Bug 25276 - glib2.0 new security issues CVE-2019-12450
Summary: glib2.0 new security issues CVE-2019-12450
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA-64-OK
Keywords: advisory, validated_update
Depends on: 25525
Blocks:
Reported: 2019-08-11 22:52 CEST by David Walser
Modified: 2019-11-30 14:08 CET (History)

See Also:
Source RPM: glib2.0-2.60.2-1.1.mga7.src.rpm
CVE: CVE-2019-12450
Status comment:



Description David Walser 2019-08-11 22:52:02 CEST
Ubuntu has issued an advisory on June 10:
https://usn.ubuntu.com/4014-1/

The issue is fixed upstream in 2.61.2.

Mageia 6 is also affected.
David Walser 2019-08-11 22:52:10 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2019-08-11 23:28:22 CEST
Ubuntu has issued an advisory on July 8:
https://usn.ubuntu.com/4049-1/

The issue is fixed upstream in 2.60.0, so it only affects Mageia 6.

Summary: glib2.0 new security issue CVE-2019-12450 => glib2.0 new security issues CVE-2019-12450 and CVE-2019-13012

Comment 2 David Walser 2019-08-12 01:59:58 CEST
Follow-up to the previous advisory, with a regression fix:
https://usn.ubuntu.com/4049-3/
Marja Van Waes 2019-08-12 13:11:11 CEST

Assignee: bugsquad => basesystem
CC: (none) => marja11

Comment 3 David Walser 2019-11-06 00:37:01 CET
RedHat has issued an advisory for the first issue today (November 5):
https://access.redhat.com/errata/RHSA-2019:3530
Comment 4 David Walser 2019-11-25 23:27:22 CET
openSUSE has issued an advisory for the first issue on June 27:
https://lists.opensuse.org/opensuse-updates/2019-06/msg00167.html
Comment 5 Nicolas Salguero 2019-11-26 09:15:25 CET
Mageia 6 is EOL

Whiteboard: MGA6TOO => (none)
Summary: glib2.0 new security issues CVE-2019-12450 and CVE-2019-13012 => glib2.0 new security issues CVE-2019-12450
CC: (none) => nicolas.salguero

Comment 6 Nicolas Salguero 2019-11-26 09:22:39 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450
https://usn.ubuntu.com/4014-1/
https://access.redhat.com/errata/RHSA-2019:3530
https://lists.opensuse.org/opensuse-updates/2019-06/msg00167.html
========================

Updated packages in core/updates_testing:
========================
glib2.0-common-2.60.2-1.2.mga7
lib(64)glib2.0_0-2.60.2-1.2.mga7
lib(64)gio2.0_0-2.60.2-1.2.mga7
lib(64)glib2.0-devel-2.60.2-1.2.mga7
lib(64)glib2.0-static-devel-2.60.2-1.2.mga7
glib-gettextize-2.60.2-1.2.mga7

from SRPMS:
glib2.0-2.60.2-1.2.mga7.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-12450
Assignee: basesystem => qa-bugs
Source RPM: glib2.0-2.60.2-1.mga7.src.rpm => glib2.0-2.60.2-1.1.mga7.src.rpm
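The advisory text above describes a permissions window rather than a memory bug: the copy fallback created the destination with the process's default mode and only applied the source's permissions once the data had been written, so a private file could be readable by others for the duration of the copy. The following is an added example, written for this page and not taken from GLib or from the Mageia packages, that puts the weak pattern beside the hardened one using plain POSIX calls. It assumes a Linux system, a writable /tmp, and constructed file names; the `*mid_copy_mode` out-parameter samples the destination's mode after the first chunk has been written, which is how the example makes the in-progress state visible.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PERM_MASK 07777   /* rwx bits for user/group/other plus suid/sgid/sticky */

/* Permission bits of path, or -1 if it cannot be stat'ed. */
static int file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & PERM_MASK) : -1;
}

/* Test fixture (constructed input): write content to path with exactly the given mode. */
static int write_sample_file(const char *path, const char *content, mode_t mode)
{
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0)
        return -1;
    size_t len = strlen(content);
    ssize_t n = write(fd, content, len);
    close(fd);
    if (n < 0 || (size_t)n != len)
        return -1;
    return chmod(path, mode);   /* open() honours umask; pin the exact mode */
}

/* Copy loop shared by both variants. After the first chunk has landed it records the
   destination's permission bits in *mid_copy_mode: that is what a concurrent reader
   would face while the copy is still in progress, the window the advisory describes. */
static int copy_contents(int in_fd, int out_fd, int *mid_copy_mode)
{
    char buf[4096];
    ssize_t n;
    int sampled = 0;
    while ((n = read(in_fd, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0)
                return -1;
            off += w;
        }
        if (!sampled) {
            struct stat st;
            if (fstat(out_fd, &st) == 0)
                *mid_copy_mode = (int)(st.st_mode & PERM_MASK);
            sampled = 1;
        }
    }
    return n < 0 ? -1 : 0;
}

/* Common body: create dst with the given flags and creation mode, copy, then apply the
   source's permission bits. Which creation mode is used is the whole difference. */
static int copy_file_impl(const char *src, const char *dst, int create_flags,
                          mode_t create_mode, int *mid_copy_mode)
{
    *mid_copy_mode = -1;
    int in_fd = open(src, O_RDONLY);
    if (in_fd < 0)
        return -1;
    struct stat st;
    int rc = fstat(in_fd, &st);
    int out_fd = rc == 0 ? open(dst, O_WRONLY | O_CREAT | create_flags, create_mode) : -1;
    if (out_fd < 0) {
        close(in_fd);
        return -1;
    }
    rc = copy_contents(in_fd, out_fd, mid_copy_mode);
    if (rc == 0)
        rc = fchmod(out_fd, st.st_mode & PERM_MASK);   /* source mode applied only at the end */
    if (close(out_fd) != 0)
        rc = -1;
    close(in_fd);
    if (rc != 0)
        unlink(dst);   /* never leave a half-written destination behind */
    return rc;
}

/* Weak pattern (the bug class of CVE-2019-12450): the destination is created with the
   process default mode (0666 & ~umask), so until the final fchmod its contents are
   readable by whoever the umask allows, however private the source was. */
int copy_file_default_perms(const char *src, const char *dst, int *mid_copy_mode)
{
    return copy_file_impl(src, dst, O_TRUNC, 0666, mid_copy_mode);
}

/* Hardened pattern: create owner-only (0600), refuse to reuse an existing file (O_EXCL),
   and widen to the source's mode only once the content is complete. */
int copy_file_restricted(const char *src, const char *dst, int *mid_copy_mode)
{
    return copy_file_impl(src, dst, O_EXCL, 0600, mid_copy_mode);
}

int main(void)
{
    const char *src = "/tmp/glib_copy_demo_src.txt";   /* constructed sample paths */
    const char *weak = "/tmp/glib_copy_demo_weak.txt";
    const char *safe = "/tmp/glib_copy_demo_safe.txt";
    int mid;
    umask(022);
    if (write_sample_file(src, "private notes\n", 0600) != 0)
        return 1;
    unlink(weak);
    copy_file_default_perms(src, weak, &mid);
    printf("default-perms copy: mode during copy %04o, final %04o\n", (unsigned)mid, (unsigned)file_mode(weak));
    unlink(safe);
    copy_file_restricted(src, safe, &mid);
    printf("restricted copy:    mode during copy %04o, final %04o\n", (unsigned)mid, (unsigned)file_mode(safe));
    return 0;
}
```

With a 0600 source and the usual umask of 022, the first variant reports the destination as 0644 while the copy is running and 0600 only afterwards; the second reports 0600 throughout. The final mode is identical in both cases, which is why a check that only inspects the finished file does not catch this class of defect: the inspection has to happen during the copy, or the creation mode has to be read from the code.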

Comment 7 David GEIGER 2019-11-26 13:24:32 CET
This bug also interferes with bug 25525

Depends on: (none) => 25525
CC: (none) => geiger.david68210

Comment 8 David Walser 2019-11-26 15:14:14 CET
Add the advisory blurb and references from Bug 25525 to this bug's advisory.
Comment 9 Brian Rockwell 2019-11-26 18:22:45 CET
VirtualBox VM - Gnome 64 bit

This looks like a base I/O library

The following 18 packages are going to be installed:

- glib-gettextize-2.60.2-1.2.mga7.x86_64
- glib2.0-common-2.60.2-1.2.mga7.x86_64
- glibc-devel-2.29-19.mga7.x86_64
- kernel-userspace-headers-5.3.13-2.mga7.x86_64
- lib64blkid-devel-2.33.2-1.mga7.x86_64
- lib64ffi-devel-3.2.1-7.mga7.x86_64
- lib64gio2.0_0-2.60.2-1.2.mga7.x86_64
- lib64glib2.0-devel-2.60.2-1.2.mga7.x86_64
- lib64glib2.0-static-devel-2.60.2-1.2.mga7.x86_64
- lib64glib2.0_0-2.60.2-1.2.mga7.x86_64
- lib64mount-devel-2.33.2-1.mga7.x86_64
- lib64pcre-devel-8.43-1.mga7.x86_64
- lib64pcre16_0-8.43-1.mga7.x86_64
- lib64pcre32_0-8.43-1.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch

rebooted the machine

- copied and moved files
- accessed samba drives
- vm shared drives and moved files around
- edited documents

Is this sufficient?

CC: (none) => brtians1

Comment 10 Lewis Smith 2019-11-26 21:07:16 CET
What happened to glib2.0-2.60.2-1.1.mga7.src.rpm?
Comments 6 & 9 cite glib2.0-2.60.2-1.2.mga7.src.rpm.
There is an erroneous bug 25746 on the -1.1 variant, which I am directing here.
Comment 11 David Walser 2019-11-26 21:10:02 CET
It got patched for a security issue; this update supersedes it.
Comment 12 Thomas Andrews 2019-11-27 04:17:02 CET
I have asked the reporter for Bug 25525 to test these newer packages to see if his issue remains fixed, and to report his results here.

CC: (none) => andrewsfarm

Comment 13 Lewis Smith 2019-11-27 10:29:53 CET
I have done likewise for the reporter of bug 25746, which I have re-opened; though having >1 bug for an update is unhelpful. I post his latest comment https://bugs.mageia.org/show_bug.cgi?id=25746#c2 (because he did not heed my request to post directly on this bug). Note that his problem remained with glib2.0-2.60.2-1.2, and that he found a workaround for his hardware. The issue of slow Firefox has, I think, another bug.
------------------------------------------------------------
I have had this problem with glib2.0-2.60.2-1.2.mga7.src.rpm
Several times, as a matter of fact.
In the beginning it was a mystery. I could enter the root password at the request of the MCC window. Then I re-installed the boot loader and MCC crashed. After some time I could, again, enter the root password. I then discovered that the same thing happened after the update of the many libreoffice packages.
My IPC3 box has an mSATA SSD mounted on a FM-USB3 card. I had the, possibly mistaken, idea that the content of the SSD is copied to the faster RAM, and that this takes some time. My firefox is also very jerky to the extent that I cannot use it. My real motive was to get firefox to work properly.
My next idea was that the i7 processors possibly overheated while waiting for the slow SSD. To test this theory I used the command:
cpupower frequency-set -g powersave
I do not know how the IPC3 hardware works, but this command made firefox work without any jerks, and I can enter the root password in MCC.
I am using firefox to enter these lines.
This shows that crashes can be caused by many things.
----------------------------------------------------
Comment 14 David Walser 2019-11-27 18:00:15 CET
Lewis, there are multiple bugs because they are for different issues. Obviously we can only have one assigned to QA, which is why I unassigned the other one.
Comment 15 Brian Rockwell 2019-11-27 20:36:32 CET
$ uname -a
Linux localhost 5.3.11-desktop-1.mga7 #1 SMP Tue Nov 12 23:07:33 UTC 2019 i686 i686 i386 GNU/Linux

Plasma on 32bit, virtualbox

The following 4 packages are going to be installed:

- glib-gettextize-2.60.2-1.2.mga7.i586
- glib2.0-common-2.60.2-1.2.mga7.i586
- libgio2.0_0-2.60.2-1.2.mga7.i586
- libglib2.0_0-2.60.2-1.2.mga7.i586

----

rebooted

----

I've mapped samba drives, copied files, Firefox, Chromium, and Clementine (which is IO intensive at the beginning)

all is working
Comment 16 Herman Viaene 2019-11-28 12:23:12 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
Rebooted after installation, no obvious problems; ran an opd file from an NFS share over Wifi. Updating this bug here works OK.
OK for me.

CC: (none) => herman.viaene

Comment 17 Herman Viaene 2019-11-29 10:06:23 CET
Run anki again on TJ's request from bug 25763: works OK.
Comment 18 Thomas Andrews 2019-11-29 14:08:25 CET
Thank you, Herman. I think that's enough. Giving it an OK.

Lewis, it would appear that the real cause of the issue in Bug 25746 is as yet undetermined. It may be glib2.0, and then again maybe something else. Since no one here has reported that issue, I think it should be addressed separately, and don't believe it is reason enough to hold this update back. If, after the update, that reporter's issue persists, he should note it there.

Validating. Advisory in Comment 6.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA-64-OK
Keywords: (none) => validated_update

Thomas Backlund 2019-11-30 11:51:33 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 19 Mageia Robot 2019-11-30 14:08:04 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0352.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
