group.of.nepali.translators team mailing list archive
Message #31593
[Bug 1838890] Re: Suspected memory leak in xenial backport of fix for CVE-2019-13012
** Changed in: glib2.0 (Ubuntu)
Status: New => In Progress
** Also affects: glib2.0 (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: glib2.0 (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: glib2.0 (Ubuntu Trusty)
Importance: Undecided
Status: New
** Changed in: glib2.0 (Ubuntu Precise)
Status: New => In Progress
** Changed in: glib2.0 (Ubuntu Trusty)
Status: New => In Progress
** Changed in: glib2.0 (Ubuntu Xenial)
Status: New => In Progress
** Changed in: glib2.0 (Ubuntu Precise)
Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)
** Changed in: glib2.0 (Ubuntu Trusty)
Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)
** Changed in: glib2.0 (Ubuntu Xenial)
Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1838890
Title:
Suspected memory leak in xenial backport of fix for CVE-2019-13012
Status in glib2.0 package in Ubuntu:
In Progress
Status in glib2.0 source package in Precise:
In Progress
Status in glib2.0 source package in Trusty:
In Progress
Status in glib2.0 source package in Xenial:
In Progress
Bug description:
(This is only from source code inspection, not tested in real use - I
don't actually use Ubuntu.)
The upstream fix for CVE-2019-13012 included this change:
- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
+ g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
However, g_file_peek_path() was only introduced in GLib 2.56. The
backport in the xenial package has this instead:
- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
+ g_mkdir_with_parents (g_file_get_path (kfsb->dir), 0700);
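Review bot: in the added line the string returned by g_file_get_path() is passed directly as an argument to g_mkdir_with_parents(), so nothing holds the pointer afterwards and it can never be handed to g_free(). Assign the result to a local variable, make the call, then free that variable.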
This is not equivalent. The difference between g_file_peek_path() and
the older g_file_get_path() is that g_file_get_path() makes a copy,
which must be freed with g_free() after use. As a result, there is now
a memory leak.
A non-leaky backport would look something like this, which is what
I've done in a proposed backport for Debian 9 'stretch':
+ char *dir;
...
- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
+ dir = g_file_get_path (kfsb->dir);
+ g_mkdir_with_parents (dir, 0700);
+ g_free (dir);
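Review bot: the result of g_mkdir_with_parents (dir, 0700) is discarded, so a failure to create the directory is silent at this point; unless the code that follows reports it, check for -1 and warn or propagate the error. It is also worth a comment next to the g_file_get_path() call that it returns NULL when the GFile has no local path, and that this sequence then relies on g_mkdir_with_parents() rejecting a NULL pathname and on g_free() accepting NULL.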