CVE-2019-13012 in Ubuntu

CVE-2019-13012

Priority

Description

The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0
creates directories using g_file_make_directory_with_parents (kfsb->dir,
NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents,
length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL).
Consequently, it does not properly restrict directory (and file)
permissions. Instead, for directories, 0777 permissions are used; for
files, default file permissions are used. This is similar to
CVE-2019-12450.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13012
https://gitlab.gnome.org/GNOME/glib/merge_requests/450
https://ubuntu.com/security/notices/USN-4049-1
https://ubuntu.com/security/notices/USN-4049-2
https://ubuntu.com/security/notices/USN-4049-3
https://ubuntu.com/security/notices/USN-4049-4

Bugs

https://gitlab.gnome.org/GNOME/glib/issues/1658
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931234

Assigned-to

leosilva

Notes

Package

Source: glib2.0 (LP Ubuntu Debian)

Upstream:	released (2.59.1)
Ubuntu 18.04 LTS:	released (2.56.4-0ubuntu0.18.04.4)
Ubuntu 16.04 ESM:	released (2.48.2-0ubuntu4.4)
Ubuntu 14.04 ESM:	released (2.40.2-0ubuntu1.1+esm3)

Patches:

Upstream:	https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429
Upstream:	https://gitlab.gnome.org/GNOME/glib/commit/54317c9118bfffa4e9390945f88e63addc1cb69c

More Information

Updated: 2022-04-13 13:39:31 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)