The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using `g_file_make_directory_with_parents(kfsb->dir, NULL, NULL)` and files using `g_file_replace_contents(kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL)`. Consequently, it does not properly restrict directory (and file) permissions: directories are created with 0777 permissions and files with the default file permissions, both reduced only by the process umask. This is similar to CVE-2019-12450.
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
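To make the effect of the mode arguments checkable without GLib, here is an added example (not GLib's code) that performs the backend's two steps with plain POSIX calls: the loose variant mirrors the pre-2.60 pattern (directory 0777, file with the default 0666 create mode), the private variant the hardened form (directory 0700, file 0600, which is what GLib's `G_FILE_CREATE_PRIVATE` flag yields). The `/tmp` paths, the `keyfile` name and the umask of 022 are assumptions made for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a settings directory and one keyfile inside it, then report which
 * permission bits are exposed to group/other (st_mode & 077, ORed over both
 * entries). 0 means nothing is readable or writable by other users.
 * private_mode == 0 reproduces the pre-2.60 behaviour; 1 is the hardened form.
 * Returns -1 on any error. The demo entries are removed before returning. */
static int create_settings(const char *dir, int private_mode)
{
    char file[4096];
    struct stat st;
    const char *contents = "[org/example]\nkey=value\n";  /* constructed sample */
    mode_t dir_mode = private_mode ? 0700 : 0777;
    mode_t file_mode = private_mode ? 0600 : 0666;
    int fd, leaked = 0;

    umask(022);  /* assumption: the common default umask, for deterministic results */
    if (mkdir(dir, dir_mode) != 0)
        return -1;
    if (stat(dir, &st) != 0)
        return -1;
    leaked |= (int)(st.st_mode & 077);  /* 0777 & ~022 -> 0755 -> 055 leaks */

    snprintf(file, sizeof file, "%s/keyfile", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_TRUNC, file_mode);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    if (write(fd, contents, strlen(contents)) < 0) {
        close(fd); unlink(file); rmdir(dir);
        return -1;
    }
    close(fd);
    if (stat(file, &st) == 0)
        leaked |= (int)(st.st_mode & 077);  /* 0666 & ~022 -> 0644 -> 044 leaks */

    unlink(file);
    rmdir(dir);
    return leaked;
}

int main(void)
{
    printf("loose   leaks %03o\n", create_settings("/tmp/kfsb-demo-loose", 0));
    printf("private leaks %03o\n", create_settings("/tmp/kfsb-demo-private", 1));
    return 0;
}
```

Under umask 022 the loose variant leaves the directory 0755 and the file 0644, so other local users can read the settings; the private variant exposes nothing.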
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Glib | Gnome | 2.0.0 (including) | 2.59.1 (excluding) |
| Glib2.0 | Ubuntu | bionic | * |
| Glib2.0 | Ubuntu | cosmic | * |
| Glib2.0 | Ubuntu | trusty | * |
| Glib2.0 | Ubuntu | trusty/esm | * |
| Glib2.0 | Ubuntu | upstream | * |
| Glib2.0 | Ubuntu | xenial | * |
| Red Hat Enterprise Linux 8 | RedHat | glib2-0:2.56.4-9.el8 | * |