Bug 1137001 - (CVE-2019-12450) VUL-0: CVE-2019-12450: glib2: file_copy_fallback in gio/gfile.c does not properly restrict file permissions while a copy operation is in progress
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other OS: Other
Priority: P3 - Medium Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/233990/
CVSSv2:NVD:CVE-2019-12450:7.5:(AV:N/A...
Depends on:
Blocks:
Reported: 2019-05-31 15:08 UTC by Alexandros Toptsoglou
Modified: 2019-09-04 05:56 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2019-05-31 15:08:46 UTC
CVE-2019-12450

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not
properly restrict file permissions while a copy operation is in progress.
Instead, default permissions are used.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450
https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
Comment 1 Alexandros Toptsoglou 2019-05-31 16:10:16 UTC
All codestreams except for SLE10-SP3 tracked as affected. Fix is available at [1] 

[1] https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
Comment 2 Alexandros Toptsoglou 2019-05-31 16:12:06 UTC
More information: 

too lax permissions while copy is in progress
file_copy_fallback creates the destination file with default umask,
copies the data, and only then sets up the correct owner, group and
mode. So files may be accessible to other users while the copy is
happening. In the 4 different program paths that create the destination
file (calls to _g_local_file_output_stream_replace,
_g_local_file_output_stream_create, g_file_replace, g_file_create),
none specify G_FILE_CREATE_PRIVATE. The first two at least copy the
mode from the source file, but that still results in too lax file
permissions when the program has different credentials than the source
file, e.g.:

A user with uid:gid=foo:staff starts a copy of a file with mode 0660
and owned by foo:privileged to a network mount. During the copy, everybody
in the 'staff' group gets access to the file instead of only people in
the 'privileged' group.
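The create-then-chmod ordering described in this comment, shown as an added example in plain POSIX C rather than GLib's own gfile.c code: the destination is created either with the default mode filtered by the umask (the vulnerable path) or with 0600 (the effect of G_FILE_CREATE_PRIVATE), the final mode is applied only after the data is written, and a mode snapshot taken mid-copy shows what other users could see in the meantime. The /tmp paths, the 0660 final mode and the sample data are constructed for the demonstration; the function names are this example's own.

```c
#define _XOPEN_SOURCE 700          /* mkstemp, fchmod, umask */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 on error. */
static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Copy src to dst, applying final_mode only after all data is written, as the
 * fallback does. use_private = 0 creates dst as 0666 filtered by the umask (the
 * vulnerable ordering); 1 creates it 0600 from the first instant, the effect of
 * G_FILE_CREATE_PRIVATE. Returns dst's mode as observed mid-copy, or -1 on error. */
int copy_with_window(const char *src, const char *dst, int use_private, mode_t final_mode)
{
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, use_private ? 0600 : 0666);
    if (out < 0) { close(in); return -1; }
    int window = mode_of(dst);               /* what other users can see right now */
    char buf[4096]; ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) window = -1;
    if (n < 0 || fchmod(out, final_mode) != 0) window = -1;  /* mode set last */
    close(in); close(out);
    return window;
}

/* Self-contained run: constructed source file under /tmp, the given umask, a copy
 * to <src>.copy with final mode 0660, then cleanup. Returns the mid-copy mode, or
 * the finished file's mode when want_final is non-zero; -1 on error. */
int demo_mode(int use_private, mode_t mask, int want_final)
{
    char src[] = "/tmp/cve-2019-12450-XXXXXX", dst[64];
    int fd = mkstemp(src); if (fd < 0) return -1;
    ssize_t w = write(fd, "constructed sample data\n", 24);
    close(fd);
    snprintf(dst, sizeof dst, "%s.copy", src);
    mode_t old = umask(mask);
    int window = w == 24 ? copy_with_window(src, dst, use_private, 0660) : -1;
    umask(old);
    int final_mode = mode_of(dst);
    unlink(src); unlink(dst);
    return want_final ? final_mode : window;
}
```

With a typical umask of 022 the vulnerable ordering leaves the destination world-readable (0644) until the copy completes, while the private ordering never exposes more than 0600; both end at the intended 0660.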
Comment 6 Swamp Workflow Management 2019-06-21 13:26:05 UTC
SUSE-SU-2019:1594-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1103678,1137001
CVE References: CVE-2019-12450
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    glib2-2.54.3-4.15.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    glib2-2.54.3-4.15.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    glib2-2.54.3-4.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    glib2-2.54.3-4.15.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    glib2-2.54.3-4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-06-21 13:50:53 UTC
SUSE-SU-2019:1596-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1107116,1107121,1111499,1137001
CVE References: CVE-2018-16428,CVE-2018-16429,CVE-2019-12450
Sources used:
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    glib2-2.38.2-7.9.2
SUSE Linux Enterprise Server 12-LTSS (src):    glib2-2.38.2-7.9.2

Comment 8 Swamp Workflow Management 2019-06-24 13:26:07 UTC
SUSE-SU-2019:14102-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1137001
CVE References: CVE-2019-12450
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    glib2-2.22.5-0.8.39.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    glib2-2.22.5-0.8.39.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    glib2-2.22.5-0.8.39.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    glib2-2.22.5-0.8.39.1

Comment 9 Swamp Workflow Management 2019-06-27 10:24:52 UTC
openSUSE-SU-2019:1650-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1103678,1137001
CVE References: CVE-2019-12450
Sources used:
openSUSE Leap 15.0 (src):    glib2-2.54.3-lp150.3.10.1
Comment 10 Swamp Workflow Management 2019-07-02 13:15:00 UTC
SUSE-SU-2019:1722-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1061599,1107116,1107121,1137001
CVE References: CVE-2018-16428,CVE-2018-16429,CVE-2019-12450
Sources used:
SUSE OpenStack Cloud 7 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Server 12-SP5 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Server 12-SP4 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Server 12-SP3 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Desktop 12-SP5 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    glib2-2.48.2-12.12.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    glib2-2.48.2-12.12.2
SUSE Enterprise Storage 4 (src):    glib2-2.48.2-12.12.2
SUSE CaaS Platform 3.0 (src):    glib2-2.48.2-12.12.2
OpenStack Cloud Magnum Orchestration 7 (src):    glib2-2.48.2-12.12.2

Comment 11 Marcus Meissner 2019-09-04 05:56:28 UTC
released