Suspected memory leak in xenial backport of fix for CVE-2019-13012

Bug #1838890 reported by Simon McVittie
Affects            Status         Importance   Assigned to           Milestone
glib2.0 (Ubuntu)   In Progress    High         Leonidas S. Barbosa
Precise            Fix Released   Undecided    Leonidas S. Barbosa
Trusty             In Progress    Undecided    Leonidas S. Barbosa
Xenial             Fix Released   Undecided    Leonidas S. Barbosa

Bug Description

(This is only from source code inspection, not tested in real use - I don't actually use Ubuntu.)

The upstream fix for CVE-2019-13012 included this change:

- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
+ g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);

However, g_file_peek_path() was only introduced in GLib 2.56. The backport in the xenial package has this instead:

- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
+ g_mkdir_with_parents (g_file_get_path (kfsb->dir), 0700);
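
Review bot: on the added line, the string returned by g_file_get_path (kfsb->dir) is passed directly as an argument and no pointer to it is kept, so nothing can g_free() it afterwards. g_file_get_path() returns a newly allocated copy, unlike g_file_peek_path(), so every pass through this line leaks one path string. Store the result in a local variable, pass that to g_mkdir_with_parents(), and g_free() it after the call.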

This is not equivalent. The difference between g_file_peek_path() and the older g_file_get_path() is that g_file_get_path() makes a copy, which must be freed with g_free() after use. As a result, there is now a memory leak.

A non-leaky backport would look something like this, which is what I've done in a proposed backport for Debian 9 'stretch':

+ char *dir;
...
- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
+ dir = g_file_get_path (kfsb->dir);
+ g_mkdir_with_parents (dir, 0700);
+ g_free (dir);
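
Review bot: the return value of g_mkdir_with_parents (dir, 0700) is discarded, so a failure to create the directory goes unnoticed at this point. The replaced g_file_make_directory_with_parents() call also passed NULL for its error argument, so this matches the previous behaviour, but if later code relies on the directory existing with mode 0700 it would be worth checking the result here. g_file_get_path() can also return NULL when the GFile has no local path; confirm that kfsb->dir is always a local file, or check dir before using it.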

Sebastien Bacher (seb128) wrote :

Thanks for the report Simon! Leo, could you have a look?

Changed in glib2.0 (Ubuntu):
importance: Undecided → High
Changed in glib2.0 (Ubuntu):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in glib2.0 (Ubuntu):
status: New → In Progress
Changed in glib2.0 (Ubuntu Precise):
status: New → In Progress
Changed in glib2.0 (Ubuntu Trusty):
status: New → In Progress
Changed in glib2.0 (Ubuntu Xenial):
status: New → In Progress
Changed in glib2.0 (Ubuntu Precise):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in glib2.0 (Ubuntu Trusty):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in glib2.0 (Ubuntu Xenial):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glib2.0 - 2.48.2-0ubuntu4.4

---------------
glib2.0 (2.48.2-0ubuntu4.4) xenial-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update (LP: #1838890)
    - debian/patches/CVE-2019-13012-regression.patch: fix a
      memory leak introduced by the last security update while
      not properly handled the g_file_get_patch function in
      gio/gkeyfilesettingsbackend.c.

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 05 Aug 2019 12:09:36 -0300

Changed in glib2.0 (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glib2.0 - 2.32.4-0ubuntu1.4

---------------
glib2.0 (2.32.4-0ubuntu1.4) precise-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update (LP: #1838890)
    - debian/patches/CVE-2019-13012-regression.patch: fix a
      memory leak introduced by the last security update while
      not properly handled the g_file_get_patch function in
      gio/gkeyfilesettingsbackend.c.

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 05 Aug 2019 12:54:19 -0300

Changed in glib2.0 (Ubuntu Precise):
status: In Progress → Fix Released