Bug#931234: glib2.0: CVE-2019-13012: keyfile settings backend: Consider tightening permissions

Salvatore Bonaccorso carnil at debian.org
Sat Jul 27 13:13:34 BST 2019


Hi Simon,

On Sat, Jul 27, 2019 at 11:37:48AM +0100, Simon McVittie wrote:
> Version: 2.60.0-1
> 
> On Fri, 28 Jun 2019 at 19:41:46 +0200, Salvatore Bonaccorso wrote:
> > Please adjust the affected versions in the BTS as needed.
> 
> This was already fixed in unstable. I'm fixing the FTBFS now so that the
> fixed version can migrate to testing.

Yep, it was already marked as such in the BTS as well, but for the
security-tracker itself we also track the first entry into unstable.
I have just updated the information there, thank you for the heads up.

> Mitigations:
> 
> * The keyfile settings backend was added in 2.25.x, but would not
>   be automatically used via the GSettings extension point until 2.59.1,
>   so it would only be used by apps that explicitly use it. There are a few
>   such apps but they are a minority:
>   https://codesearch.debian.net/search?q=g_keyfile_settings_backend_new&perpkg=1
>   Tracker is probably the most interesting/dangerous/widely installed.
> 
> * If some other software, such as dconf, has already created the
>   freedesktop.org per-user configuration directory ($XDG_CONFIG_HOME or
>   ~/.config), then it will usually have the 0700 permissions required
>   by the freedesktop.org Base Directory spec, preventing other users
>   from accessing the settings.
> 
> * I think the umask is respected, so the vulnerability report says 0777
>   but in practice the permissions will usually be 0755 or 0750.
> 
> Security team: for stable, bearing those mitigations in mind, do you
> want to do a DSA or is this point-release material?

I think this can safely go via a point release then. Are you planning
to do both the buster and stretch ones? If the latter as well, there
seem to be some other CVEs which were previously marked no-dsa for
stretch. If you think any of those might be sensible to include as
well, then please feel free to include those too.

> > The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.59.1
> > [has this vulnerability]
> 
> FYI, this is misleading: 2.59.1, 2.59.2 and 2.59.3 appear to have been
> vulnerable too, and 2.60.0 was the first fixed upstream version (but
> nobody should use 2.59.x without planning to upgrade to 2.60.0 anyway,
> because GNOME has an odd/even unstable/stable branching model).

Yes, right, the above was just what comes directly from the MITRE
description and should always be taken only as a reference, not as
absolute (sometimes the description only matches a specific
understanding fixed at a point in time and needs revisiting later,
etc.).

I filed a request via the cveform to please update the description.

Regards,
Salvatore
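The mitigations quoted above turn on two facts: whether the per-user configuration directory already carries the 0700 mode the Base Directory spec expects, and what the process umask turns a requested 0777 into. The POSIX shell script below is an added example for checking both on a host; it is not part of this thread or of GLib. It audits $XDG_CONFIG_HOME (falling back to ~/.config) and, as an assumption not stated in the thread, the keyfile backend's default subdirectory glib-2.0/settings beneath it; it also shows the umask arithmetic both symbolically and by creating a probe directory.

```shell
#!/bin/sh
# Added example (not from the bug report or GLib): audit the per-user config
# directory that the keyfile settings backend writes under, and show how the
# umask shapes the mode of a directory requested with 0777.

# effective_mode REQUESTED UMASK: the mode a mkdir() requesting REQUESTED
# yields under UMASK. Both arguments are octal strings; output is 4-digit octal.
effective_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# dir_mode DIR: print the permission bits of DIR in octal
# (GNU stat first, BSD/macOS stat as fallback).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# others_can_access MODE: succeed (exit 0) when any group or other bit is set,
# i.e. the directory does not have the 0700 mode the XDG spec calls for.
others_can_access() {
    [ $(( 0$1 & 0077 )) -ne 0 ]
}

# mode_after_mkdir UMASK: create a throwaway directory under UMASK and report
# the mode the kernel actually assigned (mkdir requests 0777 by default).
mode_after_mkdir() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && mkdir "$tmp/probe" ) || return 1
    dir_mode "$tmp/probe"
    rm -rf "$tmp"
}

# check_config_dir: report on $XDG_CONFIG_HOME (default ~/.config) and, as an
# assumed default location, the keyfile backend's glib-2.0/settings directory.
check_config_dir() {
    base="${XDG_CONFIG_HOME:-$HOME/.config}"
    for d in "$base" "$base/glib-2.0/settings"; do
        [ -d "$d" ] || continue
        m=$(dir_mode "$d")
        if others_can_access "$m"; then
            echo "WARN: $d has mode $m; other users can reach it (expected 0700)"
        else
            echo "OK:   $d has mode $m"
        fi
    done
}

# Show the arithmetic behind "the report says 0777 but you usually see 0755/0750".
for u in 022 027 077; do
    echo "umask $u: requested 0777 becomes $(effective_mode 0777 "$u")"
done

check_config_dir
```

Run it as the user whose settings you are worried about; a WARN line on the base directory means the 0700 mitigation described above is not in effect for that account, regardless of what the umask did to the backend's own subdirectory.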


