CVE-2019-13012

Published: 28 June 2019

The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.
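The permission effect described above, as an added example that is not GLib code: a POSIX sketch showing that a directory requested with 0777 ends up with whatever the process umask leaves, while a directory requested with 0700 stays private under any umask. The helper names, the scratch path under /tmp and the 0700 comparison mode are assumptions made for this demo.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a directory requesting `requested` while the process umask is `mask`;
 * return the permission bits it actually received, or -1 on error. */
static int mode_after_mkdir(mode_t requested, mode_t mask)
{
    char base[64], dir[96];
    struct stat st;
    int result = -1;

    /* Constructed scratch path. mkdir() fails if the name already exists,
     * so a pre-planted directory or symlink is never reused. */
    snprintf(base, sizeof base, "/tmp/kfsb-demo-%ld", (long)getpid());
    if (mkdir(base, 0700) != 0)
        return -1;
    snprintf(dir, sizeof dir, "%s/settings", base);

    mode_t old = umask(mask);              /* umask only ever removes bits */
    if (mkdir(dir, requested) == 0 && stat(dir, &st) == 0)
        result = (int)(st.st_mode & 0777);
    umask(old);

    rmdir(dir);
    rmdir(base);
    return result;
}

/* Audit predicate: non-zero when group or other has any access bit. */
static int exposed_to_others(int mode)
{
    return mode >= 0 && (mode & 077) != 0;
}

int main(void)
{
    const mode_t masks[] = { 0000, 0002, 0022, 0077 };
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        int loose = mode_after_mkdir(0777, masks[i]);
        int tight = mode_after_mkdir(0700, masks[i]);
        printf("umask %04o: request 0777 -> %04o (%s), request 0700 -> %04o (%s)\n",
               (unsigned)masks[i],
               (unsigned)loose, exposed_to_others(loose) ? "exposed" : "private",
               (unsigned)tight, exposed_to_others(tight) ? "exposed" : "private");
    }
    return 0;
}
```

The same `(mode & 077) != 0` check can be applied to the `st_mode` of an existing settings directory when auditing a system that ran an unpatched version.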

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: glib2.0 (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (2.56.4-0ubuntu0.18.04.4)
cosmic     Released (2.58.1-2ubuntu0.2)
disco      Not vulnerable (2.60.4-0ubuntu0.19.04.1)
precise    Released (2.32.4-0ubuntu1.4)
trusty     Released (2.40.2-0ubuntu1.1+esm3)
upstream   Released (2.59.1)
xenial     Released (2.48.2-0ubuntu4.4)

Patches:
upstream: https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429
upstream: https://gitlab.gnome.org/GNOME/glib/commit/54317c9118bfffa4e9390945f88e63addc1cb69c