Hi Simon,

On Sunday, 4 August 2019, Simon McVittie wrote:
> Source: glib2.0
> Version: 2.42.1-1+deb8u2
> Severity: normal
> Tags: jessie
>
> (This is only from source code inspection, not tested in real use -
> I don't use jessie any more.)
>
> While looking into a possible stretch update for CVE-2018-16429,
> CVE-2019-12450, CVE-2018-16428 and CVE-2019-13012, I compared my backports
> of the fixes for those vulnerabilities with the ones in jessie-lts to try
> to double-check that I had done them right.
>
> The upstream fix for CVE-2019-13012 included this change:
>
> - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
> + g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
>
> However, g_file_peek_path() was only introduced in GLib 2.56, so that
> won't work for stretch or jessie. The backport in the jessie-lts package
> has this instead:
>
> - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
> + g_mkdir_with_parents (g_file_get_path (kfsb->dir), 0700);
>
> This is not equivalent. The difference between g_file_peek_path() and the
> older g_file_get_path() is that g_file_get_path() makes a copy, which must
> be freed with g_free() after use. As a result, there is now a memory leak.
>
> A non-leaky backport would look something like this, which is what I've
> done in a proposed backport for Debian 9 'stretch' at
> <https://salsa.debian.org/gnome-team/glib/merge_requests/7>:
>
> + char *dir;
> ...
> - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
> + dir = g_file_get_path (kfsb->dir);
> + g_mkdir_with_parents (dir, 0700);
> + g_free (dir);
>
> The Ubuntu xenial update appears to have the same bug:
> https://bugs.launchpad.net/ubuntu/+source/glib2.0/+bug/1838890
>
> Regards,
> smcv
>
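
Review bot: In the proposed stretch backport, the result of g_file_get_path (kfsb->dir) is passed on without a NULL check and the return value of g_mkdir_with_parents (dir, 0700) is discarded. g_file_get_path() returns NULL when the GFile has no local path, so either test dir before the call or add a comment stating that kfsb->dir is always a local file; g_free (dir) is fine either way because g_free() accepts NULL. If a failure to create the directory should be visible to the caller, check for a -1 return, although the upstream line ignores it as well.
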
Thanks for letting us (LTS team) know. Will provide a fix tonight for LTS/ELTS.

Mike

--
Sent from my Fairphone2 (powered by Sailfish OS).

