summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoe Slater <joe.slater@windriver.com>2019-06-20 10:44:55 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-06-21 00:33:44 +0100
commit59ded76363aec9289a007baca52a33b463e02e47 (patch)
tree8add5240ba6b804a2e62c9badc449ef4476d18b4
parentc724a2feaef9030718742c02cb7da5a976e6b6e4 (diff)
downloadopenembedded-core-contrib-59ded76363aec9289a007baca52a33b463e02e47.tar.gz
openembedded-core-contrib-59ded76363aec9289a007baca52a33b463e02e47.tar.bz2
openembedded-core-contrib-59ded76363aec9289a007baca52a33b463e02e47.zip
glib-2.0: Fix CVE-2019-12450
Unchanged patch from glib.git which was added after current release. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch62
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb1
2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch
new file mode 100644
index 0000000000..59e49195cc
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch
@@ -0,0 +1,62 @@
+glib-2.0: fix CVE-2019-12450
+
+Not in release 2.61.1.
+
+CVE: CVE-2019-12450
+
+Upstream-Status: Backport [github.com/GNOME/glib.git]
+Signed-off-by: Joe Slater <joe.slater@windrivere.com>
+---
+From d8f8f4d637ce43f8699ba94c9b7648beda0ca174 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:41:53 +0200
+Subject: [PATCH] gfile: Limit access to files when copying
+
+file_copy_fallback creates new files with default permissions and
+set the correct permissions after the operation is finished. This
+might cause that the files can be accessible by more users during
+the operation than expected. Use G_FILE_CREATE_PRIVATE for the new
+files to limit access to those files.
+---
+ gio/gfile.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/gio/gfile.c b/gio/gfile.c
+index 24b136d80..74b58047c 100644
+--- a/gio/gfile.c
++++ b/gio/gfile.c
+@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source,
+ out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+ FALSE, NULL,
+ flags & G_FILE_COPY_BACKUP,
+- G_FILE_CREATE_REPLACE_DESTINATION,
+- info,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE, info,
+ cancellable, error);
+ else
+ out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+- FALSE, 0, info,
++ FALSE, G_FILE_CREATE_PRIVATE, info,
+ cancellable, error);
+ }
+ else if (flags & G_FILE_COPY_OVERWRITE)
+@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source,
+ out = (GOutputStream *)g_file_replace (destination,
+ NULL,
+ flags & G_FILE_COPY_BACKUP,
+- G_FILE_CREATE_REPLACE_DESTINATION,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE,
+ cancellable, error);
+ }
+ else
+ {
+- out = (GOutputStream *)g_file_create (destination, 0, cancellable, error);
++ out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error);
+ }
+
+ if (!out)
+--
+2.17.1
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb
index bb77294e1e..5942241de5 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://0001-Do-not-write-bindir-into-pkg-config-files.patch \
file://0001-meson.build-do-not-hardcode-linux-as-the-host-system.patch \
file://0001-meson-do-a-build-time-check-for-strlcpy-before-attem.patch \
+ file://CVE-2019-12450.patch \
"
SRC_URI_append_class-native = " file://relocate-modules.patch"