/issues/1658
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as fixed in versions glib2.0/2.60.0-1.
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org.
(Fri, 28 Jun 2019 17:51:02 GMT)
Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Sat, 27 Jul 2019 10:42:10 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 27 Jul 2019 10:42:10 GMT)
Version: 2.60.0-1
On Fri, 28 Jun 2019 at 19:41:46 +0200, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed.
This was already fixed in unstable. I'm fixing the FTBFS now so that the
fixed version can migrate to testing.
Mitigations:
* The keyfile settings backend was added in 2.25.x, but would not
be automatically used via the GSettings extension point until 2.59.1,
so it would only be used by apps that explicitly use it. There are a few
such apps but they are a minority:
https://codesearch.debian.net/search?q=g_keyfile_settings_backend_new&perpkg=1
Tracker is probably the most interesting/dangerous/widely installed.
* If some other software, such as dconf, has already created the
freedesktop.org per-user configuration directory ($XDG_CONFIG_HOME or
~/.config), then it will usually have the 0700 permissions required
by the freedesktop.org Base Directory spec, preventing other users
from accessing the settings.
* I think the umask is respected, so the vulnerability report says 0777
but in practice the permissions will usually be 0755 or 0750.
Security team: for stable, bearing those mitigations in mind, do you
want to do a DSA or is this point-release material?
> The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.59.1
> [has this vulnerability]
FYI, this is misleading: 2.59.1, 2.59.2 and 2.59.3 appear to have been
vulnerable too, and 2.60.0 was the first fixed upstream version (but
nobody should use 2.59.x without planning to upgrade to 2.60.0 anyway,
because GNOME has an odd/even unstable/stable branching model).
smcv
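A constructed Python model (added here; not GLib's code and not the upstream patch) of the permission problem discussed above: it applies the process umask to the 0777 directory mode the old keyfile backend requested, creates the same layout with a restrictive 0700/0600 alternative, and flags anything group- or world-accessible. The directory layout and keyfile contents are made up for the demonstration.

```python
import os
import stat
import tempfile

# Any access bit for group or others counts as exposure to other local users.
EXPOSED_BITS = stat.S_IRWXG | stat.S_IRWXO


def effective_mode(requested: int, umask: int) -> int:
    """Mode the kernel actually stores: requested & ~umask (as mkdir(2)/open(2) do)."""
    return requested & ~umask & 0o777


def create_settings_tree(root: str, dir_mode: int, file_mode: int) -> str:
    """Create <root>/settings/keyfile with explicit modes; returns the file path."""
    settings_dir = os.path.join(root, "settings")
    os.mkdir(settings_dir, dir_mode)  # umask is applied by the OS, like in GLib
    path = os.path.join(settings_dir, "keyfile")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, file_mode)
    with os.fdopen(fd, "w") as f:
        f.write("[org/example/app]\nsecret-setting='constructed-value'\n")
    return path


def exposed_paths(*paths: str) -> list:
    """Return the subset of paths that group or others can read, write or traverse."""
    return [p for p in paths if os.stat(p).st_mode & EXPOSED_BITS]


def demo(umask: int = 0o022) -> dict:
    """Build a 'weak' (0777/0666) and a 'strict' (0700/0600) tree under the given umask."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            weak_root = os.path.join(tmp, "weak")
            strict_root = os.path.join(tmp, "strict")
            os.mkdir(weak_root, 0o700)
            os.mkdir(strict_root, 0o700)
            weak_file = create_settings_tree(weak_root, 0o777, 0o666)
            strict_file = create_settings_tree(strict_root, 0o700, 0o600)
            weak_dir = os.path.dirname(weak_file)
            strict_dir = os.path.dirname(strict_file)
            return {
                "weak_dir_mode": os.stat(weak_dir).st_mode & 0o777,
                "weak_exposed": exposed_paths(weak_dir, weak_file),
                "strict_exposed": exposed_paths(strict_dir, strict_file),
            }
    finally:
        os.umask(old)
```

With the common umask 022 the "weak" directory lands at 0755 and the file at 0644, matching the 0755/0750 figures above rather than a literal 0777; the strict variant exposes nothing regardless of umask.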
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Sat, 27 Jul 2019 12:15:03 GMT)
Hi Simon,
On Sat, Jul 27, 2019 at 11:37:48AM +0100, Simon McVittie wrote:
> Version: 2.60.0-1
>
> On Fri, 28 Jun 2019 at 19:41:46 +0200, Salvatore Bonaccorso wrote:
> > Please adjust the affected versions in the BTS as needed.
>
> This was already fixed in unstable. I'm fixing the FTBFS now so that the
> fixed version can migrate to testing.
Jupp, it was already marked as such in the BTS as well, but for the
security-tracker itself we also track the first version entering
unstable. I have just updated the information there; thank you for the
heads up.
> Mitigations:
>
> * The keyfile settings backend was added in 2.25.x, but would not
> be automatically used via the GSettings extension point until 2.59.1,
> so it would only be used by apps that explicitly use it. There are a few
> such apps but they are a minority:
> https://codesearch.debian.net/search?q=g_keyfile_settings_backend_new&perpkg=1
> Tracker is probably the most interesting/dangerous/widely installed.
>
> * If some other software, such as dconf, has already created the
> freedesktop.org per-user configuration directory ($XDG_CONFIG_HOME or
> ~/.config), then it will usually have the 0700 permissions required
> by the freedesktop.org Base Directory spec, preventing other users
> from accessing the settings.
>
> * I think the umask is respected, so the vulnerability report says 0777
> but in practice the permissions will usually be 0755 or 0750.
>
> Security team: for stable, bearing those mitigations in mind, do you
> want to do a DSA or is this point-release material?
I think this can safely go via a point release then. Are you planning
to do both the buster and stretch ones? If the latter as well, there
seem to be some other CVEs which were previously marked no-dsa for stretch.
If you think any of those might be sensible to include as well, then
please feel free to include them.
> > The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.59.1
> > [has this vulnerability]
>
> FYI, this is misleading: 2.59.1, 2.59.2 and 2.59.3 appear to have been
> vulnerable too, and 2.60.0 was the first fixed upstream version (but
> nobody should use 2.59.x without planning to upgrade to 2.60.0 anyway,
> because GNOME has an odd/even unstable/stable branching model).
Yes, right, the above is just what comes directly from the MITRE
description and should always be taken only as a reference, not as
absolute (sometimes the description only matches a specific
understanding fixed at a point in time, and needs revisiting later,
etc.).
I filed a request via the cveform to please update the description.
Regards,
Salvatore
Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Tue, 30 Jul 2019 10:24:03 GMT)
On Sat, 27 Jul 2019 at 14:13:34 +0200, Salvatore Bonaccorso wrote:
> On Sat, Jul 27, 2019 at 11:37:48AM +0100, Simon McVittie wrote:
> > Security team: for stable, bearing those mitigations in mind, do you
> > want to do a DSA or is this point-release material?
>
> I think this can safely go via a point release then. Are you planning
> to do both the buster and stretch one? If as well the later, there
> seem some other CVEs which previously were marked no-dsa for stretch.
> If you think any of those might be sensible to include as well then
> please feel free to include those as well.
I don't have any local stretch machines any more except for test VMs,
so I can't do a whole lot of testing for stretch point releases. As a
result I'm only preparing a buster version at the moment.
If I do a stretch version later, then I'll look at whether the other
no-dsa CVEs are unintrusive enough to fix.
Simple reproducer for this one attached (requires python3-gi and
gsettings-desktop-schemas).
smcv
Subject: Bug#931234: fixed in glib2.0 2.58.3-2+deb10u1
Date: Wed, 21 Aug 2019 17:47:08 +0000
Source: glib2.0
Source-Version: 2.58.3-2+deb10u1
We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 931234@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated glib2.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 30 Jul 2019 10:41:51 +0100
Source: glib2.0
Architecture: source
Version: 2.58.3-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 931234
Changes:
glib2.0 (2.58.3-2+deb10u1) buster; urgency=medium
.
* Team upload
* d/p/keyfile-settings-Use-tighter-permissions.patch:
Backport patch from upstream 2.60.0 so that the GKeyFile settings
backend creates ~/.config and configuration files with restrictive
permissions (Closes: #931234, CVE-2019-13012)
* d/gbp.conf: Swap branch to debian/buster
Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Wed, 21 Aug 2019 17:51:10 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 21 Aug 2019 17:51:10 GMT)
Subject: Bug#931234: fixed in glib2.0 2.50.3-2+deb9u1
Date: Wed, 21 Aug 2019 17:47:41 +0000
Source: glib2.0
Source-Version: 2.50.3-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 931234@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated glib2.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 13 Aug 2019 10:46:20 +0100
Source: glib2.0
Binary: libglib2.0-0 libglib2.0-tests libglib2.0-udeb libglib2.0-bin libglib2.0-dev libglib2.0-0-dbg libglib2.0-data libglib2.0-doc libgio-fam
Architecture: source
Version: 2.50.3-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
libgio-fam - GLib Input, Output and Streaming Library (fam module)
libglib2.0-0 - GLib library of C routines
libglib2.0-0-dbg - Debugging symbols for the GLib libraries
libglib2.0-bin - Programs for the GLib library
libglib2.0-data - Common files for GLib library
libglib2.0-dev - Development files for the GLib library
libglib2.0-doc - Documentation files for the GLib library
libglib2.0-tests - GLib library of C routines - installed tests
libglib2.0-udeb - GLib library of C routines - minimal runtime (udeb)
Closes: 929753 931234
Changes:
glib2.0 (2.50.3-2+deb9u1) stretch; urgency=medium
.
* Team upload
* d/gbp.conf: Add GNOME team configuration
* d/p/gfile-Limit-access-to-files-when-copying.patch:
When copying files, give the temporary partial copy of the file
suitably restrictive permissions (Closes: #929753; CVE-2019-12450)
* d/p/keyfile-settings-Use-tighter-permissions.patch:
Create directory and file with restrictive permissions when using the
GKeyfileSettingsBackend. Mitigation: in this version of GLib, the
GKeyfileSettingsBackend can only be used explicitly by code, and is
never selected automatically. (Closes: #931234; CVE-2019-13012)
* d/p/gmarkup-Fix-unvalidated-UTF-8-read-in-markup-parsing-erro.patch,
d/p/gmarkup-Avoid-reading-off-the-end-of-a-buffer-when-non-nu.patch:
Avoid buffer read overrun when formatting error messages for invalid
UTF-8 in GMarkup (CVE-2018-16429)
* d/p/gmarkup-Fix-crash-in-error-handling-path-for-closing-elem.patch:
Avoid NULL dereference when parsing invalid GMarkup with a malformed
closing tag not paired with an opening tag (CVE-2018-16429)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org.
(Thu, 19 Sep 2019 07:30:47 GMT)