CVE-2019-12450

Description

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.92%• Percentile: 76%

Techniques & Countermeasures

• CWE-276•Incorrect Default Permissions

  During installation, installed file permissions are set to allow anyone to modify those files.

• CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Affected Systems

• canonical•ubuntu_linux

  12.04 | 14.04 | 16.04 | 18.04 | 18.10 | 19.04

• debian•debian_linux

  8.0

• fedoraproject•fedora

  30

• gnome•glib

  ≥ 2.15.0, ≤ 2.61.1

• opensuse•leap

  15.0

• redhat•enterprise_linux

  8.0

• redhat•enterprise_linux_eus

  8.1 | 8.2 | 8.4 | 8.6

• redhat•enterprise_linux_server_aus

  8.2 | 8.4 | 8.6

• redhat•enterprise_linux_server_tus

  8.2 | 8.4 | 8.6

References (8)

• https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
• https://security.netapp.com/advisory/ntap-20190606-0003/
• https://usn.ubuntu.com/4014-1/
• https://usn.ubuntu.com/4014-2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/
• https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html
• http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00076.html
• https://access.redhat.com/errata/RHSA-2019:3530