aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2019-06-17 11:35:30 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2019-06-17 11:42:04 +0200
commit6d61c0096ba308d340d865f9fc295ac6e88e1277 (patch)
tree3b9149dc8db5d39dfa4d749c609771e6f609e739
parenteb465b6e978d3e6bf58d13e594683522bdea7314 (diff)
downloadaports-6d61c0096ba308d340d865f9fc295ac6e88e1277.tar.gz
aports-6d61c0096ba308d340d865f9fc295ac6e88e1277.tar.bz2
aports-6d61c0096ba308d340d865f9fc295ac6e88e1277.tar.xz
main/glib: security fix for CVE-2019-12450
fixes #10578
-rw-r--r--main/glib/APKBUILD10
-rw-r--r--main/glib/CVE-2019-12450.patch53
2 files changed, 61 insertions, 2 deletions
diff --git a/main/glib/APKBUILD b/main/glib/APKBUILD
index 0c9a862858..5ea89404b8 100644
--- a/main/glib/APKBUILD
+++ b/main/glib/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=glib
pkgver=2.54.2
-pkgrel=0
+pkgrel=1
pkgdesc="Common C routines used by Gtk+ and other libs"
url="https://developer.gnome.org/glib/"
arch="all"
@@ -14,10 +14,15 @@ depends_dev="perl python2 gettext-dev zlib-dev bzip2-dev libffi-dev
makedepends="$depends_dev pcre-dev"
source="https://download.gnome.org/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz
0001-gquark-fix-initialization-with-c-constructors.patch
+ CVE-2019-12450.patch
"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-static $pkgname-dev $pkgname-lang $pkgname-bash-completion:bashcomp:noarch"
builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 2.54.2-r1:
+# - CVE-2019-12450
+
prepare() {
default_prepare
cd "$builddir"
@@ -80,4 +85,5 @@ bashcomp() {
}
sha512sums="09ee6fa3a6f3f15af229bd789bef536e3570f36d1e4ce624a57e97c4040577f6baccd6ab5746257863ccf7173b558cfa753951d562a278f854e52604104ba7ee glib-2.54.2.tar.xz
-32e5aca9a315fb985fafa0b4355e4498c1f877fc1f0b58ad4ac261fb9fbced9f026c7756a5f2af7d61ce756b55c8cd02811bb08df397040e93510056f073756b 0001-gquark-fix-initialization-with-c-constructors.patch"
+32e5aca9a315fb985fafa0b4355e4498c1f877fc1f0b58ad4ac261fb9fbced9f026c7756a5f2af7d61ce756b55c8cd02811bb08df397040e93510056f073756b 0001-gquark-fix-initialization-with-c-constructors.patch
+18f33b4902d1ec2595e17f6d686871445aaba3988c1f257a28892f5efcfdc79d6009d0bcf997791ab4f4f0eac9667a89cedca24261592b60b91627dd2d5ed79d CVE-2019-12450.patch"
diff --git a/main/glib/CVE-2019-12450.patch b/main/glib/CVE-2019-12450.patch
new file mode 100644
index 0000000000..6c514e1f8e
--- /dev/null
+++ b/main/glib/CVE-2019-12450.patch
@@ -0,0 +1,53 @@
+From d8f8f4d637ce43f8699ba94c9b7648beda0ca174 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:41:53 +0200
+Subject: [PATCH] gfile: Limit access to files when copying
+
+file_copy_fallback creates new files with default permissions and
+set the correct permissions after the operation is finished. This
+might cause that the files can be accessible by more users during
+the operation than expected. Use G_FILE_CREATE_PRIVATE for the new
+files to limit access to those files.
+---
+ gio/gfile.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/gio/gfile.c b/gio/gfile.c
+index 24b136d80..74b58047c 100644
+--- a/gio/gfile.c
++++ b/gio/gfile.c
+@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source,
+ out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+ FALSE, NULL,
+ flags & G_FILE_COPY_BACKUP,
+- G_FILE_CREATE_REPLACE_DESTINATION,
+- info,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE, info,
+ cancellable, error);
+ else
+ out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+- FALSE, 0, info,
++ FALSE, G_FILE_CREATE_PRIVATE, info,
+ cancellable, error);
+ }
+ else if (flags & G_FILE_COPY_OVERWRITE)
+@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source,
+ out = (GOutputStream *)g_file_replace (destination,
+ NULL,
+ flags & G_FILE_COPY_BACKUP,
+- G_FILE_CREATE_REPLACE_DESTINATION,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE,
+ cancellable, error);
+ }
+ else
+ {
+- out = (GOutputStream *)g_file_create (destination, 0, cancellable, error);
++ out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error);
+ }
+
+ if (!out)
+--
+2.21.0
+