Bug#931234: glib2.0: CVE-2019-13012: keyfile settings backend: Consider tightening permissions
Simon McVittie
smcv at debian.org
Tue Jul 30 11:21:09 BST 2019
On Sat, 27 Jul 2019 at 14:13:34 +0200, Salvatore Bonaccorso wrote:
> On Sat, Jul 27, 2019 at 11:37:48AM +0100, Simon McVittie wrote:
> > Security team: for stable, bearing those mitigations in mind, do you
> > want to do a DSA or is this point-release material?
>
> I think this can safely go via a point release then. Are you planning
> to do both the buster and stretch ones? If the latter as well, there
> seem to be some other CVEs which were previously marked no-dsa for stretch.
> If you think any of those might be sensible to include as well then
> please feel free to include those as well.
I don't have any local stretch machines any more except for test VMs,
so I can't do a whole lot of testing for stretch point releases. As a
result I'm only preparing a buster version at the moment.
If I do a stretch version later, then I'll look at whether the other
no-dsa CVEs are unintrusive enough to fix.
Simple reproducer for this one attached (requires python3-gi and
gsettings-desktop-schemas).
smcv
-------------- next part --------------
#!/usr/bin/python3
import os
import subprocess
import tempfile
import time

from gi.repository import Gio

with tempfile.TemporaryDirectory() as tmp:
    # Make the parent traversable and set a permissive umask, so that any
    # tightening observed below comes from the backend itself, not from the
    # environment it inherits.
    os.chmod(tmp, 0o755)
    os.umask(0o002)
    d = os.path.join(tmp, 'config')
    f = os.path.join(d, 'test.cfg')

    # Point a keyfile settings backend at a file in a not-yet-existing
    # directory and write one key, which creates both the directory and the file.
    backend = Gio.keyfile_settings_backend_new(f, '/', 'root')
    settings = Gio.Settings.new_with_backend('org.gnome.desktop.background', backend)
    settings.set_int('picture-opacity', 42)

    # Show what was created and with which modes.
    subprocess.call(['find', tmp, '-ls'])

    # With the fix, the backend creates the directory 0700 and the keyfile 0600
    # regardless of the umask; an unfixed GLib fails these assertions.
    assert os.path.exists(d)
    assert (os.stat(d).st_mode & 0o7777) == 0o700, os.stat(d)
    assert os.path.exists(f)
    assert (os.stat(f).st_mode & 0o7777) == 0o600, os.stat(f)
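Added here as an illustration, not part of the mail above or of GLib itself: an audit script for keyfile-backend data already on disk, which reports (and can tighten) any directory or keyfile readable by group or other, using the 0700/0600 modes the reproducer expects after the fix. It assumes the backend's default location under ~/.config/glib-2.0/settings; demo() builds a constructed tree with loose modes rather than touching real settings.

```python
import os
import stat
import tempfile

DIR_MODE = 0o700   # mode the fixed backend uses for the settings directory
FILE_MODE = 0o600  # mode the fixed backend uses for the keyfile itself


def audit_keyfile_perms(root):
    """Return [(path, actual_mode, expected_mode)] for entries readable by others."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        candidates = [(dirpath, DIR_MODE)]
        candidates += [(os.path.join(dirpath, n), FILE_MODE) for n in filenames]
        for path, expected in candidates:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # never chmod through a symlink; audit only real entries
            actual = stat.S_IMODE(st.st_mode)
            if actual & 0o077:  # any group/other permission bit set
                findings.append((path, actual, expected))
    return findings


def tighten_keyfile_perms(root):
    """Chmod every finding to its expected mode; return the number of paths fixed."""
    findings = audit_keyfile_perms(root)
    for path, _actual, expected in findings:
        os.chmod(path, expected)
    return len(findings)


def demo():
    """Constructed fixture: a loose settings tree, audited, tightened, re-audited."""
    with tempfile.TemporaryDirectory() as tmp:  # tmp itself is created 0700
        d = os.path.join(tmp, 'settings')
        os.mkdir(d)
        os.chmod(d, 0o755)                      # constructed loose directory mode
        f = os.path.join(d, 'keyfile')
        open(f, 'w').close()
        os.chmod(f, 0o644)                      # constructed loose file mode
        before = audit_keyfile_perms(tmp)
        fixed = tighten_keyfile_perms(tmp)
        after = audit_keyfile_perms(tmp)
        return len(before), fixed, len(after)


if __name__ == '__main__':
    print(demo())  # (2, 2, 0)
```

Run audit_keyfile_perms() against the real settings directory first and only call tighten_keyfile_perms() once the findings look as expected.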