* [PATCH 1/1] glib-2.0: Fix CVE-2019-12450
@ 2019-06-19 21:16 Joe Slater
2019-06-19 21:30 ` ✗ patchtest: failure for " Patchwork
0 siblings, 1 reply; 2+ messages in thread
From: Joe Slater @ 2019-06-19 21:16 UTC (permalink / raw)
To: openembedded-core
Unchanged patch from glib.git which was added after current release.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
---
.../glib-2.0/glib-2.0/CVE-2019-12450.patch | 62 ++++++++++++++++++++++
meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb | 1 +
2 files changed, 63 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch
new file mode 100644
index 0000000..59e4919
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch
@@ -0,0 +1,62 @@
+glib-2.0: fix CVE-2019-12450
+
+Not in release 2.61.1.
+
+CVE: CVE-2019-12450
+
+Upstream-Status: Backport [github.com/GNOME/glib.git]
+Signed-off-by: Joe Slater <joe.slater@windrivere.com>
+---
+From d8f8f4d637ce43f8699ba94c9b7648beda0ca174 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:41:53 +0200
+Subject: [PATCH] gfile: Limit access to files when copying
+
+file_copy_fallback creates new files with default permissions and
+set the correct permissions after the operation is finished. This
+might cause that the files can be accessible by more users during
+the operation than expected. Use G_FILE_CREATE_PRIVATE for the new
+files to limit access to those files.
+---
+ gio/gfile.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/gio/gfile.c b/gio/gfile.c
+index 24b136d80..74b58047c 100644
+--- a/gio/gfile.c
++++ b/gio/gfile.c
+@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source,
+ out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+ FALSE, NULL,
+ flags & G_FILE_COPY_BACKUP,
+- G_FILE_CREATE_REPLACE_DESTINATION,
+- info,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE, info,
+ cancellable, error);
+ else
+ out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+- FALSE, 0, info,
++ FALSE, G_FILE_CREATE_PRIVATE, info,
+ cancellable, error);
+ }
+ else if (flags & G_FILE_COPY_OVERWRITE)
+@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source,
+ out = (GOutputStream *)g_file_replace (destination,
+ NULL,
+ flags & G_FILE_COPY_BACKUP,
+- G_FILE_CREATE_REPLACE_DESTINATION,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE,
+ cancellable, error);
+ }
+ else
+ {
+- out = (GOutputStream *)g_file_create (destination, 0, cancellable, error);
++ out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error);
+ }
+
+ if (!out)
+--
+2.17.1
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb
index f4ade09..8b22bda 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://0001-Do-not-write-bindir-into-pkg-config-files.patch \
file://0001-meson.build-do-not-hardcode-linux-as-the-host-system.patch \
file://0001-meson-do-a-build-time-check-for-strlcpy-before-attem.patch \
+ file://CVE-2019-12450.patch \
file://glib-meson.cross \
"
--
2.7.4
^ permalink raw reply related [flat|nested] 2+ messages in thread
* ✗ patchtest: failure for glib-2.0: Fix CVE-2019-12450
2019-06-19 21:16 [PATCH 1/1] glib-2.0: Fix CVE-2019-12450 Joe Slater
@ 2019-06-19 21:30 ` Patchwork
0 siblings, 0 replies; 2+ messages in thread
From: Patchwork @ 2019-06-19 21:30 UTC (permalink / raw)
To: Slater, Joseph; +Cc: openembedded-core
== Series Details ==
Series: glib-2.0: Fix CVE-2019-12450
Revision: 1
URL : https://patchwork.openembedded.org/series/18255/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue Series does not apply on top of target branch [test_series_merge_on_head]
Suggested fix Rebase your series on top of targeted branch
Targeted branch master (currently at 2106a56782)
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-06-19 21:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-06-19 21:16 [PATCH 1/1] glib-2.0: Fix CVE-2019-12450 Joe Slater
2019-06-19 21:30 ` ✗ patchtest: failure for " Patchwork
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox