
glib: fix CVE-2019-13012

CVE-2019-13012 Description:

The keyfile settings backend in GLib before 2.59.1 creates directories
using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and
files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL).
Consequently, it does not properly restrict directory (and file) permissions.
Instead, for directories, 0777 permissions are used; for files, default file
permissions are used.

Patch Summary:

Changes the permissions when a directory is created,
using 700 instead of 777 in gio/gkeyfilesettingsbackend.c,
and changes the test to run in a temp directory in gio/tests/gsettings.c.

Upstream Issue: https://gitlab.gnome.org/GNOME/glib/issues/1658
Upstream MR: https://gitlab.gnome.org/GNOME/glib/merge_requests/604

Fixes #64657

pkgs/development/libraries/glib/default.nix
··· 91 91 name = "CVE-2019-12450.patch"; 92 92 sha256 = "03ris8lllbb7i18qvbpqaf7xdwfz1dkskx8mb533dmwlp2ll69hg"; 93 93 }) 94 + # https://gitlab.gnome.org/GNOME/glib/issues/1658 95 + (fetchpatch { 96 + name = "CVE-2019-13012.patch"; 97 + url = "https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429.patch"; 98 + sha256 = "0ykfx9i1ipz06n7hvz27qw0l9hy9jslg5gqqxyfiivy81q4p7lnl"; 99 + }) 94 100 ]; 95 101 96 102 outputs = [ "bin" "out" "dev" "devdoc" ];
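Review bot: the comment line added above the new fetchpatch block (the `# https://gitlab.gnome.org/GNOME/glib/issues/1658` line) points only at the issue, while the patch itself is fetched from a bare commit URL; since the commit message also names the upstream MR (https://gitlab.gnome.org/GNOME/glib/merge_requests/604), consider putting the MR link or the CVE id next to the issue link so a later reader can tie the commit hash `5e4da714f00f6bfb2ccd6d73d61329c6f3a08429` and its `sha256` back to the reviewed fix without leaving the file. Also worth stating in the comment that this patch touches both `gio/gkeyfilesettingsbackend.c` and `gio/tests/gsettings.c`, as the commit message says, so that anyone seeing a test-suite failure at the next glib bump knows this patch changed the test as well as the backend.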