Security update for glib2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1749-1 Final 1 1 2019-07-20T06:24:56Z current 2019-07-20T06:24:56Z 2019-07-20T06:24:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for glib2 This update for glib2 fixes the following issues: Security issue fixed: - CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1749 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/P4Q5FLIIIASUFXCZVQ2FQXKTP5CESIVQ/#P4Q5FLIIIASUFXCZVQ2FQXKTP5CESIVQ E-Mail link for openSUSE-SU-2019:1749-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1139959 SUSE Bug 1139959 https://www.suse.com/security/cve/CVE-2019-13012/ SUSE CVE CVE-2019-13012 page openSUSE Leap 15.0 gio-branding-upstream-2.54.3-lp150.3.13.1 glib2-devel-2.54.3-lp150.3.13.1 glib2-devel-32bit-2.54.3-lp150.3.13.1 glib2-devel-static-2.54.3-lp150.3.13.1 glib2-lang-2.54.3-lp150.3.13.1 glib2-tools-2.54.3-lp150.3.13.1 glib2-tools-32bit-2.54.3-lp150.3.13.1 libgio-2_0-0-2.54.3-lp150.3.13.1 libgio-2_0-0-32bit-2.54.3-lp150.3.13.1 libgio-fam-2.54.3-lp150.3.13.1 libgio-fam-32bit-2.54.3-lp150.3.13.1 libglib-2_0-0-2.54.3-lp150.3.13.1 libglib-2_0-0-32bit-2.54.3-lp150.3.13.1 libgmodule-2_0-0-2.54.3-lp150.3.13.1 libgmodule-2_0-0-32bit-2.54.3-lp150.3.13.1 libgobject-2_0-0-2.54.3-lp150.3.13.1 libgobject-2_0-0-32bit-2.54.3-lp150.3.13.1 libgthread-2_0-0-2.54.3-lp150.3.13.1 libgthread-2_0-0-32bit-2.54.3-lp150.3.13.1 gio-branding-upstream-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 glib2-devel-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 glib2-devel-32bit-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 glib2-devel-static-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 glib2-lang-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 glib2-tools-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 glib2-tools-32bit-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 libgio-2_0-0-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 libgio-2_0-0-32bit-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 libgio-fam-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 libgio-fam-32bit-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 libglib-2_0-0-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 libglib-2_0-0-32bit-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 libgmodule-2_0-0-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 libgmodule-2_0-0-32bit-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 libgobject-2_0-0-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 libgobject-2_0-0-32bit-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 libgthread-2_0-0-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 libgthread-2_0-0-32bit-2.54.3-lp150.3.13.1 as a component of openSUSE Leap 15.0 The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450. CVE-2019-13012 openSUSE Leap 15.0:gio-branding-upstream-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:glib2-devel-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:glib2-devel-32bit-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:glib2-devel-static-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:glib2-lang-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:glib2-tools-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:glib2-tools-32bit-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:libgio-2_0-0-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:libgio-2_0-0-32bit-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:libgio-fam-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:libgio-fam-32bit-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:libglib-2_0-0-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:libglib-2_0-0-32bit-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:libgmodule-2_0-0-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:libgmodule-2_0-0-32bit-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:libgobject-2_0-0-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:libgobject-2_0-0-32bit-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:libgthread-2_0-0-2.54.3-lp150.3.13.1 openSUSE Leap 15.0:libgthread-2_0-0-32bit-2.54.3-lp150.3.13.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/P4Q5FLIIIASUFXCZVQ2FQXKTP5CESIVQ/#P4Q5FLIIIASUFXCZVQ2FQXKTP5CESIVQ https://www.suse.com/security/cve/CVE-2019-13012.html CVE-2019-13012 https://bugzilla.suse.com/1139959 SUSE Bug 1139959 https://bugzilla.suse.com/1142126 SUSE Bug 1142126