Vulnerable Package : glib2-debuginfo - version 2.56.1-5.el7

Post by suri496 » 2020/11/16 10:36:04

Hi Guys,

Good day to all.

This is regarding patching. Rapid7 is showing the vulnerability below on CentOS 7.9.2009:
Vulnerable Package : glib2-debuginfo - version 2.56.1-5.el7 is installed

Vulnerability Description :
file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

I have tried to do a yum update, but all packages are up to date, and the repos as well.

Can you help with it?


Re: Vulnerable Package : glib2-debuginfo - version 2.56.1-5.el7

Post by TrevorH » 2020/11/16 11:11:04

Well it's incredibly unlikely that the problem would be in the debuginfo package. However, the glib2 package is built from the same source and the debuginfo package is just a spin-off from that build. The rpm changelog says
* Thu May 14 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 2.56.1-7
- Backport patch to limit access to files when copying (CVE-2019-12450)
Resolves: #1722099

* Wed Apr 15 2020 Jens Petersen <petersen@redhat.com> - 2.56.1-6
- Backport patches for GDBus auth
Resolves: #1777221
And the first one there looks like the thing you are talking about.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke


Re: Vulnerable Package : glib2-debuginfo - version 2.56.1-5.el7

Post by suri496 » 2020/11/16 11:29:41

Hello TrevorH,

Thanks for the reply.

Can you please suggest how to remediate this vulnerability?

Regards,
Suresh

TrevorH wrote:
2020/11/16 11:11:04
Well it's incredibly unlikely that the problem would be in the debuginfo package. However, the glib2 package is built from the same source and the debuginfo package is just a spin-off from that build. The rpm changelog says
* Thu May 14 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 2.56.1-7
- Backport patch to limit access to files when copying (CVE-2019-12450)
Resolves: #1722099

* Wed Apr 15 2020 Jens Petersen <petersen@redhat.com> - 2.56.1-6
- Backport patches for GDBus auth
Resolves: #1777221
And the first one there looks like the thing you are talking about.


Re: Vulnerable Package : glib2-debuginfo - version 2.56.1-5.el7

Post by TrevorH » 2020/11/16 12:04:57

The changelog says it's already fixed as far as I can see so it's not a vulnerability, it's a false detection.
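Added example (not part of the original thread or of any poster's reply): one way to check a scanner finding like this against the RPM changelog, by finding the build in which the changelog records the CVE fix and comparing each installed build from the same source against it. The function names are hypothetical, the changelog text is the excerpt quoted above, and the installed glib2 build in the sample is a constructed value.

```shell
# Constructed sample: the changelog excerpt quoted in the thread.
# On a real host use the output of: rpm -q --changelog glib2
SAMPLE_CHANGELOG='* Thu May 14 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 2.56.1-7
- Backport patch to limit access to files when copying (CVE-2019-12450)
  Resolves: #1722099

* Wed Apr 15 2020 Jens Petersen <petersen@redhat.com> - 2.56.1-6
- Backport patches for GDBus auth
  Resolves: #1777221'

# Read a changelog on stdin and print the version-release of the oldest entry
# that mentions CVE $1. Entries are newest first, so the last match wins.
fix_build_for_cve() {
    awk -v cve="$1" '
        /^\* /         { build = $NF }    # entry header ends with version-release
        index($0, cve) { found = build }  # CVE appears under the current entry
        END            { if (found == "") exit 1; print found }
    '
}

# Drop the dist tag (".el7", ".el7_9", ...) so builds compare on version-release.
strip_dist() { printf '%s\n' "${1%%.el[0-9]*}"; }

# Succeed if installed build $1 is at or after fix build $2.
# sort -V approximates rpm version ordering; adequate for same-version builds.
build_has_fix() {
    inst=$(strip_dist "$1"); fix=$(strip_dist "$2")
    [ "$(printf '%s\n%s\n' "$fix" "$inst" | sort -V | head -n 1)" = "$fix" ]
}

# Report every package built from the glib2 source RPM. The glib2 line is a
# constructed value; the glib2-debuginfo line is the build the scanner reported.
# On a real host: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{SOURCERPM}\n'
report() {
    fixed_in=$(printf '%s\n' "$SAMPLE_CHANGELOG" | fix_build_for_cve "$1") || return 1
    while read -r name build; do
        if build_has_fix "$build" "$fixed_in"; then state="at or after"; else state="older than"; fi
        echo "$name $build is $state fix build $fixed_in"
    done <<EOF
glib2 2.56.1-7.el7
glib2-debuginfo 2.56.1-5.el7
EOF
}

report CVE-2019-12450
```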
