Your message dated Sat, 07 Sep 2019 14:34:49 +0100
with message-id 
<f49e2985d8466065c49c03185c24465a32228fb5.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes including in 10.1 point release
has caused the Debian Bug report #933535,
regarding buster-pu: package glib2.0/2.58.3-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
933535: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933535
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster d-i
User: [email protected]
Usertags: pu

GLib in buster is vulnerable to CVE-2019-13012 (configuration files
and directories created with more open permissions than intended),
which the security team have indicated is too minor for a DSA.
<https://bugs.debian.org/931234>

GLib has a udeb, so this technically needs a d-i ack, although I can't
imagine why d-i would either use GKeyfileSettingsBackend or care about
the resulting permissions.

I have deliberately not attempted to address
<https://bugs.debian.org/896019> in this upload: that will be a much
more intrusive change which should definitely go through unstable first,
and I don't want to delay a simple CVE fix for that.

Successfully tested on a buster GNOME virtual machine. I'll test on real
hardware before uploading.

    smcv
diffstat for glib2.0-2.58.3 glib2.0-2.58.3

 changelog                                              |   11 +++++
 gbp.conf                                               |    2 
 patches/keyfile-settings-Use-tighter-permissions.patch |   36 +++++++++++++++++
 patches/series                                         |    1 
 4 files changed, 49 insertions(+), 1 deletion(-)

diff -Nru glib2.0-2.58.3/debian/changelog glib2.0-2.58.3/debian/changelog
--- glib2.0-2.58.3/debian/changelog     2019-06-03 22:37:45.000000000 +0100
+++ glib2.0-2.58.3/debian/changelog     2019-07-30 10:41:51.000000000 +0100
@@ -1,3 +1,14 @@
+glib2.0 (2.58.3-2+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * d/p/keyfile-settings-Use-tighter-permissions.patch:
+    Backport patch from upstream 2.60.0 so that the GKeyFile settings
+    backend creates ~/.config and configuration files with restrictive
+    permissions (Closes: #931234, CVE-2019-13012)
+  * d/gbp.conf: Swap branch to debian/buster
+
+ -- Simon McVittie <[email protected]>  Tue, 30 Jul 2019 10:41:51 +0100
+
 glib2.0 (2.58.3-2) unstable; urgency=medium
 
   * Team upload
diff -Nru glib2.0-2.58.3/debian/gbp.conf glib2.0-2.58.3/debian/gbp.conf
--- glib2.0-2.58.3/debian/gbp.conf      2019-06-03 22:37:45.000000000 +0100
+++ glib2.0-2.58.3/debian/gbp.conf      2019-07-30 10:41:51.000000000 +0100
@@ -1,6 +1,6 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/buster
 upstream-branch = upstream/2.58.x
 upstream-vcs-tag = %(version)s
 
diff -Nru 
glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch 
glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch
--- 
glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch    
    1970-01-01 01:00:00.000000000 +0100
+++ 
glib2.0-2.58.3/debian/patches/keyfile-settings-Use-tighter-permissions.patch    
    2019-07-30 10:41:51.000000000 +0100
@@ -0,0 +1,36 @@
+From: Matthias Clasen <[email protected]>
+Date: Tue, 22 Jan 2019 13:26:31 -0500
+Subject: keyfile settings: Use tighter permissions
+
+When creating directories, create them with 700 permissions,
+instead of 777.
+
+Closes: #1658
+Origin: backport, 2.60.0, commit:5e4da714f00f6bfb2ccd6d73d61329c6f3a08429
+---
+ gio/gkeyfilesettingsbackend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index a37978e..580a0b0 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -89,7 +89,8 @@ g_keyfile_settings_backend_keyfile_write 
(GKeyfileSettingsBackend *kfsb)
+ 
+   contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
+   g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
+-                           G_FILE_CREATE_REPLACE_DESTINATION,
++                           G_FILE_CREATE_REPLACE_DESTINATION |
++                           G_FILE_CREATE_PRIVATE,
+                            NULL, NULL, NULL);
+ 
+   compute_checksum (kfsb->digest, contents, length);
+@@ -640,7 +641,7 @@ g_keyfile_settings_backend_new (const gchar *filename,
+ 
+   kfsb->file = g_file_new_for_path (filename);
+   kfsb->dir = g_file_get_parent (kfsb->file);
+-  g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
++  g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
+ 
+   kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
+   kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
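Review bot: at `+  g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);` the int return value is dropped, just as the old g_file_make_directory_with_parents() call passed a NULL GError; that matches upstream commit 5e4da714 and is acceptable for a minimal stable backport, but it is worth a comment that a failure here is only noticed when the later g_file_replace_contents() (also with a NULL GError) fails to write. The practical caveat for a point release is that g_mkdir_with_parents() does nothing to a directory that already exists, so the 0700 applies only to settings directories created after the upgrade; installs that already ran 2.58.3-2 keep whatever mode the old code gave the directory until something chmods it. The changelog wording ("creates ~/.config and configuration files with restrictive permissions") reads as if existing installs were covered too, so a sentence in the changelog or README.Debian saying that pre-existing directories are not retroactively tightened would avoid a false sense of safety. The file side, `+                           G_FILE_CREATE_PRIVATE,` on top of G_FILE_CREATE_REPLACE_DESTINATION, requests a file accessible only to the current user for every keyfile the backend writes, which is the right flag for this data. g_file_peek_path() has existed since GLib 2.56, so nothing else needs backporting for 2.58.3.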
diff -Nru glib2.0-2.58.3/debian/patches/series 
glib2.0-2.58.3/debian/patches/series
--- glib2.0-2.58.3/debian/patches/series        2019-06-03 22:37:45.000000000 
+0100
+++ glib2.0-2.58.3/debian/patches/series        2019-07-30 10:41:51.000000000 
+0100
@@ -2,6 +2,7 @@
 mainloop-test-Fix-race-conditions.patch
 closures-test-Avoid-timeout-on-ARM64-CPUs.patch
 gfile-Limit-access-to-files-when-copying.patch
+keyfile-settings-Use-tighter-permissions.patch
 01_gettext-desktopfiles.patch
 81-skip-monitor-test-on-non-linux.patch
 0001-timer-test-use-volatile-for-locals.patch

--- End Message ---
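The following is an added example, not code from this upload, from Simon, or from GLib: plain POSIX C that models the two changes in keyfile-settings-Use-tighter-permissions.patch (directory creation with mode 0700 instead of 0777, keyfile creation as a private 0600 file) and adds the post-upgrade check the patch itself cannot perform, because mkdir() does nothing to a directory that already exists with the old, wider mode. All function names, the scratch path under /tmp and the umask of 022 are constructed for this example; the GLib calls named in the comments are the ones the patch replaces or adds.

```c
/* Added example, not code from the Debian upload or from GLib: a plain
 * POSIX model of what keyfile-settings-Use-tighter-permissions.patch
 * changes, plus the post-upgrade check the patch itself cannot do.
 * Build: cc -o keyfile-perms keyfile-perms.c && ./keyfile-perms */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits that must be clear on a private settings dir or keyfile. */
#define WIDE_BITS (S_IRWXG | S_IRWXO)

/* 1 if path is accessible to group or other, 0 if private, -1 if no such path. */
int is_too_open(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & WIDE_BITS) != 0;
}

/* Before the patch: g_file_make_directory_with_parents() asks for 0777 and
 * lets the umask decide; with the usual 022 that yields a 0755, world-
 * searchable directory. Modelled here with a single mkdir(). */
int make_settings_dir_old(const char *path)
{
    return mkdir(path, 0777);
}

/* After the patch: g_mkdir_with_parents(path, 0700). The umask can only
 * clear bits, so the result is 0700 or tighter whatever the umask is. */
int make_settings_dir_new(const char *path)
{
    return mkdir(path, 0700);
}

/* File side of the patch: G_FILE_CREATE_PRIVATE means "create with 0600".
 * O_EXCL refuses to reuse a file or symlink that is already at the path. */
int create_private_keyfile(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    return close(fd);
}

/* Neither mkdir() nor g_mkdir_with_parents() touches a directory that
 * already exists, so a system upgraded from the unfixed package keeps the
 * old mode until something tightens it. This does that for one path and
 * refuses to chmod through a symbolic link. Returns 0 on success. */
int tighten_existing(const char *path, mode_t want)
{
    struct stat st;
    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode))
        return -1;
    if ((st.st_mode & 07777) == want)
        return 0;
    return chmod(path, want);
}

/* Per-process scratch directory under /tmp for the demonstration (a
 * constructed path, not a real GLib settings location). Writes the path
 * into buf and creates it with mode 0700. Returns 0 on success. */
int make_scratch_dir(char *buf, size_t len)
{
    if (snprintf(buf, len, "/tmp/keyfile-perms-%ld", (long)getpid()) >= (int)len)
        return -1;
    return mkdir(buf, 0700);
}

int main(void)
{
    char base[128], old_dir[160], new_dir[160], keyfile[192];
    umask(022);                                   /* the common default */
    if (make_scratch_dir(base, sizeof base) != 0)
        return 1;
    snprintf(old_dir, sizeof old_dir, "%s/old", base);
    snprintf(new_dir, sizeof new_dir, "%s/new", base);
    snprintf(keyfile, sizeof keyfile, "%s/keyfile", new_dir);

    make_settings_dir_old(old_dir);
    make_settings_dir_new(new_dir);
    create_private_keyfile(keyfile);
    printf("old-style dir too open: %d\n", is_too_open(old_dir));   /* 1 */
    printf("patched dir too open:   %d\n", is_too_open(new_dir));   /* 0 */
    printf("private keyfile open:   %d\n", is_too_open(keyfile));   /* 0 */
    tighten_existing(old_dir, 0700);
    printf("after chmod, old dir:   %d\n", is_too_open(old_dir));   /* 0 */

    unlink(keyfile); rmdir(new_dir); rmdir(old_dir); rmdir(base);
    return 0;
}
```

The point of tighten_existing() is the part a sysadmin has to do by hand after this update: the fix changes how new directories and keyfiles are created, while directories that the unfixed version already created keep their old mode. Checking the mode with is_too_open() first, and refusing to follow a symlink, keeps the remediation from being turned against the user it is meant to protect.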
--- Begin Message ---
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's
buster point release.

Regards,

Adam

--- End Message ---
