import glib2-2.56.4-7.el8

SOURCES/0001-gfile-Limit-access-to-files-when-copying.patch

@@ -0,0 +1,53 @@
+From d8f8f4d637ce43f8699ba94c9b7648beda0ca174 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:41:53 +0200
+Subject: [PATCH] gfile: Limit access to files when copying
+
+file_copy_fallback creates new files with default permissions and
+set the correct permissions after the operation is finished. This
+might cause that the files can be accessible by more users during
+the operation than expected. Use G_FILE_CREATE_PRIVATE for the new
+files to limit access to those files.
+---
+ gio/gfile.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/gio/gfile.c b/gio/gfile.c
+index 24b136d80..74b58047c 100644
+--- a/gio/gfile.c
++++ b/gio/gfile.c
+@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile                  *source,
+         out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+                                                                    FALSE, NULL,
+                                                                    flags & G_FILE_COPY_BACKUP,
+-                                                                   G_FILE_CREATE_REPLACE_DESTINATION,
+-                                                                   info,
++                                                                   G_FILE_CREATE_REPLACE_DESTINATION |
++                                                                   G_FILE_CREATE_PRIVATE, info,
+                                                                    cancellable, error);
+       else
+         out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+-                                                                  FALSE, 0, info,
++                                                                  FALSE, G_FILE_CREATE_PRIVATE, info,
+                                                                   cancellable, error);
+     }
+   else if (flags & G_FILE_COPY_OVERWRITE)
+@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile                  *source,
+       out = (GOutputStream *)g_file_replace (destination,
+                                              NULL,
+                                              flags & G_FILE_COPY_BACKUP,
+-                                             G_FILE_CREATE_REPLACE_DESTINATION,
++                                             G_FILE_CREATE_REPLACE_DESTINATION |
++                                             G_FILE_CREATE_PRIVATE,
+                                              cancellable, error);
+     }
+   else
+     {
+-      out = (GOutputStream *)g_file_create (destination, 0, cancellable, error);
++      out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error);
+     }
+ 
+   if (!out)
+-- 
+2.21.0
+

SPECS/glib2.spec

@@ -5,7 +5,7 @@
 
 Name: glib2
 Version: 2.56.4
-Release: 5%{?dist}
+Release: 7%{?dist}
 Summary: A library of handy utility functions
 
 License: LGPLv2+
@@ -47,6 +47,7 @@ Patch01: 0001-gdbus-unix-addresses-test-don-t-g_debug-when-also-te.patch
 Patch10: 0001-codegen-Change-pointer-casting-to-remove-type-punnin.patch
 Patch11: 0001-spawn-add-shebang-line-to-script.patch
 Patch12: 0001-build-sys-Pass-CFLAGS-to-DTRACE.patch
+Patch13: 0001-gfile-Limit-access-to-files-when-copying.patch
 
 # Backported from git glib-2-56 branch
 Patch20: 0001-tests-Allocate-gvariant-data-from-the-heap-to-guaran.patch
@@ -255,6 +256,10 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %{_datadir}/installed-tests
 
 %changelog
+* Sat Jul 13 2019 Colin Walters <walters@redhat.com> - 2.56.4-7
+- Backport patch for CVE-2019-12450
+  Resolves: #1722101
+
 * Mon Jun 17 2019 Ray Strode <rstrode@redhat.com> - 2.56.4-5
 - Backport glib2 change needed for accountsservice dbus
   codegen fix