Added an upstream patch to fix CVE-2019-12450
Change-Id: I596011b0f7c03ceb020d97bcdfd91639b11d5d26
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/7361
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
@@ -0,0 +1,53 @@ |
0 |
+From d8f8f4d637ce43f8699ba94c9b7648beda0ca174 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Ondrej Holy <oholy@redhat.com> |
|
2 |
+Date: Thu, 23 May 2019 10:41:53 +0200 |
|
3 |
+Subject: [PATCH] gfile: Limit access to files when copying |
|
4 |
+ |
|
5 |
+file_copy_fallback creates new files with default permissions and |
|
6 |
+set the correct permissions after the operation is finished. This |
|
7 |
+might cause that the files can be accessible by more users during |
|
8 |
+the operation than expected. Use G_FILE_CREATE_PRIVATE for the new |
|
9 |
+files to limit access to those files. |
|
10 |
+--- |
|
11 |
+ gio/gfile.c | 11 ++++++----- |
|
12 |
+ 1 file changed, 6 insertions(+), 5 deletions(-) |
|
13 |
+ |
|
14 |
+diff --git a/gio/gfile.c b/gio/gfile.c |
|
15 |
+index 24b136d80..74b58047c 100644 |
|
16 |
+--- a/gio/gfile.c |
|
17 |
+@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source, |
|
18 |
+ out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)), |
|
19 |
+ FALSE, NULL, |
|
20 |
+ flags & G_FILE_COPY_BACKUP, |
|
21 |
+- G_FILE_CREATE_REPLACE_DESTINATION, |
|
22 |
+- info, |
|
23 |
++ G_FILE_CREATE_REPLACE_DESTINATION | |
|
24 |
++ G_FILE_CREATE_PRIVATE, info, |
|
25 |
+ cancellable, error); |
|
26 |
+ else |
|
27 |
+ out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)), |
|
28 |
+- FALSE, 0, info, |
|
29 |
++ FALSE, G_FILE_CREATE_PRIVATE, info, |
|
30 |
+ cancellable, error); |
|
31 |
+ } |
|
32 |
+ else if (flags & G_FILE_COPY_OVERWRITE) |
|
33 |
+@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source, |
|
34 |
+ out = (GOutputStream *)g_file_replace (destination, |
|
35 |
+ NULL, |
|
36 |
+ flags & G_FILE_COPY_BACKUP, |
|
37 |
+- G_FILE_CREATE_REPLACE_DESTINATION, |
|
38 |
++ G_FILE_CREATE_REPLACE_DESTINATION | |
|
39 |
++ G_FILE_CREATE_PRIVATE, |
|
40 |
+ cancellable, error); |
|
41 |
+ } |
|
42 |
+ else |
|
43 |
+ { |
|
44 |
+- out = (GOutputStream *)g_file_create (destination, 0, cancellable, error); |
|
45 |
++ out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error); |
|
46 |
+ } |
|
47 |
+ |
|
48 |
+ if (!out) |
|
49 |
+-- |
|
50 |
+2.21.0 |
|
51 |
+ |
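Review bot: The `--- a/gio/gfile.c` header line is not followed by a `+++ b/gio/gfile.c` line before the first `@@`, and the gutter shows 52 lines where the hunk header `@@ -0,0 +1,53 @@` promises 53, so one line of the new patch file is either eaten by this rendering or genuinely missing from the committed file; if it is missing, `patch -p1` will not recognise the unified-diff header and `%prep` will fail or misapply, so verify the file in the repository rather than this page. On the security point itself, `G_FILE_CREATE_PRIVATE` is only guaranteed to give a user-only destination on the local-file branch (`_g_local_file_output_stream_replace`/`_create`); on the `g_file_replace`/`g_file_create` branches it is a flag passed to whatever GFile implementation backs the destination, which presumably may ignore it, so a short comment at those call sites would help, e.g. `/* PRIVATE narrows the mode during the copy; non-local backends may treat it as a hint */`. As the patch description says, the final permissions are still applied only once the copy finishes, so an interrupted copy now leaves a restrictive file instead of an over-permissive one, which is the intended direction. `file_copy_fallback` begins before and continues after both hunks.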
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: Low-level libraries useful for providing data structure handling for C. |
2 | 2 |
Name: glib |
3 | 3 |
Version: 2.58.0 |
4 |
-Release: 2%{?dist} |
|
4 |
+Release: 3%{?dist} |
|
5 | 5 |
License: LGPLv2+ |
6 | 6 |
URL: https://developer.gnome.org/glib/ |
7 | 7 |
Group: Applications/System |
@@ -9,6 +9,7 @@ Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://ftp.gnome.org/pub/gnome/sources/glib/2.58/%{name}-%{version}.tar.xz |
11 | 11 |
%define sha1 glib=c00e433c56e0ba3541abc5222aeca4136de10fb8 |
12 |
+Patch0: glib-CVE-2019-12450.patch |
|
12 | 13 |
BuildRequires: pcre-devel |
13 | 14 |
BuildRequires: libffi-devel |
14 | 15 |
BuildRequires: pkg-config |
@@ -51,6 +52,8 @@ Gsettings schemas compiling tool |
51 | 51 |
|
52 | 52 |
%prep |
53 | 53 |
%setup -q |
54 |
+%patch0 -p1 |
|
55 |
+ |
|
54 | 56 |
%build |
55 | 57 |
./autogen.sh |
56 | 58 |
%configure --with-pcre=system |
@@ -90,6 +93,8 @@ make DESTDIR=%{buildroot} install |
90 | 90 |
%{_datadir}/glib-2.0/schemas/* |
91 | 91 |
|
92 | 92 |
%changelog |
93 |
+* Mon Jun 03 2019 Ankit Jain <ankitja@vmware.com> 2.58.0-3 |
|
94 |
+- Fix for CVE-2019-12450 |
|
93 | 95 |
* Mon Dec 10 2018 Alexey Makhalov <amakhalov@vmware.com> 2.58.0-2 |
94 | 96 |
- glib-devel requires python-xml. |
95 | 97 |
* Tue Sep 11 2018 Anish Swaminathan <anishs@vmware.com> 2.58.0-1 |
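Review bot: The new `%patch0 -p1` line applies a patch whose hunk offsets (`@@ -3284` and `@@ -3297`) and blob index `24b136d80..74b58047c` come from a newer upstream gfile.c than the 2.58.0 tarball this spec builds, so it will most likely land with an offset or fuzz rather than exactly; confirm in the build log that both hunks applied without fuzz, since a fuzz-applied permissions fix can silently end up on the wrong `else` branch. Regenerating the patch against 2.58.0, or tightening the apply with `%patch0 -p1 -F0`, removes that doubt.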