Ubuntu has issued an advisory on June 10: https://usn.ubuntu.com/4014-1/ The issue is fixed upstream in 2.61.2. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Ubuntu has issued an advisory on July 8: https://usn.ubuntu.com/4049-1/ The issue is fixed upstream in 2.60.0, so it only affects Mageia 6.
Summary: glib2.0 new security issue CVE-2019-12450 => glib2.0 new security issues CVE-2019-12450 and CVE-2019-13012
Follow-up to the previous advisory, with a regression fix: https://usn.ubuntu.com/4049-3/
Assignee: bugsquad => basesystem
CC: (none) => marja11
RedHat has issued an advisory for the first issue today (November 5): https://access.redhat.com/errata/RHSA-2019:3530
openSUSE has issued an advisory for the first issue on June 27: https://lists.opensuse.org/opensuse-updates/2019-06/msg00167.html
Mageia 6 is EOL
Whiteboard: MGA6TOO => (none)
Summary: glib2.0 new security issues CVE-2019-12450 and CVE-2019-13012 => glib2.0 new security issues CVE-2019-12450
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated packages fix a security vulnerability:

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450
https://usn.ubuntu.com/4014-1/
https://access.redhat.com/errata/RHSA-2019:3530
https://lists.opensuse.org/opensuse-updates/2019-06/msg00167.html
========================

Updated packages in core/updates_testing:
========================
glib2.0-common-2.60.2-1.2.mga7
lib(64)glib2.0_0-2.60.2-1.2.mga7
lib(64)gio2.0_0-2.60.2-1.2.mga7
lib(64)glib2.0-devel-2.60.2-1.2.mga7
lib(64)glib2.0-static-devel-2.60.2-1.2.mga7
glib-gettextize-2.60.2-1.2.mga7

from SRPMS:
glib2.0-2.60.2-1.2.mga7.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-12450
Assignee: basesystem => qa-bugs
Source RPM: glib2.0-2.60.2-1.mga7.src.rpm => glib2.0-2.60.2-1.1.mga7.src.rpm
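The permission handling described in the advisory above, as an added example that is not part of the original bug thread and is not GLib's code: a plain POSIX copy that creates the destination owner-only and applies the source's mode only once the data is written. The names copy_private and run_demo, the /tmp path and the sample file are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to dst. dst stays owner-only (0600) until the last byte is
 * written; only then are the source's permission bits applied. */
int copy_private(const char *src, const char *dst, mode_t *during)
{
    struct stat s, d;
    char buf[4096];
    ssize_t n, w, off;
    int rc = -1, out, in = open(src, O_RDONLY);
    if (in < 0) return -1;
    /* Weak form: passing 0666 here yields the umask default (often 0644),
     * so other local users can read the partial copy while it is written. */
    out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) { close(in); return -1; }
    if (fstat(in, &s) != 0) goto done;
    while ((n = read(in, buf, sizeof buf)) > 0)
        for (off = 0; off < n; off += w)
            if ((w = write(out, buf + off, (size_t)(n - off))) < 0) goto done;
    if (n < 0 || fstat(out, &d) != 0) goto done;
    *during = d.st_mode & 07777;   /* mode while data was being written */
    if (fchmod(out, s.st_mode & 0777) == 0) rc = 0;
done:
    close(in); close(out);
    if (rc != 0) unlink(dst);      /* do not leave a partial copy behind */
    return rc;
}

mode_t demo_during, demo_final;    /* set by run_demo() */
/* Constructed sample: a 0644 temp file copied to "<name>.copy". */
int run_demo(void)
{
    char src[] = "/tmp/cp12450-XXXXXX", dst[sizeof src + 5];
    struct stat st;
    int ok, fd = mkstemp(src);
    if (fd < 0) return -1;
    snprintf(dst, sizeof dst, "%s.copy", src);
    ok = write(fd, "constructed sample\n", 19) == 19 && fchmod(fd, 0644) == 0 &&
         copy_private(src, dst, &demo_during) == 0 && stat(dst, &st) == 0;
    if (ok) demo_final = st.st_mode & 07777;
    close(fd); unlink(src); unlink(dst);
    return ok ? 0 : -1;
}

int main(void) { return run_demo() == 0 ? 0 : 1; }
```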
This bug also interferes with bug 25525
Depends on: (none) => 25525
CC: (none) => geiger.david68210
Add the advisory blurb and references from Bug 25525 to this bug's advisory.
VirtualBox VM - Gnome 64 bit

This looks like a base I/O library

The following 18 packages are going to be installed:
- glib-gettextize-2.60.2-1.2.mga7.x86_64
- glib2.0-common-2.60.2-1.2.mga7.x86_64
- glibc-devel-2.29-19.mga7.x86_64
- kernel-userspace-headers-5.3.13-2.mga7.x86_64
- lib64blkid-devel-2.33.2-1.mga7.x86_64
- lib64ffi-devel-3.2.1-7.mga7.x86_64
- lib64gio2.0_0-2.60.2-1.2.mga7.x86_64
- lib64glib2.0-devel-2.60.2-1.2.mga7.x86_64
- lib64glib2.0-static-devel-2.60.2-1.2.mga7.x86_64
- lib64glib2.0_0-2.60.2-1.2.mga7.x86_64
- lib64mount-devel-2.33.2-1.mga7.x86_64
- lib64pcre-devel-8.43-1.mga7.x86_64
- lib64pcre16_0-8.43-1.mga7.x86_64
- lib64pcre32_0-8.43-1.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch

rebooted the machine
- Copied, moved files
- accessed samba drives
- vm shared drives and moved files around
- edited documents

Is this sufficient?
CC: (none) => brtians1
What happened to glib2.0-2.60.2-1.1.mga7.src.rpm ? Comments 6 & 9 cite glib2.0-2.60.2-1.2.mga7.src.rpm. There is an erroneous bug 25746 on the -1.1 variant, which I am directing here.
It got patched for a security issue; this update supersedes it.
I have asked the reporter for Bug 25525 to test these newer packages to see if his issue remains fixed, and to report his results here.
CC: (none) => andrewsfarm
I have done likewise for the reporter of bug 25746, which I have re-opened; though having >1 bug for an update is unhelpful. I post his latest comment https://bugs.mageia.org/show_bug.cgi?id=25746#c2 (because he did not heed my request to post directly on this bug). Note that his problem remained with glib2.0-2.60.2-1.2, and that he found a workaround for his hardware. The issue of slow Firefox has, I think, another bug.
------------------------------------------------------------
I have had this problem with glib2.0-2.60.2-1.2.mga7.src.rpm
Several times, as a matter of fact. In the beginning it was a mystery. I could enter the root password at the request of the MCC window. Then I re-installed the boot loader and MCC crashed. After some time I could, again, enter the root password. I then discovered that the same thing happened after the update of the many libreoffice packages.
My IPC3 box has an mSATA SSD mounted on a FM-USB3 card. I had the, possibly mistaken, idea that the content of the SSD is copied to the faster RAM, and that this takes some time. My firefox is also very jerky to the extent that I cannot use it. My real motive was to get firefox to work properly.
My next idea was that the i7 processors possibly overheated while waiting for the slow SSD. To test this theory I used the command:
cpupower frequency-set -g powersave
I do not know how the IPC3 hardware works, but this command made firefox work without any jerks, and I can enter the root password in MCC. I am using firefox to enter these lines.
This shows that crashes can be caused by many things.
------------------------------------------------------------
Lewis, there are multiple bugs because they are for different issues. Obviously we can only have one assigned to QA, which is why I unassigned the other one.
$ uname -a
Linux localhost 5.3.11-desktop-1.mga7 #1 SMP Tue Nov 12 23:07:33 UTC 2019 i686 i686 i386 GNU/Linux

Plasma on 32bit, virtualbox

The following 4 packages are going to be installed:
- glib-gettextize-2.60.2-1.2.mga7.i586
- glib2.0-common-2.60.2-1.2.mga7.i586
- libgio2.0_0-2.60.2-1.2.mga7.i586
- libglib2.0_0-2.60.2-1.2.mga7.i586

---- rebooted ----

I've mapped samba drives, copied files, Firefox, Chromium, and Clementine (which is IO intensive at the beginning) all is working
MGA7-64 Plasma on Lenovo B50. No installation issues. Rebooted after installation, no obvious problems, run opd file from NFS share over Wifi. Updating this bug here works OK. OK for me.
CC: (none) => herman.viaene
Run anki again on TJ's request from bug 25763: works OK.
Thank you, Herman. I think that's enough. Giving it an OK. Lewis, it would appear that the real cause of the issue in Bug 25746 is as yet undetermined. It may be glib2.0, and then again maybe something else. Since no one here has reported that issue, I think it should be addressed separately, and don't believe it is reason enough to hold this update back. If, after the update, that reporter's issue persists, he should note it there. Validating. Advisory in Comment 6.
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA-64-OK
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0352.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED