Incorrect Permission Assignment for Critical Resource in glib2.0

Do your applications use this vulnerable package? Test your applications

Overview

The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.

References

Debian Bug Report
Debian Security Announcement
Debian Security Announcement
Debian Security Tracker
MISC
MISC
MISC
Netapp Security Advisory
OpenSuse Security Announcement
Ubuntu CVE Tracker
Ubuntu Security Advisory
Ubuntu Security Advisory

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

None
Integrity

High
Availability

None

CVE: CVE-2019-13012
CWE: CWE-732
Snyk ID: SNYK-DEBIAN9-GLIB20-451223
Disclosed: 28 Jun, 2019
Published: 28 Jun, 2019

Incorrect Permission Assignment for Critical Resource
Affecting glib2.0 package, versions <2.50.3-2+deb9u1

Overview

References

CVSS Score

Incorrect Permission Assignment for Critical Resource Affecting glib2.0 package, versions <2.50.3-2+deb9u1

Overview

References

Incorrect Permission Assignment for Critical Resource
Affecting glib2.0 package, versions <2.50.3-2+deb9u1