Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 286102 (CVE-2009-3289) - <dev-libs/glib-2.20.5-r1: symlink permission error (CVE-2009-3289)
Summary: <dev-libs/glib-2.20.5-r1: symlink permission error (CVE-2009-3289)
Status: RESOLVED FIXED
Alias: CVE-2009-3289
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: https://bugs.launchpad.net/ubuntu/+so...
Whiteboard: A3 [noglsa]
Keywords:
Depends on: 292292
Blocks:
  Show dependency tree
 
Reported: 2009-09-23 15:18 UTC by Alex Legler (RETIRED)
Modified: 2014-05-31 22:20 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
glib2-CVE-2009-3289.patch (glib2-CVE-2009-3289.patch,4.51 KB, patch)
2009-09-23 15:27 UTC, Alex Legler (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-23 15:18:59 UTC
CVE-2009-3289 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3289):
  The g_file_copy function in glib 2.0 sets the permissions of a target
  file to the permissions of a symbolic link (777), which allows
  user-assisted local users to modify files of other users, as
  demonstrated by using Nautilus to modify the permissions of the user
  home directory.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-23 15:27:36 UTC
Created attachment 205029 [details, diff]
glib2-CVE-2009-3289.patch

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=593406

The patch covers the following commits:
commit 3826963e65d8c4c68bcd3e4066505f63ef734b95
commit 48e0af0157f52ac12b904bd92540432a18b139c7
commit bb7852e34b1845e516290e1b45a960a345ee8a43
commit fc44bf40a4eff8e122b223e97ee5efcbc548be03
commit e695c0932f5d02f3b222f0b7a3de1f8c00ba7b81
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 14:56:22 UTC
gnome: can you apply the patch?
Comment 3 Romain Perier (RETIRED) gentoo-dev 2009-11-06 19:55:36 UTC
See the following discussion on IRC with a3li :
<mrpouet> a3li: ping
<a3li> mrpouet: ¿sì?
<mrpouet> security fix for glib is only for 2.20.5 not for 2.22.2, this patch is already present in 2.22.2 :)
<mrpouet> see timeline (git.gnome.org/cgit/glib)
<mrpouet> there is a tag for 2.22.2 date : 2009-10-07, your patch contains fixes commited before this release bugfixes (2009-10-01)
<a3li> mrpouet: okay. how do you want to proceed?
<mrpouet> so your patch is good just for 2.20.5, so I'll commit this patch for 2.20.5 (with a revbump)
<mrpouet> then we must ask a stablereq in few days
<a3li> mrpouet: and that .5-r1 is your candidate for stabilization then, I guess
<mrpouet> exactly :)

This security fix is only for glib-2.20.5 because glib-2.22.2 already includes it, I commited it for 2.20.5 with a revbump in the main tree :)
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-06 19:59:16 UTC
Arches, please test and mark stable:
=dev-libs/glib-2.20.5-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-07 17:09:49 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2009-11-07 21:20:03 UTC
Stbale on alpha.
Comment 7 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-11-08 23:03:26 UTC
I found bug 292439 but there is around no chance someone fail on it.

So, ppc stable.
Comment 8 Markus Meier gentoo-dev 2009-11-09 12:45:06 UTC
amd64/arm stable
Comment 9 Tiago Cunha (RETIRED) gentoo-dev 2009-11-09 15:43:13 UTC
sparc stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-11-10 18:29:00 UTC
ia64/m68k/s390/sh stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-11-11 00:47:03 UTC
  09 Nov 2009; Jeroen Roovers <jer@gentoo.org> glib-2.20.5-r1.ebuild:
  Stable for HPPA (bug #286102).
Comment 12 Brent Baude (RETIRED) gentoo-dev 2009-11-17 16:19:38 UTC
ppc64 done
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:59:54 UTC
Added to pending glsa.
Comment 14 Gilles Dartiguelongue (RETIRED) gentoo-dev 2012-06-23 12:30:47 UTC
We are running to a three years delay. Is this still worth a glsa ?
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 22:20:11 UTC
This issue has been fixed since Nov 17, 2009. No GLSA will be issued. However, users will be encouraged to update in a future GLSA.