SB2020093029 - Red Hat Enterprise Linux 7 update for glib2 and ibus

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-12450)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the application applies default directory permissions to files while copying them in file_copy_fallback() function in gio/gfile.c. A local user can interfere with the copying operation and gain access to otherwise restricted files, as the application applies correct access permissions after the file was copied only.

Such application behavior allows a local user to access potentially sensitive data or modify file contents in case directory permissions that were applied to the file allow such operations.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-14822)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to iBus does not check user privileges when allowing connection to the AF_UNIX socket. A local user can connect to an existing AF_UNIX socket and perform arbitrary actions, such read and send messages on behalf of another user connected on a graphical environment. 

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2020:3978