Security Advisory Details

NS-SA-2022-0053

2022-05-08 20:35:23

Summary

critical: glib2/grafana security update

Severity

critical

Topic

An update for glib2/grafana is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

glib2: This package provides debug sources for package glib2. Debug sources are useful when developing applications that use this package or when debugging this package.
grafana: This package provides debug information for package grafana. Debug information is useful when developing applications that use this package or when debugging this package.


Security Fix(es):
glib2: The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.(CVE-2019-13012)
glib2: An integer wraparound was discovered in GLib: a 64-bit size value is passed to g_memdup(), whose byte_size argument is a 32-bit guint, so the length is silently truncated. An attacker may abuse this flaw when an application linked against GLib uses g_bytes_new(), or possibly other functions that call g_memdup() underneath and accept a 64-bit size argument. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-27219)
glib2: bugfix
grafana: A flaw was found in grafana: an XSS via a query alias for the ElasticSearch datasource is allowed.(CVE-2020-24303)
grafana: A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-27846)
grafana: bugfix
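The CVE-2019-13012 entry above describes a settings directory created with 0777 permissions and a file created with the process default mode, so only the umask keeps other local users out. The following C program is an added example, not the advisory's or GLib's code: it reproduces that pattern with plain POSIX calls and places beside it an owner-only variant (0700 directory, 0600 file created with O_EXCL|O_NOFOLLOW). The scratch tree under /tmp, the dconf/user path names and the file contents are constructed for the demonstration.

```c
/* Added example modelling the CVE-2019-13012 permission pattern with POSIX
 * calls (not GLib code). write_settings_permissive() mirrors the vulnerable
 * shape; write_settings_private() is the owner-only form. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample contents; the real backend writes GSettings keys. */
#define CONTENTS "[org/example]\nsecret='hunter2'\n"

/* Permission bits (st_mode & 07777) of path, or -1 on error. */
static int perm_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Vulnerable shape: directory requested as 0777, file with default mode,
 * so the resulting modes are 0777 & ~umask and 0666 & ~umask. */
static int write_settings_permissive(const char *dir, const char *file)
{
    if (mkdir(dir, 0777) != 0)
        return -1;
    FILE *f = fopen(file, "w");
    if (!f)
        return -1;
    fputs(CONTENTS, f);
    return fclose(f);
}

/* Hardened shape: owner-only directory and file regardless of umask,
 * refusing to reuse or follow a pre-existing path. */
static int write_settings_private(const char *dir, const char *file)
{
    if (mkdir(dir, 0700) != 0)
        return -1;
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    size_t n = strlen(CONTENTS);
    if (write(fd, CONTENTS, n) != (ssize_t)n) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Runs one writer in a fresh mkdtemp() tree, returns the directory and file
 * permission bits packed as (dir_bits << 12) | file_bits, or -1 on error,
 * and removes the tree again. */
static int run_writer(int (*writer)(const char *, const char *))
{
    char root[] = "/tmp/kfsb-XXXXXX";
    if (!mkdtemp(root))
        return -1;
    char dir[256], file[256];
    snprintf(dir, sizeof dir, "%s/dconf", root);
    snprintf(file, sizeof file, "%s/dconf/user", root);
    int rc = writer(dir, file);
    int dbits = perm_bits(dir), fbits = perm_bits(file);
    unlink(file);
    rmdir(dir);
    rmdir(root);
    if (rc != 0 || dbits < 0 || fbits < 0)
        return -1;
    return (dbits << 12) | fbits;
}

/* True if any group or other permission bit is set. */
static int world_accessible(int bits)
{
    return (bits & 077) != 0;
}

int main(void)
{
    int p = run_writer(write_settings_permissive);
    int h = run_writer(write_settings_private);
    printf("permissive: dir %04o file %04o\n", p >> 12, p & 07777);
    printf("private:    dir %04o file %04o\n", h >> 12, h & 07777);
    return 0;
}
```

The permissive variant's result depends entirely on the umask in force when it runs; the private variant gives 0700/0600 on every run, which is the property a per-user settings store needs.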

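The CVE-2021-27219 entry describes a 64-bit size passed to g_memdup(), whose length parameter is 32-bit. The following C program is an added example, not GLib's code: the Bytes struct, memdup_u32(), memdup_sized() and the two constructors are stand-ins modelled on g_bytes_new()/g_memdup() and on a size_t-wide replacement (the shape of g_memdup2() in later GLib); the sample buffer is constructed. The buggy constructor copies only the truncated byte count, so it runs safely with a small buffer and a huge claimed length, and the program reports the gap between the stored length and the allocation that a later consumer would trust.

```c
/* Added example modelling the CVE-2021-27219 wraparound (not GLib code):
 * the stored length is 64-bit, the copy length passes through a 32-bit
 * parameter, and the two disagree for sizes of 4 GiB and above. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

_Static_assert(sizeof(size_t) >= 8, "example needs a 64-bit size_t");

typedef struct {
    size_t len;     /* what the object claims to hold (64-bit) */
    size_t alloc;   /* what was actually allocated and copied */
    uint8_t *data;
} Bytes;

/* Vulnerable shape: length parameter is 32-bit, like g_memdup(guint). */
static void *memdup_u32(const void *mem, uint32_t byte_size)
{
    void *p = malloc(byte_size ? byte_size : 1);
    if (p && mem)
        memcpy(p, mem, byte_size);
    return p;
}

/* Fixed shape: length stays size_t end-to-end, like g_memdup2(gsize).
 * Allocation failure returns NULL instead of a silently shorter copy. */
static void *memdup_sized(const void *mem, size_t byte_size)
{
    void *p = malloc(byte_size ? byte_size : 1);
    if (p && mem)
        memcpy(p, mem, byte_size);
    return p;
}

/* Audit helper: does a size_t survive conversion to a 32-bit parameter? */
static int fits_u32(size_t n)
{
    return n <= UINT32_MAX;
}

/* Buggy constructor: stores the full size, copies through the guint API. */
static Bytes *bytes_new_buggy(const void *mem, size_t size)
{
    Bytes *b = calloc(1, sizeof *b);
    if (!b)
        return NULL;
    b->len = size;
    b->alloc = (uint32_t)size;                  /* the narrowing at the call */
    b->data = memdup_u32(mem, (uint32_t)size);
    if (!b->data) {
        free(b);
        return NULL;
    }
    return b;
}

/* Fixed constructor: size_t all the way, so len always equals alloc. */
static Bytes *bytes_new_fixed(const void *mem, size_t size)
{
    Bytes *b = calloc(1, sizeof *b);
    if (!b)
        return NULL;
    b->len = b->alloc = size;
    b->data = memdup_sized(mem, size);
    if (!b->data) {
        free(b);
        return NULL;
    }
    return b;
}

static void bytes_free(Bytes *b)
{
    if (b) {
        free(b->data);
        free(b);
    }
}

/* Bytes a consumer trusting ->len would read past the real allocation. */
static size_t bytes_over_read(const Bytes *b)
{
    return b->len > b->alloc ? b->len - b->alloc : 0;
}

int main(void)
{
    static const uint8_t sample[] = "constructed data";   /* constructed input */
    size_t claimed = ((size_t)1 << 32) + sizeof sample;   /* wraps to 17 */

    Bytes *b = bytes_new_buggy(sample, claimed);
    if (!b)
        return 1;
    printf("fits_u32: %d, claimed %zu, allocated %zu, over-read %zu bytes\n",
           fits_u32(claimed), b->len, b->alloc, bytes_over_read(b));
    bytes_free(b);
    return 0;
}
```

The practical takeaway for code review is the audit helper: any path where a gsize or size_t reaches a guint parameter is a truncation point, and the fix is to widen the parameter (as g_memdup2() does) rather than to clamp the value.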

Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.02.80B5.
Note that the fixes are backported: the updated glib2 is still version 2.56.4 and the updated grafana still 7.3.6, so check the installed package release against the Update Packages list (glib2-2.56.4-10.el8_4 and grafana-7.3.6-2.el8) rather than against the upstream versions quoted in the CVE descriptions.

Affected Components

  • glib2
  • grafana

Affected Products

  • CGSL MAIN 6.02

Update Packages

CGSL MAIN 6.02

glib2 (source: glib2-2.56.4-10.el8_4.src.rpm)

  • glib2-2.56.4-10.el8_4.x86_64.rpm
  • glib2-devel-2.56.4-10.el8_4.x86_64.rpm
  • glib2-static-2.56.4-10.el8_4.x86_64.rpm
  • glib2-fam-2.56.4-10.el8_4.x86_64.rpm
  • glib2-tests-2.56.4-10.el8_4.x86_64.rpm
  • glib2-debuginfo-2.56.4-10.el8_4.x86_64.rpm
  • glib2-debugsource-2.56.4-10.el8_4.x86_64.rpm
  • glib2-devel-debuginfo-2.56.4-10.el8_4.x86_64.rpm
  • glib2-fam-debuginfo-2.56.4-10.el8_4.x86_64.rpm
  • glib2-tests-debuginfo-2.56.4-10.el8_4.x86_64.rpm

grafana (source: grafana-7.3.6-2.el8.src.rpm)

  • grafana-7.3.6-2.el8.x86_64.rpm
  • grafana-debuginfo-7.3.6-2.el8.x86_64.rpm

CVE

  • CVE-2019-13012
  • CVE-2021-27219
  • CVE-2020-24303
  • CVE-2020-27846

References