ulnerable Package : glib2-debuginfo - version 2.56.1-5.el7

[suri496]

Hi Guys,

Good day to all.

This is regarding patching. From Rapid7 below vulnerability is showing on Centos 7.9.2009
Vulnerable Package : glib2-debuginfo - version 2.56.1-5.el7 is installed

Vulnerability Description :
file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

I have tried do yum update but but all are up to date even repos as well.

Can you help with it.

[TrevorH]

Well it's incredibly unlikely that the problem would be in the debuginfo package. However, the glib2 package is built from the same source and the debuginfo package is just a spin-off from that build. The rpm changelog says

* Thu May 14 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 2.56.1-7
- Backport patch to limit access to files when copying (CVE-2019-12450)
Resolves: #1722099

* Wed Apr 15 2020 Jens Petersen <petersen@redhat.com> - 2.56.1-6
- Backport patches for GDBus auth
Resolves: #1777221

And the first one there looks like the thing you are talking about.

[suri496]

Hello TrevorH,

Thanks for reply.

Can you please suggest how to remediate this vulnerability ?

Regards,
Suresh

Well it's incredibly unlikely that the problem would be in the debuginfo package. However, the glib2 package is built from the same source and the debuginfo package is just a spin-off from that build. The rpm changelog says

* Thu May 14 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 2.56.1-7
- Backport patch to limit access to files when copying (CVE-2019-12450)
Resolves: #1722099

* Wed Apr 15 2020 Jens Petersen <petersen@redhat.com> - 2.56.1-6
- Backport patches for GDBus auth
Resolves: #1777221

And the first one there looks like the thing you are talking about.

[TrevorH]

The changelog says it's already fixed as far as I can see so it's not a vulnerability, it's a false detection.