Bug#933877: glib2.0: Suspected memory leak in jessie-lts backport of fix for CVE-2019-13012

mike.gabriel at das-netzwerkteam.de mike.gabriel at das-netzwerkteam.de
Mon Aug 5 08:25:32 BST 2019


Hi Simon,

On Sunday, 4 August 2019, Simon McVittie wrote:
> Source: glib2.0
> Version: 2.42.1-1+deb8u2
> Severity: normal
> Tags: jessie
> 
> (This is only from source code inspection, not tested in real use -
> I don't use jessie any more.)
> 
> While looking into a possible stretch update for CVE-2018-16429,
> CVE-2019-12450, CVE-2018-16428 and CVE-2019-13012, I compared my backports
> of the fixes for those vulnerabilities with the ones in jessie-lts to try
> to double-check that I had done them right.
> 
> The upstream fix for CVE-2019-13012 included this change:
> 
> - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
> + g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
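Review bot: the + line discards the return value of g_mkdir_with_parents(), so a failure to create the directory with mode 0700 goes unnoticed at this call. g_mkdir_with_parents() returns -1 and sets errno on error; check for that here and report it, for example with g_warning().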
> 
> However, g_file_peek_path() was only introduced in GLib 2.56, so that
> won't work for stretch or jessie. The backport in the jessie-lts package
> has this instead:
> 
> - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
> + g_mkdir_with_parents (g_file_get_path (kfsb->dir), 0700);
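Review bot: on the + line the string returned by g_file_get_path() is passed straight into g_mkdir_with_parents() and no pointer to it is kept, so it can never be freed. Unlike g_file_peek_path(), g_file_get_path() returns a newly allocated copy that the caller owns; store it in a local variable and g_free() it after the call.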
> 
> This is not equivalent. The difference between g_file_peek_path() and the
> older g_file_get_path() is that g_file_get_path() makes a copy, which must
> be freed with g_free() after use. As a result, there is now a memory leak.
> 
> A non-leaky backport would look something like this, which is what I've
> done in a proposed backport for Debian 9 'stretch' at
> <https://salsa.debian.org/gnome-team/glib/merge_requests/7>:
> 
> + char *dir;
> ...
> - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
> + dir = g_file_get_path (kfsb->dir);
> + g_mkdir_with_parents (dir, 0700);
> + g_free (dir);
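Review bot: dir is passed to g_mkdir_with_parents() without a NULL check, and g_file_get_path() returns NULL when the GFile has no local path. g_free (dir) is safe with NULL, but the mkdir call then fails with its return value dropped; guard the call with "if (dir != NULL)" or warn when g_mkdir_with_parents() returns -1.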
> 
> The Ubuntu xenial update appears to have the same bug:
> https://bugs.launchpad.net/ubuntu/+source/glib2.0/+bug/1838890
> 
> Regards,
>     smcv
>

Thanks for letting us (LTS team) know. Will provide a fix tonight for LTS/ELTS.

Mike

-- 
Sent from my Fairphone2 (powered by Sailfish OS).

