glib-2.0: fix CVE-2019-13012

(From OE-Core rev: b7bc9c12219f5c48eb6698e4537f6c0be94ac06a) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2019-08-19 21:47:10 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-09-30 16:44:42 +0100
commit: a217ea667d2b7f82970e8d2cb2beacfc8b30c325 (patch)
tree: f82f14e7c34ba5d866065eeb45d369e78f37d9db /meta/recipes-core
parent: e7649d187ee6cd5eb71bbbed939c408f29d5ec50 (diff)
download: poky-a217ea667d2b7f82970e8d2cb2beacfc8b30c325.tar.gz
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
new file mode 100644
index 0000000000..c882cba3b3
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
@@ -0,0 +1,40 @@
+From 9fd6b4b21891adc318784f6a141f40d767b0d73c Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Tue, 22 Jan 2019 13:26:31 -0500
+Subject: [PATCH] keyfile settings: Use tighter permissions
+When creating directories, create them with 700 permissions,
+instead of 777.
+Closes: #1658
+CVE: CVE-2019-13012
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ gio/gkeyfilesettingsbackend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index a37978e..580a0b0 100644
+--- a/gio/gkeyfilesettingsbackend.c
+++ b/gio/gkeyfilesettingsbackend.c
+@@ -89,7 +89,8 @@ g_keyfile_settings_backend_keyfile_write (GKeyfileSettingsBackend *kfsb)
+ 
+   contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
+   g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
+-                           G_FILE_CREATE_REPLACE_DESTINATION,
+                           G_FILE_CREATE_REPLACE_DESTINATION |
+                           G_FILE_CREATE_PRIVATE,
+                            NULL, NULL, NULL);
+ 
+   compute_checksum (kfsb->digest, contents, length);
+@@ -640,7 +641,7 @@ g_keyfile_settings_backend_new (const gchar *filename,
+ 
+   kfsb->file = g_file_new_for_path (filename);
+   kfsb->dir = g_file_get_parent (kfsb->file);
+-  g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
+  g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
+ 
+   kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
+   kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
index 733a2d46d9..2286d03148 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
           file://0001-meson.build-do-not-hardcode-linux-as-the-host-system.patch \
           file://0001-meson-do-a-build-time-check-for-strlcpy-before-attem.patch \
           file://glib-meson.cross \
+           file://CVE-2019-13012.patch \
           "
 SRC_URI_append_class-native = " file://relocate-modules.patch"
author	Anuj Mittal <anuj.mittal@intel.com>	2019-08-19 21:47:10 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-09-30 16:44:42 +0100
commit	a217ea667d2b7f82970e8d2cb2beacfc8b30c325 (patch)
tree	f82f14e7c34ba5d866065eeb45d369e78f37d9db /meta/recipes-core
parent	e7649d187ee6cd5eb71bbbed939c408f29d5ec50 (diff)
download	poky-a217ea667d2b7f82970e8d2cb2beacfc8b30c325.tar.gz

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch new file mode 100644 index 0000000000..c882cba3b3 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
@@ -0,0 +1,40 @@
		1	From 9fd6b4b21891adc318784f6a141f40d767b0d73c Mon Sep 17 00:00:00 2001
		2	From: Matthias Clasen <mclasen@redhat.com>
		3	Date: Tue, 22 Jan 2019 13:26:31 -0500
		4	Subject: [PATCH] keyfile settings: Use tighter permissions
		5
		6	When creating directories, create them with 700 permissions,
		7	instead of 777.
		8
		9	Closes: #1658
		10	CVE: CVE-2019-13012
		11	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429]
		12	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		13
		14	---
		15	gio/gkeyfilesettingsbackend.c \| 5 +++--
		16	1 file changed, 3 insertions(+), 2 deletions(-)
		17
		18	diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
		19	index a37978e..580a0b0 100644
		20	--- a/gio/gkeyfilesettingsbackend.c
		21	+++ b/gio/gkeyfilesettingsbackend.c
		22	@@ -89,7 +89,8 @@ g_keyfile_settings_backend_keyfile_write (GKeyfileSettingsBackend *kfsb)
		23
		24	contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
		25	g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
		26	- G_FILE_CREATE_REPLACE_DESTINATION,
		27	+ G_FILE_CREATE_REPLACE_DESTINATION \|
		28	+ G_FILE_CREATE_PRIVATE,
		29	NULL, NULL, NULL);
		30
		31	compute_checksum (kfsb->digest, contents, length);
		32	@@ -640,7 +641,7 @@ g_keyfile_settings_backend_new (const gchar *filename,
		33
		34	kfsb->file = g_file_new_for_path (filename);
		35	kfsb->dir = g_file_get_parent (kfsb->file);
		36	- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
		37	+ g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
		38
		39	kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
		40	kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);


diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb index 733a2d46d9..2286d03148 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.58.3.bb
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
18	file://0001-meson.build-do-not-hardcode-linux-as-the-host-system.patch \	18	file://0001-meson.build-do-not-hardcode-linux-as-the-host-system.patch \
19	file://0001-meson-do-a-build-time-check-for-strlcpy-before-attem.patch \	19	file://0001-meson-do-a-build-time-check-for-strlcpy-before-attem.patch \
20	file://glib-meson.cross \	20	file://glib-meson.cross \
		21	file://CVE-2019-13012.patch \
21	"	22	"
22		23
23	SRC_URI_append_class-native = " file://relocate-modules.patch"	24	SRC_URI_append_class-native = " file://relocate-modules.patch"