Commit 6d61c009 authored by Natanael Copa's avatar Natanael Copa

main/glib: security fix for CVE-2019-12450

fixes #10578
parent eb465b6e
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=glib
pkgver=2.54.2
pkgrel=0
pkgrel=1
pkgdesc="Common C routines used by Gtk+ and other libs"
url="https://developer.gnome.org/glib/"
arch="all"
......@@ -14,10 +14,15 @@ depends_dev="perl python2 gettext-dev zlib-dev bzip2-dev libffi-dev
makedepends="$depends_dev pcre-dev"
source="https://download.gnome.org/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz
0001-gquark-fix-initialization-with-c-constructors.patch
CVE-2019-12450.patch
"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-static $pkgname-dev $pkgname-lang $pkgname-bash-completion:bashcomp:noarch"
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
# 2.54.2-r1:
# - CVE-2019-12450
prepare() {
default_prepare
cd "$builddir"
......@@ -80,4 +85,5 @@ bashcomp() {
}
sha512sums="09ee6fa3a6f3f15af229bd789bef536e3570f36d1e4ce624a57e97c4040577f6baccd6ab5746257863ccf7173b558cfa753951d562a278f854e52604104ba7ee glib-2.54.2.tar.xz
32e5aca9a315fb985fafa0b4355e4498c1f877fc1f0b58ad4ac261fb9fbced9f026c7756a5f2af7d61ce756b55c8cd02811bb08df397040e93510056f073756b 0001-gquark-fix-initialization-with-c-constructors.patch"
32e5aca9a315fb985fafa0b4355e4498c1f877fc1f0b58ad4ac261fb9fbced9f026c7756a5f2af7d61ce756b55c8cd02811bb08df397040e93510056f073756b 0001-gquark-fix-initialization-with-c-constructors.patch
18f33b4902d1ec2595e17f6d686871445aaba3988c1f257a28892f5efcfdc79d6009d0bcf997791ab4f4f0eac9667a89cedca24261592b60b91627dd2d5ed79d CVE-2019-12450.patch"
From d8f8f4d637ce43f8699ba94c9b7648beda0ca174 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Thu, 23 May 2019 10:41:53 +0200
Subject: [PATCH] gfile: Limit access to files when copying
file_copy_fallback creates new files with default permissions and
set the correct permissions after the operation is finished. This
might cause that the files can be accessible by more users during
the operation than expected. Use G_FILE_CREATE_PRIVATE for the new
files to limit access to those files.
---
gio/gfile.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/gio/gfile.c b/gio/gfile.c
index 24b136d80..74b58047c 100644
--- a/gio/gfile.c
+++ b/gio/gfile.c
@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source,
out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
FALSE, NULL,
flags & G_FILE_COPY_BACKUP,
- G_FILE_CREATE_REPLACE_DESTINATION,
- info,
+ G_FILE_CREATE_REPLACE_DESTINATION |
+ G_FILE_CREATE_PRIVATE, info,
cancellable, error);
else
out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
- FALSE, 0, info,
+ FALSE, G_FILE_CREATE_PRIVATE, info,
cancellable, error);
}
else if (flags & G_FILE_COPY_OVERWRITE)
@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source,
out = (GOutputStream *)g_file_replace (destination,
NULL,
flags & G_FILE_COPY_BACKUP,
- G_FILE_CREATE_REPLACE_DESTINATION,
+ G_FILE_CREATE_REPLACE_DESTINATION |
+ G_FILE_CREATE_PRIVATE,
cancellable, error);
}
else
{
- out = (GOutputStream *)g_file_create (destination, 0, cancellable, error);
+ out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error);
}
if (!out)
--
2.21.0
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment