Bug#934741: stretch-pu: package glib2.0/2.50.3-2+deb9u1

2019-08-21 Thread Cyril Brulebois
Hi,

Adam D. Barratt  (2019-08-20):
> Looks OK from an SRM perspective; thanks. Tagging so it shows up in the
> right place in the BTS.

Testing looks good, no objections.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#934741: stretch-pu: package glib2.0/2.50.3-2+deb9u1

2019-08-20 Thread Adam D. Barratt

Control: tags -1 + confirmed

On 2019-08-14 09:17, Simon McVittie wrote:

> glib2.0 in stretch has some minor security vulnerabilities for which
> the security team have declined to issue DSAs: the most recent is also
> pending review as a buster update (#933535) and the others were already
> fixed before the buster release. I've prepared a backport of the fixes,
> which is very similar to the delta between jessie and jessie-lts.
> 
> I have done some basic testing of this proposed update in a GNOME virtual
> machine, but I no longer have physical access to any stretch desktops
> that are in real use (the only stretch machines I'm responsible for
> will be upgraded to buster when I next get physical access to them)
> so additional testing by stretch users would be welcome, particularly
> by users of GTK-based desktops like GNOME and XFCE. Test binaries are
> available here: https://people.debian.org/~smcv/201908/
> 
> As with #933535, glib2.0 builds udebs for the graphical installer, so this
> will need a d-i ack.


Looks OK from an SRM perspective; thanks. Tagging so it shows up in the 
right place in the BTS.


Regards,

Adam



Processed: Re: Bug#934741: stretch-pu: package glib2.0/2.50.3-2+deb9u1

2019-08-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #934741 [release.debian.org] stretch-pu: package glib2.0/2.50.3-2+deb9u1
Added tag(s) confirmed.

-- 
934741: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934741
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#934741: stretch-pu: package glib2.0/2.50.3-2+deb9u1

2019-08-14 Thread Simon McVittie
Package: release.debian.org
Severity: normal
Tags: stretch d-i
User: release.debian@packages.debian.org
Usertags: pu

glib2.0 in stretch has some minor security vulnerabilities for which
the security team have declined to issue DSAs: the most recent is also
pending review as a buster update (#933535) and the others were already
fixed before the buster release. I've prepared a backport of the fixes,
which is very similar to the delta between jessie and jessie-lts.

I have done some basic testing of this proposed update in a GNOME virtual
machine, but I no longer have physical access to any stretch desktops
that are in real use (the only stretch machines I'm responsible for
will be upgraded to buster when I next get physical access to them)
so additional testing by stretch users would be welcome, particularly
by users of GTK-based desktops like GNOME and XFCE. Test binaries are
available here: https://people.debian.org/~smcv/201908/

As with #933535, glib2.0 builds udebs for the graphical installer, so this
will need a d-i ack.

Thanks,
smcv
diffstat for glib2.0-2.50.3 glib2.0-2.50.3

 changelog                                                               |   22 +
 gbp.conf                                                                |   17 +
 patches/gfile-Limit-access-to-files-when-copying.patch                  |   54 
 patches/gmarkup-Avoid-reading-off-the-end-of-a-buffer-when-non-nu.patch |  115 ++
 patches/gmarkup-Fix-crash-in-error-handling-path-for-closing-elem.patch |   78 ++
 patches/gmarkup-Fix-unvalidated-UTF-8-read-in-markup-parsing-erro.patch |   86 +++
 patches/keyfile-settings-Use-tighter-permissions.patch                  |   48 
 patches/series                                                          |    5 
 8 files changed, 425 insertions(+)

diff -Nru glib2.0-2.50.3/debian/changelog glib2.0-2.50.3/debian/changelog
--- glib2.0-2.50.3/debian/changelog 2017-03-19 23:21:57.0 +
+++ glib2.0-2.50.3/debian/changelog 2019-08-13 10:46:20.0 +0100
@@ -1,3 +1,25 @@
+glib2.0 (2.50.3-2+deb9u1) stretch; urgency=medium
+
+  * Team upload
+  * d/gbp.conf: Add GNOME team configuration
+  * d/p/gfile-Limit-access-to-files-when-copying.patch:
+When copying files, give the temporary partial copy of the file
+suitably restrictive permissions (Closes: #929753; CVE-2019-12450)
+  * d/p/keyfile-settings-Use-tighter-permissions.patch:
+Create directory and file with restrictive permissions when using the
+GKeyfileSettingsBackend. Mitigation: in this version of GLib, the
+GKeyfileSettingsBackend can only be used explicitly by code, and is
+never selected automatically. (Closes: #931234; CVE-2019-13012)
+  * d/p/gmarkup-Fix-unvalidated-UTF-8-read-in-markup-parsing-erro.patch,
+d/p/gmarkup-Avoid-reading-off-the-end-of-a-buffer-when-non-nu.patch:
+Avoid buffer read overrun when formatting error messages for invalid
+UTF-8 in GMarkup (CVE-2018-16429)
+  * d/p/gmarkup-Fix-crash-in-error-handling-path-for-closing-elem.patch:
+Avoid NULL dereference when parsing invalid GMarkup with a malformed
+closing tag not paired with an opening tag (CVE-2018-16429)
+
+ -- Simon McVittie   Tue, 13 Aug 2019 10:46:20 +0100
+
 glib2.0 (2.50.3-2) unstable; urgency=medium
 
   * debian/patches/tests-gdatetime-Use-a-real-rather-than-invented-time.patch:
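Review bot: The two GMarkup bullets cite the same identifier, CVE-2018-16429, for two distinct defects (the buffer read overrun when formatting error messages for invalid UTF-8, and the NULL dereference on a closing tag with no matching opening tag); please confirm against the security tracker that the closing-tag crash really shares that identifier rather than having its own, since stretch users and the tracker cross-reference fixed versions by CVE from this changelog. The gfile and keyfile bullets are fine as written: each names the Debian bug it closes, the CVE, and (for the keyfile backend) why the exposure is limited in this version, which is exactly what SRM needs to judge a minor security update.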
diff -Nru glib2.0-2.50.3/debian/gbp.conf glib2.0-2.50.3/debian/gbp.conf
--- glib2.0-2.50.3/debian/gbp.conf  1970-01-01 01:00:00.0 +0100
+++ glib2.0-2.50.3/debian/gbp.conf  2019-08-13 10:46:20.0 +0100
@@ -0,0 +1,17 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/stretch
+upstream-branch = upstream/2.50.x
+upstream-vcs-tag = %(version)s
+
+[buildpackage]
+sign-tags = True
+
+[dch]
+multimaint-merge = True
+
+[import-orig]
+postimport = dch -v%(version)s New upstream release; git add debian/changelog; 
debcommit
+
+[pq]
+patch-numbers = False
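Review bot: Nothing in this file changes the built packages (gbp.conf only drives the maintainer's git-buildpackage tooling), so it is harmless for the stable update, but it is unrelated to the CVE fixes that motivate the upload; keeping it as its own changelog bullet, as the changelog hunk does, lets SRM see it is tooling-only. The `postimport = dch -v%(version)s ... git add debian/changelog;` / `debcommit` command appears split over two lines in this extract; confirm it is a single line in the committed file, as gbp reads the value up to end of line.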
diff -Nru 
glib2.0-2.50.3/debian/patches/gfile-Limit-access-to-files-when-copying.patch 
glib2.0-2.50.3/debian/patches/gfile-Limit-access-to-files-when-copying.patch
--- 
glib2.0-2.50.3/debian/patches/gfile-Limit-access-to-files-when-copying.patch
1970-01-01 01:00:00.0 +0100
+++ 
glib2.0-2.50.3/debian/patches/gfile-Limit-access-to-files-when-copying.patch
2019-08-13 10:46:20.0 +0100
@@ -0,0 +1,54 @@
+From: Ondrej Holy 
+Date: Thu, 23 May 2019 10:41:53 +0200
+Subject: gfile: Limit access to files when copying
+
+file_copy_fallback creates new files with default permissions and
+set the correct permissions after the operation is finished. This
+might cause that the files can be accessible by more users during
+the operation than expected. Use G_FILE_CREATE_PRIVATE for the new
+files to limit access to those files.
+
+Bug: https://gitlab.gnome.org/GNOME/glib/merge_requests/876
+Bug-CVE: CVE-2019-12450
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929753
+Origin:
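Review bot: The DEP-3 header ends at `+Origin:` with no value visible on this page; DEP-3 expects Origin: to name the upstream commit (or `upstream, <url>`), so make sure the committed patch carries a value rather than an empty field, given that `Bug:` already points at merge_requests/876. A wording fix in the description: "and set the correct permissions after the operation is finished" should read "and sets". The description does state the security-relevant point clearly (the copy is world-accessible under default permissions until the final chmod, and G_FILE_CREATE_PRIVATE removes that window at creation time), which is what the changelog entry summarises.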