CVE-2019-12450: glib2: file_copy_fallback does not restrict file permissions

Bug #1902995 reported by Ghada Khalil
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Michel Thebeau [WIND]
Milestone: none set

Bug Description

CVE-2019-12450: glib2: file_copy_fallback does not restrict file permissions
CVSSv2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Description:
file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12450
https://access.redhat.com/errata/RHSA-2020:3978
https://lists.centos.org/pipermail/centos-cr-announce/2020-October/012712.html

Required package version:
glib2-2.56.1-7.el7
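The description above is easy to misread as a permissions bug on the finished file. It is not: the copy ends with the right mode, but during the copy the destination exists with whatever the creation mode and umask allow. The program below is an added illustration written for this page (not GLib's file_copy_fallback and not the StarlingX change) that reduces the pattern to plain POSIX calls and records the destination's mode from inside the copy window. The vulnerable variant creates the file with 0666 filtered by a 022 umask, so a 0600 source is briefly world-readable as 0644; the fixed variant creates it 0600 up front, which is the effect of the G_FILE_CREATE_PRIVATE flag the upstream GLib fix uses (a detail taken from upstream, not from this page). The temporary directory name, file names and "secret" contents are constructed for the example.

```c
/* Added example, not GLib's code: the permission window behind CVE-2019-12450
 * reduced to plain POSIX calls. The destination is created, the data is written,
 * and only then is the source's mode applied; the vulnerable and fixed variants
 * differ only in the mode used at creation time. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct copy_modes {
    mode_t during; /* destination permission bits while data is still being written */
    mode_t after;  /* destination permission bits once the copy has completed */
};

/* Copy src to dst. private_create == 0 creates the destination with 0666 filtered
 * by the umask (the behaviour the CVE describes); private_create != 0 creates it
 * 0600, which is what G_FILE_CREATE_PRIVATE requests in the upstream fix.
 * *during receives the destination's mode before the final fchmod(). */
static int copy_file(const char *src, const char *dst, int private_create, mode_t *during)
{
    struct stat st, mid;
    char buf[8192];
    ssize_t n;
    int in = -1, out = -1, rc = -1;

    if ((in = open(src, O_RDONLY)) < 0)
        return -1;
    if (fstat(in, &st) < 0)
        goto out_in;
    if ((out = open(dst, O_WRONLY | O_CREAT | O_EXCL, private_create ? 0600 : 0666)) < 0)
        goto out_in;

    /* The race window: the file exists, readable by whoever the creation mode
     * admits, while the secret contents are still being written into it. */
    if (fstat(out, &mid) < 0)
        goto out_both;
    *during = mid.st_mode & 0777;

    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0)
                goto out_both;
            off += w;
        }
    }
    if (n < 0)
        goto out_both;
    /* Both variants apply the source's permissions only once the data is in place. */
    if (fchmod(out, st.st_mode & 0777) == 0)
        rc = 0;
out_both:
    close(out);
out_in:
    close(in);
    return rc;
}

/* Copy a 0600 "secret" under the common 022 umask and report the destination's
 * mode during and after the copy. The directory name and file contents are
 * constructed for this example. Both fields are (mode_t)-1 on failure. */
struct copy_modes demo_copy_modes(int private_create)
{
    struct copy_modes m = { (mode_t)-1, (mode_t)-1 };
    const char *secret = "constructed secret payload\n";
    char dir[64], src[96], dst[96];
    struct stat st;
    mode_t old_umask;
    int fd;

    snprintf(dir, sizeof dir, "/tmp/cve-2019-12450-%ld-%d", (long)getpid(), private_create);
    snprintf(src, sizeof src, "%s/secret", dir);
    snprintf(dst, sizeof dst, "%s/copy", dir);
    if (mkdir(dir, 0700) < 0)
        return m;
    if ((fd = open(src, O_WRONLY | O_CREAT | O_EXCL, 0600)) >= 0) {
        ssize_t len = (ssize_t)strlen(secret);
        int written = write(fd, secret, (size_t)len) == len;
        close(fd);
        if (written) {
            old_umask = umask(022); /* 0666 & ~022 == 0644 for the vulnerable variant */
            if (copy_file(src, dst, private_create, &m.during) == 0 && stat(dst, &st) == 0)
                m.after = st.st_mode & 0777;
            else
                m.during = (mode_t)-1;
            umask(old_umask);
        }
    }
    unlink(src);
    unlink(dst);
    rmdir(dir);
    return m;
}

int main(void)
{
    struct copy_modes v = demo_copy_modes(0), f = demo_copy_modes(1);
    printf("vulnerable: 0%o during copy, 0%o after\n", (unsigned)v.during, (unsigned)v.after);
    printf("fixed:      0%o during copy, 0%o after\n", (unsigned)f.during, (unsigned)f.after);
    return 0;
}
```

Because the post-copy fchmod() is identical in both variants, inspecting the destination after the copy has finished shows nothing wrong; the defect is only visible inside the window, which is why the mode is recorded from within copy_file rather than by a scan afterwards. The same reasoning applies when verifying a patched glib2: checking the final mode of a copied file proves nothing, and the package version (glib2-2.56.1-7.el7 or later, per the description above) is the practical check.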


Revision history for this message
Ghada Khalil (gkhalil) wrote :

Applicable to stx master (aka stx.5.0) as well as stx.4.0.
The process is to address the CVE in stx master first and then cherry-pick to the appropriate release branches after some soak time.

tags: added: stx.4.0 stx.5.0 stx.security
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Michel Thebeau [WIND] (mthebeau)
importance: Medium → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/761682

Changed in starlingx:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/761684

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tools (master)

Change abandoned by Michel Thebeau (WIND) (<email address hidden>) on branch: master
Review: https://review.opendev.org/761684

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Michel Thebeau (WIND) (<email address hidden>) on branch: master
Review: https://review.opendev.org/761682

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/761688

Revision history for this message
Michel Thebeau [WIND] (mthebeau) wrote :

Reviewed: https://review.opendev.org/c/starlingx/tools/+/761688/
Committed: https://opendev.org/starlingx/tools/commit/5da494a63175c6c871967d386803a90b71eb00cd
Submitter: Zuul
Branch: master

commit 5da494a63175c6c871967d386803a90b71eb00cd
Author: Michel Thebeau <email address hidden>
Date: Mon Nov 2 16:03:54 2020 -0500

    glib2: CVE-2019-12450: fix file_copy_fallback

    Fix file_copy_fallback does not restrict file permissions.

    Fix is provided by CentOS RPMs:
    glib2-2.56.1-7.el7.x86_64.rpm
    glib2-devel-2.56.1-7.el7.x86_64.rpm
    glib2-doc-2.56.1-7.el7.noarch.rpm

    Test:
    Build. Deploy AIO-SX. Run reproducer.

    Closes-Bug: 1902995
    Change-Id: Ie1545c462f27b38737071a1e211164a8e0b3a0d0
    Signed-off-by: Michel Thebeau <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Revision history for this message
Michel Thebeau [WIND] (mthebeau) wrote :

Fix proposed to branch: r/stx.4.0
Review: https://review.opendev.org/c/starlingx/tools/+/764315

Revision history for this message
Michel Thebeau [WIND] (mthebeau) wrote :

Reviewed: https://review.opendev.org/c/starlingx/tools/+/764315
Committed: https://review.opendev.org/plugins/gitiles/starlingx/tools/+/a89ed2d8e3af79590a6480c977cad6e14d600120
Submitter: Zuul
Branch: r/stx.4.0

commit a89ed2d8e3af79590a6480c977cad6e14d600120
Author: Michel Thebeau <email address hidden>
Date: Mon Nov 2 16:03:54 2020 -0500

    glib2: CVE-2019-12450: fix file_copy_fallback

    Fix file_copy_fallback does not restrict file permissions.

    Fix is provided by CentOS RPMs:
    glib2-2.56.1-7.el7.x86_64.rpm
    glib2-devel-2.56.1-7.el7.x86_64.rpm
    glib2-doc-2.56.1-7.el7.noarch.rpm

    Test:
    Build. Deploy AIO-SX. Run reproducer.

    Closes-Bug: 1902995
    Change-Id: Ie1545c462f27b38737071a1e211164a8e0b3a0d0
    Signed-off-by: Michel Thebeau <email address hidden>
    (cherry picked from commit 5da494a63175c6c871967d386803a90b71eb00cd)

This report contains Public Security information. Everyone can see this security related information.