[OE-core] [v2][oe-core][PATCH 1/1] glib-2.0: Fix CVE-2019-12450
Burton, Ross
ross.burton at intel.com
Mon Jun 24 12:28:36 UTC 2019
Will you be backporting this to Warrior and Thud?
Ross
On Thu, 20 Jun 2019 at 18:45, Joe Slater <joe.slater at windriver.com> wrote:
>
> Unchanged patch from glib.git which was added after current release.
>
> Signed-off-by: Joe Slater <joe.slater at windriver.com>
> ---
> .../glib-2.0/glib-2.0/CVE-2019-12450.patch | 62 ++++++++++++++++++++++
> meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb | 1 +
> 2 files changed, 63 insertions(+)
> create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch
>
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch
> new file mode 100644
> index 0000000..59e4919
> --- /dev/null
> +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch
> @@ -0,0 +1,62 @@
> +glib-2.0: fix CVE-2019-12450
> +
> +Not in release 2.61.1.
> +
> +CVE: CVE-2019-12450
> +
> +Upstream-Status: Backport [github.com/GNOME/glib.git]
> +Signed-off-by: Joe Slater <joe.slater at windrivere.com>
> +---
> +From d8f8f4d637ce43f8699ba94c9b7648beda0ca174 Mon Sep 17 00:00:00 2001
> +From: Ondrej Holy <oholy at redhat.com>
> +Date: Thu, 23 May 2019 10:41:53 +0200
> +Subject: [PATCH] gfile: Limit access to files when copying
> +
> +file_copy_fallback creates new files with default permissions and
> +set the correct permissions after the operation is finished. This
> +might cause that the files can be accessible by more users during
> +the operation than expected. Use G_FILE_CREATE_PRIVATE for the new
> +files to limit access to those files.
> +---
> + gio/gfile.c | 11 ++++++-----
> + 1 file changed, 6 insertions(+), 5 deletions(-)
> +
> +diff --git a/gio/gfile.c b/gio/gfile.c
> +index 24b136d80..74b58047c 100644
> +--- a/gio/gfile.c
> ++++ b/gio/gfile.c
> +@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source,
> + out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
> + FALSE, NULL,
> + flags & G_FILE_COPY_BACKUP,
> +- G_FILE_CREATE_REPLACE_DESTINATION,
> +- info,
> ++ G_FILE_CREATE_REPLACE_DESTINATION |
> ++ G_FILE_CREATE_PRIVATE, info,
> + cancellable, error);
> + else
> + out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
> +- FALSE, 0, info,
> ++ FALSE, G_FILE_CREATE_PRIVATE, info,
> + cancellable, error);
> + }
> + else if (flags & G_FILE_COPY_OVERWRITE)
> +@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source,
> + out = (GOutputStream *)g_file_replace (destination,
> + NULL,
> + flags & G_FILE_COPY_BACKUP,
> +- G_FILE_CREATE_REPLACE_DESTINATION,
> ++ G_FILE_CREATE_REPLACE_DESTINATION |
> ++ G_FILE_CREATE_PRIVATE,
> + cancellable, error);
> + }
> + else
> + {
> +- out = (GOutputStream *)g_file_create (destination, 0, cancellable, error);
> ++ out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error);
> + }
> +
> + if (!out)
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb
> index bb77294..5942241 100644
> --- a/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb
> +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb
> @@ -16,6 +16,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
> file://0001-Do-not-write-bindir-into-pkg-config-files.patch \
> file://0001-meson.build-do-not-hardcode-linux-as-the-host-system.patch \
> file://0001-meson-do-a-build-time-check-for-strlcpy-before-attem.patch \
> + file://CVE-2019-12450.patch \
> "
>
> SRC_URI_append_class-native = " file://relocate-modules.patch"
> --
> 2.7.4
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
More information about the Openembedded-core
mailing list