rpms/glib2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2019-12450 (#1719142)

Browse Source
This commit is contained in:
David King 2019-06-11 09:04:42 +01:00
parent d40813ab05
commit e81b0cb6f7
2 changed files with 59 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
CVE-2019-12450.patch Normal file
View File

@ -0,0 +1,53 @@
From d8f8f4d637ce43f8699ba94c9b7648beda0ca174 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Thu, 23 May 2019 10:41:53 +0200
Subject: [PATCH] gfile: Limit access to files when copying
file_copy_fallback creates new files with default permissions and
set the correct permissions after the operation is finished. This
might cause that the files can be accessible by more users during
the operation than expected. Use G_FILE_CREATE_PRIVATE for the new
files to limit access to those files.
---
gio/gfile.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/gio/gfile.c b/gio/gfile.c
index 24b136d80..74b58047c 100644
--- a/gio/gfile.c
+++ b/gio/gfile.c
@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source,
out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
FALSE, NULL,
flags & G_FILE_COPY_BACKUP,
- G_FILE_CREATE_REPLACE_DESTINATION,
- info,
+ G_FILE_CREATE_REPLACE_DESTINATION |
+ G_FILE_CREATE_PRIVATE, info,
cancellable, error);
else
out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
- FALSE, 0, info,
+ FALSE, G_FILE_CREATE_PRIVATE, info,
cancellable, error);
}
else if (flags & G_FILE_COPY_OVERWRITE)
@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source,
out = (GOutputStream *)g_file_replace (destination,
NULL,
flags & G_FILE_COPY_BACKUP,
- G_FILE_CREATE_REPLACE_DESTINATION,
+ G_FILE_CREATE_REPLACE_DESTINATION |
+ G_FILE_CREATE_PRIVATE,
cancellable, error);
}
else
{
- out = (GOutputStream *)g_file_create (destination, 0, cancellable, error);
+ out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error);
}
if (!out)
--
2.21.0

7
glib2.spec
View File

@ -2,12 +2,14 @@
Name: glib2 Name: glib2
Version: 2.61.1 Version: 2.61.1
Release: 1%{?dist} Release: 2%{?dist}
Summary: A library of handy utility functions Summary: A library of handy utility functions
License: LGPLv2+ License: LGPLv2+
URL: http://www.gtk.org URL: http://www.gtk.org
Source0: http://download.gnome.org/sources/glib/2.61/glib-%{version}.tar.xz Source0: http://download.gnome.org/sources/glib/2.61/glib-%{version}.tar.xz
# https://bugzilla.redhat.com/show_bug.cgi?id=1719142
Patch0: CVE-2019-12450.patch
BuildRequires: chrpath BuildRequires: chrpath
BuildRequires: gcc BuildRequires: gcc
@ -219,6 +221,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
%{_datadir}/installed-tests %{_datadir}/installed-tests
%changelog %changelog
* Tue Jun 11 2019 David King <amigadave@amigadave.com> - 2.61.1-2
- Fix CVE-2019-12450 (#1719142)
* Fri May 24 2019 Kalev Lember <klember@redhat.com> - 2.61.1-1 * Fri May 24 2019 Kalev Lember <klember@redhat.com> - 2.61.1-1
- Update to 2.61.1 - Update to 2.61.1