Bug 1139959 - (CVE-2019-13012) VUL-0: CVE-2019-13012: glib2: improper restriction of file permissions when creating directories
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/235867/
CVSSv3:SUSE:CVE-2019-13012:8.1:(AV:N/...
Reported: 2019-07-01 17:18 UTC by Alexandros Toptsoglou
Modified: 2019-08-17 14:36 UTC
Found By: Security Response Team
Description Alexandros Toptsoglou 2019-07-01 17:18:46 UTC
CVE-2019-13012

The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.59.1 creates
directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and
files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not
properly restrict directory (and file) permissions. Instead, for directories,
0777 permissions are used; for files, default file permissions are used. This is
similar to CVE-2019-12450.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13012
http://www.cvedetails.com/cve/CVE-2019-13012/
https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429
https://gitlab.gnome.org/GNOME/glib/issues/1658
https://gitlab.gnome.org/GNOME/glib/merge_requests/450
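To make the mechanism concrete, here is an added example in plain C; it is not code from this bug, from GLib or from SUSE. It reproduces the two creation patterns with POSIX calls rather than GIO: a directory requested with mode 0777 and a file with the default 0666, which is what the description says the pre-fix keyfile backend does, beside the owner-only 0700/0600 variant. The directory layout, the keyfile contents and the /tmp scratch location are constructed for the demonstration; that g_file_make_directory_with_parents() and g_file_replace_contents() without a private-file flag reduce to mkdir(2) with 0777 and open(2) with 0666 on a local filesystem is an assumption, stated again in the comments.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path (for example 0755), or -1 if it cannot be stat'ed. */
int perm_bits(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* 1 if group or other hold any access bit: the condition the CVE text
 * calls "improper restriction" of the permissions. */
int accessible_by_others(int perm)
{
    return perm >= 0 && (perm & 077) != 0;
}

/* Write a constructed stand-in for the keyfile with the requested creation mode. */
static int write_keyfile(const char *path, int create_mode)
{
    static const char contents[] = "[org/example/app]\ntoken='constructed-secret'\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, create_mode);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, contents, sizeof contents - 1);
    close(fd);
    return n == (ssize_t)(sizeof contents - 1) ? 0 : -1;
}

/* Pre-fix pattern as the description states it: directory asked for with
 * 0777, file with the process default. Assumption: on a local filesystem
 * this is what g_file_make_directory_with_parents() and
 * g_file_replace_contents() without a private-file flag come down to,
 * i.e. mkdir(2) with 0777 and open(2) with 0666, trimmed only by umask. */
int create_settings_weak(const char *dir, const char *file)
{
    if (mkdir(dir, 0777) != 0 && errno != EEXIST)
        return -1;
    return write_keyfile(file, 0666);
}

/* Hardened pattern: owner-only modes requested explicitly, so the result
 * is the same under every umask. */
int create_settings_private(const char *dir, const char *file)
{
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    return write_keyfile(file, 0600);
}

/* Create one variant under the given umask in a fresh temporary tree and
 * return (dir_perm << 12) | file_perm, or -1 on any failure. */
int run_variant(int private_variant, mode_t um)
{
    char base[] = "/tmp/kfsb-demo-XXXXXX";      /* constructed scratch location */
    if (mkdtemp(base) == NULL)
        return -1;
    char dir[64], file[80];
    snprintf(dir, sizeof dir, "%s/settings", base);
    snprintf(file, sizeof file, "%s/keyfile", dir);

    mode_t saved = umask(um);
    int rc = private_variant ? create_settings_private(dir, file)
                             : create_settings_weak(dir, file);
    umask(saved);

    int dperm = perm_bits(dir), fperm = perm_bits(file);
    unlink(file);
    rmdir(dir);
    rmdir(base);
    if (rc != 0 || dperm < 0 || fperm < 0)
        return -1;
    return (dperm << 12) | fperm;
}

int main(void)
{
    mode_t masks[] = { 022, 077 };
    for (size_t i = 0; i < 2; i++) {
        int weak = run_variant(0, masks[i]);
        int priv = run_variant(1, masks[i]);
        printf("umask %03o: pre-fix dir %04o file %04o (shared=%d); "
               "hardened dir %04o file %04o (shared=%d)\n",
               masks[i], weak >> 12, weak & 07777,
               accessible_by_others(weak >> 12) || accessible_by_others(weak & 07777),
               priv >> 12, priv & 07777,
               accessible_by_others(priv >> 12) || accessible_by_others(priv & 07777));
    }
    return 0;
}
```

The point the example makes is that the pre-fix pattern's safety depends entirely on the caller's umask: under 077 it happens to produce 0700/0600, under the common 022 it produces a world-readable 0755 directory and 0644 keyfile, while the hardened variant yields 0700/0600 under either. A package update only changes how new directories and files are created; whether an existing settings tree on a system already carries shared permission bits is something to verify separately, for instance with stat or the perm_bits helper above.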
Comment 2 Alexandros Toptsoglou 2019-07-02 08:30:40 UTC
The fix is contained in versions 2.60 and on. The commit which fixes the issue can be found at [1]. The issue seems to have been introduced with the commit at [2] in version 2.25.10. Based on this, SLE12, SLE12-SP2 and SLE15 are affected.


[1] https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429
[2] https://gitlab.gnome.org/GNOME/glib/commit/65fc931fb9df391a8a7ff8e279820fd2fed04bc0
Comment 7 Swamp Workflow Management 2019-07-12 13:10:57 UTC
SUSE-SU-2019:1824-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1139959
CVE References: CVE-2019-13012
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    glib2-2.38.2-7.12.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    glib2-2.38.2-7.12.1
SUSE Linux Enterprise Server 12-LTSS (src):    glib2-2.38.2-7.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-07-12 19:13:09 UTC
SUSE-SU-2019:1833-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1139959
CVE References: CVE-2019-13012
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    glib2-2.54.3-4.18.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    glib2-2.54.3-4.18.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    glib2-2.54.3-4.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    glib2-2.54.3-4.18.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    glib2-2.54.3-4.18.1

Comment 9 Swamp Workflow Management 2019-07-12 19:14:36 UTC
SUSE-SU-2019:1830-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1139959,1140122
CVE References: CVE-2019-13012
Sources used:
SUSE OpenStack Cloud 8 (src):    glib2-2.48.2-12.15.1
SUSE OpenStack Cloud 7 (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Server 12-SP5 (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Server 12-SP4 (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Desktop 12-SP5 (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    glib2-2.48.2-12.15.1
SUSE Enterprise Storage 5 (src):    glib2-2.48.2-12.15.1
SUSE Enterprise Storage 4 (src):    glib2-2.48.2-12.15.1
SUSE CaaS Platform 3.0 (src):    glib2-2.48.2-12.15.1

Comment 10 Swamp Workflow Management 2019-07-20 10:12:58 UTC
openSUSE-SU-2019:1749-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1139959
CVE References: CVE-2019-13012
Sources used:
openSUSE Leap 15.0 (src):    glib2-2.54.3-lp150.3.13.1
Comment 11 Marcus Meissner 2019-07-26 12:37:55 UTC
done
Comment 12 Swamp Workflow Management 2019-08-16 22:15:05 UTC
SUSE-SU-2019:1830-2: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1139959,1140122
CVE References: CVE-2019-13012
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    glib2-2.48.2-12.15.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    glib2-2.48.2-12.15.1
SUSE Enterprise Storage 5 (src):    glib2-2.48.2-12.15.1
HPE Helion Openstack 8 (src):    glib2-2.48.2-12.15.1
