CVE-2021-28153: An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)
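As an added illustration (not GLib's code and not from this bug), the following plain POSIX C program emulates the semantics G_FILE_CREATE_REPLACE_DESTINATION is meant to have and then checks the exact case the CVE text describes: replacing a path that is a dangling symlink must swap out the symlink entry itself and must not create the symlink's target. It assumes a writable /tmp; the function names are hypothetical.

```c
/* Added example, not GLib code: temp-file-plus-rename() replace semantics
 * plus a check that a dangling symlink's target is left uncreated.
 * Assumes a writable /tmp; both function names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write `data` to a temp file beside `path`, then rename() it over `path`.
 * rename() swaps the directory entry itself, so a symlink at `path` is
 * replaced rather than followed; nothing is opened through it with O_CREAT. */
static int replace_destination(const char *path, const char *data)
{
    char tmp[256];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);               /* O_CREAT|O_EXCL on a fresh name */
    if (fd < 0) return -1;
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len || fsync(fd) != 0 || close(fd) != 0) {
        unlink(tmp);
        return -1;
    }
    if (rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Check: 1 = target not created and the link path is now a regular file
 * (expected); 0 = the target appeared (the CVE-2021-28153 behaviour);
 * -1 = setup failure. */
int check_dangling_symlink_replace(void)
{
    char dir[] = "/tmp/replchkXXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char link_path[64], target[64];
    snprintf(link_path, sizeof link_path, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link_path) != 0) return -1;   /* target absent: dangling */
    int rc = replace_destination(link_path, "hello\n");
    struct stat st;
    int target_created = (lstat(target, &st) == 0);
    int link_is_regular = (lstat(link_path, &st) == 0 && S_ISREG(st.st_mode));
    unlink(target); unlink(link_path); rmdir(dir);   /* clean up */
    if (rc != 0) return -1;
    return (!target_created && link_is_regular) ? 1 : 0;
}
```

The same lstat()-based check, pointed at a program that calls g_file_replace() with G_FILE_CREATE_REPLACE_DESTINATION, is a direct way to confirm whether an installed GLib still shows the behaviour.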
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfb89fe932d61ae8c986bbc23c701da16c049bb6

commit dfb89fe932d61ae8c986bbc23c701da16c049bb6
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-24 01:42:46 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-24 01:46:30 +0000

dev-libs/glib: bump to v2.66.8

Bug: https://bugs.gentoo.org/775632
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

dev-libs/glib/Manifest | 1 +
dev-libs/glib/glib-2.66.8.ebuild | 290 +++++++++++++++++++++++++++++++++++++++
2 files changed, 291 insertions(+)
2.68.x is also fine (https://gitlab.gnome.org/GNOME/glib/-/commit/c80528f17ba25ea7d7089946926b93a98bd1479e) but let's go with 2.66.8 for now.
Added to an existing GLSA request.
Hrm, we also need =dev-util/gdbus-codegen-$PV.
We need more than that, I think. I think we need the whole suite which was in the previous mask. https://github.com/gentoo/gentoo/commit/75fe56f89850c7ce77920fb2b682d631f19c46c6
Hopefully not, it is just a minor update. But let's wait for maintainer feedback.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
(In reply to Thomas Deutschmann from comment #6)
> Hopefully not, it is just a minor update. But let's wait for maintainer
> feedback.

Oh, sorry, I misread 2.68!
(In reply to Thomas Deutschmann from comment #6)
> Hopefully not, it is just a minor update. But let's wait for maintainer
> feedback.

I'm sorry. I don't know how I missed this bug. Sorry for not bumping glib-2.66.8 sooner. FWIW, I've been documenting the collections of packages that need to be bumped together here: https://wiki.gentoo.org/wiki/Project:GNOME/GNOME_Bumping_Guide

For glib, there's gdbus-codegen as you found, and also glib-utils. Likely nothing changed in the couple of files in glib-utils between 2.66.7 and 2.66.8 but I've bumped it anyway. Let's try this again!
x86 done
amd64 done
sparc stable
arm done
2.68.2 is now stable everywhere. No need to stabilize this version.
Please clean up.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54d68643a6e060731967b8d04231d3c0bc5a50f6

commit 54d68643a6e060731967b8d04231d3c0bc5a50f6
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-06-04 03:06:32 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-06-04 03:11:53 +0000

dev-libs/glib: Drop old versions

Bug: https://bugs.gentoo.org/775632
Signed-off-by: Matt Turner <mattst88@gentoo.org>

dev-libs/glib/Manifest | 4 -
dev-libs/glib/glib-2.66.7.ebuild | 290 ---------------------------------------
dev-libs/glib/glib-2.66.8.ebuild | 286 --------------------------------------
dev-libs/glib/glib-2.68.0.ebuild | 288 --------------------------------------
dev-libs/glib/glib-2.68.1.ebuild | 288 --------------------------------------
5 files changed, 1156 deletions(-)
Unable to check for sanity:
> no match for package: dev-libs/glib-2.66.8
Thanks!
This issue was resolved and addressed in GLSA 202107-13 at https://security.gentoo.org/glsa/202107-13 by GLSA coordinator Sam James (sam_c).