Bug#931234: glib2.0: CVE-2019-13012: keyfile settings backend: Consider tightening permissions

Simon McVittie smcv at debian.org
Tue Jul 30 11:21:09 BST 2019

On Sat, 27 Jul 2019 at 14:13:34 +0200, Salvatore Bonaccorso wrote:
> On Sat, Jul 27, 2019 at 11:37:48AM +0100, Simon McVittie wrote:
> > Security team: for stable, bearing those mitigations in mind, do you
> > want to do a DSA or is this point-release material?
> I think this can safely go via a point release then. Are you planning
> to do both the buster and stretch one? If as well the later, there
> seem some other CVEs which previously were marked no-dsa for stretch.
> If you think any of those might be sensible to include as well then
> please feel free to include those as well.

I don't have any local stretch machines any more except for test VMs,
so I can't do a whole lot of testing for stretch point releases. As a
result I'm only preparing a buster version at the moment.

If I do a stretch version later, then I'll look at whether the other
no-dsa CVEs are unintrusive enough to fix.

Simple reproducer for this one attached (requires python3-gi and

-------------- next part --------------

import os
import subprocess
import tempfile
import time

with tempfile.TemporaryDirectory() as tmp:
    os.chmod(tmp, 0o755)
    d = os.path.join(tmp, 'config')
    f = os.path.join(d, 'test.cfg')

    from gi.repository import Gio

    backend = Gio.keyfile_settings_backend_new(f, '/', 'root')
    settings = Gio.Settings.new_with_backend('org.gnome.desktop.background', backend)
    settings.set_int('picture-opacity', 42)

    subprocess.call(['find', tmp, '-ls'])

    assert os.path.exists(d)
    assert (os.stat(d).st_mode & 0o7777) == 0o700, os.stat(d)
    assert os.path.exists(f)
    assert (os.stat(f).st_mode & 0o7777) == 0o600, os.stat(f)

More information about the pkg-gnome-maintainers mailing list