CVE-2019-12450: Race Condition
First published: Wed May 29 2019(Updated: )
file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 creates new files with default permissions and set the correct permissions after the operation is finished. This might cause that the files can be accessible by more users during the operation than expected. Upstream Commit: <a href="https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174">https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174</a>
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNOME GLib | >=2.15.0<=2.61.1 | |
| Debian Debian Linux | =8.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux Eus | =8.1 | |
| Redhat Enterprise Linux Eus | =8.2 | |
| Redhat Enterprise Linux Eus | =8.4 | |
| Redhat Enterprise Linux Eus | =8.6 | |
| Redhat Enterprise Linux Server Aus | =8.2 | |
| Redhat Enterprise Linux Server Aus | =8.4 | |
| Redhat Enterprise Linux Server Aus | =8.6 | |
| Redhat Enterprise Linux Server Tus | =8.2 | |
| Redhat Enterprise Linux Server Tus | =8.4 | |
| Redhat Enterprise Linux Server Tus | =8.6 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =18.10 | |
| Canonical Ubuntu Linux | =19.04 | |
| openSUSE Leap | =15.0 | |
| Fedoraproject Fedora | =30 | |
| IBM Security Guardium | <=10.5 | |
| IBM Security Guardium | <=10.6 | |
| IBM Security Guardium | <=11.0 | |
| IBM Security Guardium | <=11.1 | |
| IBM Security Guardium | <=11.2 | |
| IBM Security Guardium | <=11.3 | |
| ubuntu/glib2.0 | <2.56.4-0ubuntu0.18.04.3 | 2.56.4-0ubuntu0.18.04.3 |
| ubuntu/glib2.0 | <2.58.1-2ubuntu0.1 | 2.58.1-2ubuntu0.1 |
| ubuntu/glib2.0 | <2.60.0-1ubuntu0.1 | 2.60.0-1ubuntu0.1 |
| ubuntu/glib2.0 | <2.40.2-0ubuntu1.1+ | 2.40.2-0ubuntu1.1+ |
| ubuntu/glib2.0 | <2.48.2-0ubuntu4.2 | 2.48.2-0ubuntu4.2 |
| debian/glib2.0 | 2.66.8-1+deb11u4 2.66.8-1+deb11u3 2.74.6-2+deb12u3 2.74.6-2+deb12u2 2.82.0-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00076.html
- https://access.redhat.com/errata/RHSA-2019:3530
- https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
- https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/
- https://security.netapp.com/advisory/ntap-20190606-0003/
- https://usn.ubuntu.com/4014-1/
- https://usn.ubuntu.com/4014-2/
- https://launchpad.net/bugs/cve/CVE-2019-12450
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1719142
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1719268
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1719270
- https://access.redhat.com/support/policy/updates/errata/
- https://access.redhat.com/security/cve/cve-2019-12450
- https://access.redhat.com/errata/RHSA-2020:3978
- https://bugzilla.redhat.com/show_bug.cgi?id=1719141
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/161792
- https://www.ibm.com/support/pages/node/6455281 (Advisory)
- https://ubuntu.com/security/notices/USN-4014-1
- https://ubuntu.com/security/notices/USN-4014-2
- https://www.cve.org/CVERecord?id=CVE-2019-12450
- https://nvd.nist.gov/vuln/detail/CVE-2019-12450
- https://security-tracker.debian.org/tracker/CVE-2019-12450
- https://ubuntu.com/security/CVE-2019-12450
Frequently Asked Questions
What is CVE-2019-12450?
CVE-2019-12450 is a vulnerability in GNOME GLib 2.15.0 through 2.61.1 that allows a remote attacker to bypass security restrictions.
How does CVE-2019-12450 affect IBM Security Guardium?
CVE-2019-12450 affects IBM Security Guardium versions 10.5 through 11.3.
How does CVE-2019-12450 affect the glib2.0 package in Ubuntu?
CVE-2019-12450 affects the glib2.0 package in Ubuntu versions disco (2.60.0-1ubuntu0.1), bionic (2.56.4-0ubuntu0.18.04.3), and cosmic (2.58.1-2ubuntu0.1).
What is the severity of CVE-2019-12450?
CVE-2019-12450 has a severity rating of critical (9.8).
Where can I find more information about CVE-2019-12450?
You can find more information about CVE-2019-12450 in the references: http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00076.html, https://access.redhat.com/errata/RHSA-2019:3530, https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-12450
- agent/author
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- agent/tags
- agent/event
- vendor/gnome
- canonical/gnome glib
- version/gnome glib/2.15.0
- version/gnome glib/2.61.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/8.1
- version/redhat enterprise linux eus/8.2
- version/redhat enterprise linux eus/8.4
- version/redhat enterprise linux eus/8.6
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/8.2
- version/redhat enterprise linux server aus/8.4
- version/redhat enterprise linux server aus/8.6
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/8.2
- version/redhat enterprise linux server tus/8.4
- version/redhat enterprise linux server tus/8.6
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/18.10
- version/canonical ubuntu linux/19.04
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- vendor/ibm
- canonical/ibm security guardium
- version/ibm security guardium/10.5
- version/ibm security guardium/10.6
- version/ibm security guardium/11.0
- version/ibm security guardium/11.1
- version/ibm security guardium/11.2
- version/ibm security guardium/11.3
- package-manager/ubuntu
- package-manager/debian