CVE-2019-12450: gfile: Limit access to files when copying (d8f8f4d6) · Commits · GNOME / GLib · GitLab

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.
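
The exposure window described above, as an added POSIX example that is not GLib's code: `copy_file` and `demo` are hypothetical helpers, the source file is constructed, and plain `open`/`fchmod` stand in for GIO's create flags (assumption: default creation is 0666 minus umask, private creation is 0600).

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to dst: create dst with create_mode, apply the source's mode only
 * after the data is written. Returns dst's mode during the write, -1 on error. */
static int copy_file(const char *src, const char *dst, mode_t create_mode)
{
    char buf[4096];
    struct stat st, mid;
    ssize_t n = -1;
    int in = open(src, O_RDONLY);
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, create_mode);
    if (in >= 0 && out >= 0 && fstat(in, &st) == 0 && fstat(out, &mid) == 0)
        while ((n = read(in, buf, sizeof buf)) > 0)
            if (write(out, buf, (size_t)n) != n) break;  /* leaves n > 0 */
    if (n == 0 && fchmod(out, st.st_mode & 0777) != 0) n = -1;
    if (in >= 0) close(in);
    if (out >= 0) close(out);
    return n == 0 ? (int)(mid.st_mode & 0777) : -1;
}

/* Constructed scenario: a 0600 source copied under umask 022. Returns the
 * destination's mode during the copy (-1 on error); *final gets its end mode. */
static int demo(mode_t create_mode, mode_t *final)
{
    char src[] = "/tmp/copydemoXXXXXX", dst[64];
    struct stat st;
    int during = -1, fd = mkstemp(src);      /* mkstemp creates src as 0600 */
    if (fd < 0) return -1;
    umask(022);                              /* process-wide, typical default */
    snprintf(dst, sizeof dst, "%s.copy", src);
    if (write(fd, "secret\n", 7) == 7)
        during = copy_file(src, dst, create_mode);
    close(fd);
    *final = (during >= 0 && stat(dst, &st) == 0) ? (st.st_mode & 0777) : 0;
    unlink(src); unlink(dst);
    return during;
}

int main(void)
{
    mode_t f = 0;
    int weak = demo(0666, &f), priv = demo(0600, &f);
    printf("during copy: default %04o, private %04o\n", (unsigned)weak, (unsigned)priv);
    return weak < 0 || priv < 0;
}
```

Both runs end with the destination at the source's 0600; only the default-mode run leaves it readable by other users while the data is being written.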


Commit d8f8f4d6 authored May 23, 2019 by

gfile: Limit access to files when copying

file_copy_fallback creates new files with default permissions and sets the correct permissions after the operation is finished. This might cause that the files can be accessible by more users during the operation than expected. Use G_FILE_CREATE_PRIVATE for the new files to limit access to those files.

Pipeline #83814 passed with stages in 11 minutes and 48 seconds


@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source,

out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),

FALSE, NULL,

flags & G_FILE_COPY_BACKUP,

G_FILE_CREATE_REPLACE_DESTINATION,

info,

G_FILE_CREATE_REPLACE_DESTINATION |

G_FILE_CREATE_PRIVATE, info,

cancellable, error);

else

out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),

FALSE, 0, info,

FALSE, G_FILE_CREATE_PRIVATE, info,

cancellable, error);

}

else if (flags & G_FILE_COPY_OVERWRITE)
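
Review bot: both local-file calls in this hunk (_g_local_file_output_stream_replace and _g_local_file_output_stream_create) gain G_FILE_CREATE_PRIVATE with no code comment saying the flag is deliberate and that the destination's real permissions are applied only once the copy has finished. A one-line comment above the first call, such as "create private first; final permissions are set after the data is written", would keep a later cleanup from dropping the flag. Both calls also pass info alongside the flag, so it is worth stating in that comment which of the two decides the mode the file has while it is being written.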

@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source,

out = (GOutputStream *)g_file_replace (destination,

NULL,

flags & G_FILE_COPY_BACKUP,

G_FILE_CREATE_REPLACE_DESTINATION,

G_FILE_CREATE_REPLACE_DESTINATION |

G_FILE_CREATE_PRIVATE,

cancellable, error);

}

else

{

out = (GOutputStream *)g_file_create (destination, 0, cancellable, error);

out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error);

}

if (!out)
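
Review bot: in the final else branch, g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error) replaces a flags value of 0, and the g_file_replace call above it gains the same flag, so every destination created on these paths now starts with restricted access and relies on a later step to receive its intended permissions. That step is outside this hunk; if it is skipped or fails, the copy keeps the restricted mode, which is a behaviour change callers can observe. Please add a test that checks the destination's permissions after a completed copy for each changed call, and note the change in the documentation for the copy operation.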

  • mentioned in merge request !1134 (merged)
  • mentioned in commit 53f6ede62819fca7082e7cc1ed89edb799991f9a
  • mentioned in commit 56e244ecdf9e9419f52b24858d23a014f32fa5a9
  • mentioned in commit b37d628c01da0bd61348b3ac73b7a436af008d8d
