Univention Bugzilla – Bug 50147
glib2.0: Multiple issues (4.4)
Last modified: 2019-09-11 15:25:41 CEST
New Debian glib2.0 2.50.3-2+deb9u1 fixes: This update addresses the following issues:
* Out-of-bounds read in g_markup_parse_context_parse() in gmarkup.c when formatting error messages for invalid UTF-8 input (CVE-2018-16429)
* file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress, so the partially written destination file can be readable by other users until the copy completes (CVE-2019-12450)
* insecure permissions for the settings directory and keyfile created by the GKeyfileSettingsBackend (CVE-2019-13012)
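The two permission issues above are easy to reproduce on a small copy routine. The following is an added example, written for this page in Python rather than taken from GLib or from the Univention packaging: `insecure_copy` creates the destination with the default 0666 & ~umask and only applies the source's mode at the end (the CVE-2019-12450 pattern), `secure_copy` creates it 0600 first and widens it afterwards, and `create_keyfile_settings` shows the CVE-2019-13012 fix of creating the settings directory 0700 and the keyfile 0600. File names, the 4096-byte chunk size, the umask value and the sample content are all assumptions chosen for the demonstration.

```python
"""Added example (not GLib or Univention code): the partial-copy permission
race behind CVE-2019-12450 and the keyfile-settings hardening behind
CVE-2019-13012, on plain POSIX file APIs in a temporary directory."""
import os
import stat
import tempfile

CHUNK = 4096  # assumed chunk size for the demonstration


def _copy_loop(src_fd, dst_fd, observe=None):
    """Stream src_fd into dst_fd. observe(dst_fd), if given, is called once
    after the first chunk so the caller can inspect the half-written file."""
    first = True
    while True:
        buf = os.read(src_fd, CHUNK)
        if not buf:
            break
        os.write(dst_fd, buf)
        if first and observe is not None:
            observe(dst_fd)
            first = False


def insecure_copy(src, dst, observe=None):
    """Pre-fix pattern: destination is created with 0666 & ~umask (0644 under
    umask 022, i.e. world-readable) and only chmod'ed to the source's mode
    after all data has been written."""
    mode = stat.S_IMODE(os.stat(src).st_mode)
    src_fd = os.open(src, os.O_RDONLY)
    dst_fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    try:
        _copy_loop(src_fd, dst_fd, observe)
        os.fchmod(dst_fd, mode)  # too late: the data was already readable
    finally:
        os.close(src_fd)
        os.close(dst_fd)


def secure_copy(src, dst, observe=None):
    """Hardened variant: create the destination owner-only (0600), refuse to
    clobber an existing path (O_EXCL), and widen to the source's mode only
    once the data is in place."""
    mode = stat.S_IMODE(os.stat(src).st_mode)
    src_fd = os.open(src, os.O_RDONLY)
    dst_fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        _copy_loop(src_fd, dst_fd, observe)
        os.fchmod(dst_fd, mode)
    finally:
        os.close(src_fd)
        os.close(dst_fd)


def mode_during_copy(copy_fn, src_mode, umask=0o022):
    """Copy a constructed source file with copy_fn and return
    (permission bits seen mid-copy, final permission bits). The umask is set
    explicitly so the result does not depend on the caller's environment."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "secret.txt")
            dst = os.path.join(d, "secret-copy.txt")
            with open(src, "wb") as f:
                f.write(b"constructed sample secret\n" * 400)  # > one chunk
            os.chmod(src, src_mode)
            seen = []
            copy_fn(src, dst,
                    observe=lambda fd: seen.append(stat.S_IMODE(os.fstat(fd).st_mode)))
            return seen[0], stat.S_IMODE(os.stat(dst).st_mode)
    finally:
        os.umask(old)


def create_keyfile_settings(base_dir, umask=0o022):
    """Mirror of the CVE-2019-13012 fix: the settings directory is created
    0700 and the keyfile 0600 instead of whatever the umask allows.
    Returns (directory permission bits, keyfile permission bits)."""
    old = os.umask(umask)
    try:
        settings_dir = os.path.join(base_dir, "glib-2.0", "settings")
        os.makedirs(settings_dir, mode=0o700, exist_ok=True)
        keyfile = os.path.join(settings_dir, "keyfile")
        os.close(os.open(keyfile, os.O_WRONLY | os.O_CREAT, 0o600))
        return (stat.S_IMODE(os.stat(settings_dir).st_mode),
                stat.S_IMODE(os.stat(keyfile).st_mode))
    finally:
        os.umask(old)


def keyfile_settings_demo():
    """Run create_keyfile_settings in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        return create_keyfile_settings(d)


if __name__ == "__main__":
    for name, fn in (("insecure", insecure_copy), ("secure", secure_copy)):
        mid, final = mode_during_copy(fn, 0o600)
        print(f"{name} copy of a 0600 file: mid-copy {oct(mid)}, final {oct(final)}")
    d_mode, f_mode = keyfile_settings_demo()
    print(f"keyfile settings: dir {oct(d_mode)}, file {oct(f_mode)}")
```

The mid-copy probe is what matters: with the insecure routine a 0600 source is 0644 on disk while the copy runs, which is exactly the window the GLib fix closes; the hardened routine never exposes more than 0600 until the data is complete. The same "create restrictive first, relax later" rule is what the keyfile-settings patch applies to the directory and file it creates.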
--- mirror/ftp/4.3/unmaintained/4.3-0/source/glib2.0_2.50.3-2.dsc +++ apt/ucs_4.4-0-errata4.4-1/source/glib2.0_2.50.3-2+deb9u1.dsc @@ -1,3 +1,23 @@ +2.50.3-2+deb9u1 [Tue, 13 Aug 2019 10:46:20 +0100] Simon McVittie <smcv@debian.org>: + + * Team upload + * d/gbp.conf: Add GNOME team configuration + * d/p/gfile-Limit-access-to-files-when-copying.patch: + When copying files, give the temporary partial copy of the file + suitably restrictive permissions (Closes: #929753; CVE-2019-12450) + * d/p/keyfile-settings-Use-tighter-permissions.patch: + Create directory and file with restrictive permissions when using the + GKeyfileSettingsBackend. Mitigation: in this version of GLib, the + GKeyfileSettingsBackend can only be used explicitly by code, and is + never selected automatically. (Closes: #931234; CVE-2019-13012) + * d/p/gmarkup-Fix-unvalidated-UTF-8-read-in-markup-parsing-erro.patch, + d/p/gmarkup-Avoid-reading-off-the-end-of-a-buffer-when-non-nu.patch: + Avoid buffer read overrun when formatting error messages for invalid + UTF-8 in GMarkup (CVE-2018-16429) + * d/p/gmarkup-Fix-crash-in-error-handling-path-for-closing-elem.patch: + Avoid NULL dereference when parsing invalid GMarkup with a malformed + closing tag not paired with an opening tag (CVE-2018-16429) + 2.50.3-2 [Mon, 20 Mar 2017 00:21:57 +0100] Michael Biebl <biebl@debian.org>: * debian/patches/tests-gdatetime-Use-a-real-rather-than-invented-time.patch: <http://10.200.17.11/4.4-1/#8842268695722649019>
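Review bot: the CVE-2019-13012 entry ("Create directory and file with restrictive permissions when using the GKeyfileSettingsBackend") only covers directories and files created after the update; it says nothing about settings directories and keyfiles already created with the old permissions by earlier versions, and the errata text should state whether administrators have to tighten those by hand. The "Mitigation" sentence (the backend is never selected automatically in this version) is the fact that tells a UCS administrator how exposed a system is, so it belongs in the published errata announcement as well, not only in the packaging changelog.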
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-1] 41dc5940c6 Bug #50147: glib2.0 2.50.3-2+deb9u1
 doc/errata/staging/glib2.0.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.4-1] 83eda698c3 Bug #50147: glib2.0 2.50.3-2+deb9u1
 doc/errata/staging/glib2.0.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
<http://errata.software-univention.de/ucs/4.4/256.html>