CVE-2019-13012

Published: 28 June 2019

The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.
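An added illustration, not GLib's code or part of this advisory: plain POSIX mkdir()/open() stand in for the GLib calls to show that a 0777 or 0666 request leaves the resulting access entirely to the process umask, while an explicit owner-only request stays private. The scratch path, the function names, the 0700/0600 values and the reading of "default file permissions" as 0666 are assumptions of this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a directory (is_dir=1) or file (is_dir=0) with the `requested` mode
 * while the process umask is `mask`; return the permission bits it actually
 * received, or -1 on error. Works in a constructed scratch dir under /tmp. */
int mode_after_create(int is_dir, mode_t requested, mode_t mask)
{
    char base[] = "/tmp/kfsb-demo-XXXXXX";   /* hypothetical scratch location */
    char path[64];
    struct stat st;
    int fd = -1, ok, result = -1;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/entry", base);

    mode_t old = umask(mask);                /* only the creation runs under `mask` */
    if (is_dir)
        ok = mkdir(path, requested) == 0;
    else
        ok = (fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested)) >= 0;
    umask(old);

    if (ok && stat(path, &st) == 0)
        result = (int)(st.st_mode & 0777);
    if (fd >= 0)
        close(fd);
    if (is_dir) rmdir(path); else unlink(path);
    rmdir(base);
    return result;
}

/* Non-zero when group or other users hold any permission bit. */
int exposed_to_others(int mode) { return (mode & 077) != 0; }

int main(void)
{
    const mode_t masks[] = { 0000, 0002, 0022, 0077 };
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++)
        printf("umask %03o: dir 0777->%03o  dir 0700->%03o  "
               "file 0666->%03o  file 0600->%03o\n", (unsigned)masks[i],
               mode_after_create(1, 0777, masks[i]),
               mode_after_create(1, 0700, masks[i]),
               mode_after_create(0, 0666, masks[i]),
               mode_after_create(0, 0600, masks[i]));
    return 0;
}
```

Only the rows for a restrictive umask such as 077 keep the permissive requests private; the owner-only requests are private under every umask.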

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: glib2.0 (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (2.59.1)
Ubuntu 18.04 LTS (Bionic Beaver): Released (2.56.4-0ubuntu0.18.04.4)
Ubuntu 16.04 LTS (Xenial Xerus): Released (2.48.2-0ubuntu4.4)
Ubuntu 14.04 ESM (Trusty Tahr): Released (2.40.2-0ubuntu1.1+esm3)

Patches:
Upstream: https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429
Upstream: https://gitlab.gnome.org/GNOME/glib/commit/54317c9118bfffa4e9390945f88e63addc1cb69c