import glib2-2.56.4-9.el8

SOURCES/CVE-2019-13012.patch

@@ -0,0 +1,38 @@
+From 32ed752130bcbccc008819a7f1ea27651c601ee2 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Tue, 22 Jan 2019 13:26:31 -0500
+Subject: [PATCH 9/9] keyfile settings: Use tighter permissions
+
+When creating directories, create them with 700 permissions,
+instead of 777.
+
+Closes: #1658
+---
+ gio/gkeyfilesettingsbackend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index f5358818e..3d793f5a8 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -113,7 +113,8 @@ g_keyfile_settings_backend_keyfile_write (GKeyfileSettingsBackend *kfsb)
+ 
+   contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
+   g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
+-                           G_FILE_CREATE_REPLACE_DESTINATION,
++                           G_FILE_CREATE_REPLACE_DESTINATION |
++                           G_FILE_CREATE_PRIVATE,
+                            NULL, NULL, NULL);
+ 
+   compute_checksum (kfsb->digest, contents, length);
+@@ -708,7 +709,7 @@ g_keyfile_settings_backend_constructed (GObject *object)
+   kfsb->permission = g_simple_permission_new (TRUE);
+ 
+   kfsb->dir = g_file_get_parent (kfsb->file);
+-  g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
++  g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
+ 
+   kfsb->file_monitor = g_file_monitor (kfsb->file, G_FILE_MONITOR_NONE, NULL, NULL);
+   kfsb->dir_monitor = g_file_monitor (kfsb->dir, G_FILE_MONITOR_NONE, NULL, NULL);
+-- 
+2.28.0

SOURCES/ghmac-gnutls.patch

@@ -455,7 +455,7 @@ new file mode 100644
 index 000000000..3b4dfb872
 --- /dev/null
 +++ b/glib/ghmac-gnutls.c
-@@ -0,0 +1,151 @@
+@@ -0,0 +1,160 @@
 +/* ghmac.h - data hashing functions
 + *
 + * Copyright (C) 2011  Collabora Ltd.
@@ -539,7 +539,16 @@ index 000000000..3b4dfb872
 +GHmac *
 +g_hmac_copy (const GHmac *hmac)
 +{
-+  g_error ("g_hmac_copy is not available with GnuTLS-backend GHmac");
++  GHmac *copy;
++
++  g_return_val_if_fail (hmac != NULL, NULL);
++
++  copy = g_slice_new0 (GHmac);
++  copy->ref_count = 1;
++  copy->digest_type = hmac->digest_type;
++  copy->hmac = gnutls_hmac_copy (hmac->hmac);
++
++  return copy;
 +}
 +
 +GHmac *
@@ -661,34 +670,6 @@ index c7f28b5b6..a2f9da81c 100644
    c_args : ['-DG_LOG_DOMAIN="GLib"', '-DGLIB_COMPILATION'] + pcre_static_args + glib_hidden_visibility_args
  )
  
-diff --git a/glib/tests/hmac.c b/glib/tests/hmac.c
-index 3ac3206df..5212c2523 100644
---- a/glib/tests/hmac.c
-+++ b/glib/tests/hmac.c
-@@ -1,3 +1,5 @@
-+#include "config.h"
-+
- #include <glib.h>
- #include <string.h>
- #include <stdlib.h>
-@@ -427,6 +429,9 @@ test_hmac_ref_unref (void)
- static void
- test_hmac_copy (void)
- {
-+#ifdef HAVE_GNUTLS
-+  g_test_skip ("No g_hmac_copy with gnutls");
-+#else
-   GHmac *hmac, *check;
- 
-   hmac = g_hmac_new (G_CHECKSUM_SHA256, (guchar*)"aaa", 3);
-@@ -435,6 +440,7 @@ test_hmac_copy (void)
-   g_assert_cmpstr (g_hmac_get_string (hmac), ==, g_hmac_get_string (check));
-   g_hmac_unref (check);
-   g_hmac_unref (hmac);
-+#endif
- }
- 
- static void
 diff --git a/meson.build b/meson.build
 index 0cefee51d..81b16b004 100644
 --- a/meson.build
@@ -700,7 +681,7 @@ index 0cefee51d..81b16b004 100644
 +# gnutls is used optionally by ghmac
 +libgnutls_dep = []
 +if get_option('gnutls')
-+  libgnutls_dep = [dependency('gnutls', version : '>=3.6.7', required : true)]
++  libgnutls_dep = [dependency('gnutls', version : '>=3.6.9', required : true)]
 +  glib_conf.set('HAVE_GNUTLS', 1)
 +endif
 +

SPECS/glib2.spec

@@ -5,17 +5,14 @@
 
 Name: glib2
 Version: 2.56.4
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: A library of handy utility functions
 
 License: LGPLv2+
 URL: http://www.gtk.org
 Source0: http://download.gnome.org/sources/glib/2.56/glib-%{version}.tar.xz
 
-# https://gitlab.gnome.org/GNOME/glib/merge_requests/903
+# For ghmac-gnutls.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1630260
-Patch37: ghmac-gnutls.patch
-# And the BR for this
 BuildRequires: pkgconfig(gnutls)
 
 BuildRequires: chrpath
@@ -56,6 +53,10 @@ Patch21: 0002-gvariant-test-Also-force-alignment-for-tuple-test-da.patch
 # Backported from 2.58 (for 3.32 GNOME rebase)
 Patch30: backport-per-desktop-overrides.patch
 
+# https://gitlab.gnome.org/GNOME/glib/merge_requests/903
+# https://bugzilla.redhat.com/show_bug.cgi?id=1630260
+Patch37: ghmac-gnutls.patch
+
 # Backported from git
 Patch40: 0001-gdbus-codegen-honor-Property.EmitsChangedSignal-anno.patch
 
@@ -64,6 +65,11 @@ Patch50: 0001-gcredentialsprivate-Document-the-various-private-mac.patch
 Patch51: 0001-GDBus-prefer-getsockopt-style-credentials-passing-AP.patch
 Patch52: 0001-credentials-Invalid-Linux-struct-ucred-means-no-info.patch
 
+# Mostly from https://gitlab.gnome.org/GNOME/glib/-/commits/master/gio/gkeyfilesettingsbackend.c
+Patch60: keyfile-backend.patch
+# https://gitlab.gnome.org/GNOME/glib/-/issues/1658
+Patch61: CVE-2019-13012.patch
+
 %description
 GLib is the low-level core library that forms the basis for projects
 such as GTK+ and GNOME. It provides data structure handling for C,
@@ -261,6 +267,14 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %{_datadir}/installed-tests
 
 %changelog
+* Tue Nov 10 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 2.56.4-9
+- Update GHmac patch to implement g_hmac_copy()
+  Resolves: #1786538
+- Update keyfile settings backend
+  Resolves: #1728896
+- Fix CVE-2019-13012
+  Resolves: #1728632
+
 * Mon Dec 02 2019 Colin Walters <walters@verbum.org> - 2.56.4-8
 - Backport patches for GDBus auth
   Resolves: #1777213