CVE-2019-12450: Race Condition
First published: Wed May 29 2019(Updated: )
file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 creates new files with default permissions and set the correct permissions after the operation is finished. This might cause that the files can be accessible by more users during the operation than expected. Upstream Commit: <a href="https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174">https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/glib2.0 | <2.56.4-0ubuntu0.18.04.3 | 2.56.4-0ubuntu0.18.04.3 |
| ubuntu/glib2.0 | <2.58.1-2ubuntu0.1 | 2.58.1-2ubuntu0.1 |
| ubuntu/glib2.0 | <2.60.0-1ubuntu0.1 | 2.60.0-1ubuntu0.1 |
| ubuntu/glib2.0 | <2.40.2-0ubuntu1.1+ | 2.40.2-0ubuntu1.1+ |
| ubuntu/glib2.0 | <2.48.2-0ubuntu4.2 | 2.48.2-0ubuntu4.2 |
| debian/glib2.0 | 2.66.8-1+deb11u4 2.66.8-1+deb11u3 2.74.6-2+deb12u3 2.74.6-2+deb12u2 2.82.0-1 | |
| IBM InfoSphere Guardium z/OS | <=10.5 | |
| IBM InfoSphere Guardium z/OS | <=10.6 | |
| IBM InfoSphere Guardium z/OS | <=11.0 | |
| IBM InfoSphere Guardium z/OS | <=11.1 | |
| IBM InfoSphere Guardium z/OS | <=11.2 | |
| IBM InfoSphere Guardium z/OS | <=11.3 | |
| GNOME GLib | >=2.15.0<=2.61.1 | |
| Debian GNU/Linux | =8.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| redhat enterprise Linux eus | =8.1 | |
| redhat enterprise Linux eus | =8.2 | |
| redhat enterprise Linux eus | =8.4 | |
| redhat enterprise Linux eus | =8.6 | |
| redhat enterprise Linux server aus | =8.2 | |
| redhat enterprise Linux server aus | =8.4 | |
| redhat enterprise Linux server aus | =8.6 | |
| redhat enterprise Linux server tus | =8.2 | |
| redhat enterprise Linux server tus | =8.4 | |
| redhat enterprise Linux server tus | =8.6 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =18.10 | |
| Ubuntu Linux | =19.04 | |
| openSUSE | =15.0 | |
| Fedoraproject Fedora | =30 | |
| GNOME libraries | >=2.15.0<=2.61.1 | |
| Debian | =8.0 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =18.10 | |
| Ubuntu | =19.04 | |
| Fedora | =30 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00076.html
- https://access.redhat.com/errata/RHSA-2019:3530
- https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
- https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/
- https://security.netapp.com/advisory/ntap-20190606-0003/
- https://usn.ubuntu.com/4014-1/
- https://usn.ubuntu.com/4014-2/
- https://launchpad.net/bugs/cve/CVE-2019-12450
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1719142
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1719268
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1719270
- https://access.redhat.com/support/policy/updates/errata/
- https://access.redhat.com/security/cve/cve-2019-12450
- https://access.redhat.com/errata/RHSA-2020:3978
- https://bugzilla.redhat.com/show_bug.cgi?id=1719141
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/161792
- https://www.ibm.com/support/pages/node/6455281 (Advisory)
- https://ubuntu.com/security/notices/USN-4014-1
- https://ubuntu.com/security/notices/USN-4014-2
- https://www.cve.org/CVERecord?id=CVE-2019-12450
- https://nvd.nist.gov/vuln/detail/CVE-2019-12450
- https://security-tracker.debian.org/tracker/CVE-2019-12450
- https://ubuntu.com/security/CVE-2019-12450
Frequently Asked Questions
What is CVE-2019-12450?
CVE-2019-12450 is a vulnerability in GNOME GLib 2.15.0 through 2.61.1 that allows a remote attacker to bypass security restrictions.
How does CVE-2019-12450 affect IBM Security Guardium?
CVE-2019-12450 affects IBM Security Guardium versions 10.5 through 11.3.
How does CVE-2019-12450 affect the glib2.0 package in Ubuntu?
CVE-2019-12450 affects the glib2.0 package in Ubuntu versions disco (2.60.0-1ubuntu0.1), bionic (2.56.4-0ubuntu0.18.04.3), and cosmic (2.58.1-2ubuntu0.1).
What is the severity of CVE-2019-12450?
CVE-2019-12450 has a severity rating of critical (9.8).
Where can I find more information about CVE-2019-12450?
You can find more information about CVE-2019-12450 in the references: http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00076.html, https://access.redhat.com/errata/RHSA-2019:3530, https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174.
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-12450
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/references
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/trending
- agent/source
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- agent/author
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- agent/tags
- agent/softwarecombine
- package-manager/ubuntu
- package-manager/debian
- vendor/ibm
- canonical/ibm infosphere guardium z/os
- version/ibm infosphere guardium z/os/10.5
- version/ibm infosphere guardium z/os/10.6
- version/ibm infosphere guardium z/os/11.0
- version/ibm infosphere guardium z/os/11.1
- version/ibm infosphere guardium z/os/11.2
- version/ibm infosphere guardium z/os/11.3
- vendor/gnome
- canonical/gnome glib
- version/gnome glib/2.15.0
- version/gnome glib/2.61.1
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/8.0
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/8.1
- version/redhat enterprise linux eus/8.2
- version/redhat enterprise linux eus/8.4
- version/redhat enterprise linux eus/8.6
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/8.2
- version/redhat enterprise linux server aus/8.4
- version/redhat enterprise linux server aus/8.6
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/8.2
- version/redhat enterprise linux server tus/8.4
- version/redhat enterprise linux server tus/8.6
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/12.04
- version/ubuntu linux/14.04
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/18.10
- version/ubuntu linux/19.04
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- canonical/gnome libraries
- version/gnome libraries/2.15.0
- version/gnome libraries/2.61.1
- canonical/debian
- version/debian/8.0
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/18.10
- version/ubuntu/19.04
- canonical/fedora
- version/fedora/30