Bug 286102 (CVE-2009-3289)

Summary:

<dev-libs/glib-2.20.5-r1: symlink permission error (CVE-2009-3289)

Product:

Gentoo Security

Reporter:

Alex Legler (RETIRED) <a3li>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

normal

CC:

axiator, gnome

Priority:

High

Version:

unspecified

Hardware:

All

OS:

Linux

URL:

https://bugs.launchpad.net/ubuntu/+source/glib2.0/+bug/418135

Whiteboard:

A3 [noglsa]

Package list:

Runtime testing required:

---

Bug Depends on:

292292

Bug Blocks:

Attachments:

Description	Flags
glib2-CVE-2009-3289.patch	none

Description Alex Legler (RETIRED) archtester

2009-09-23 15:18:59 UTC

CVE-2009-3289 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3289):
  The g_file_copy function in glib 2.0 sets the permissions of a target
  file to the permissions of a symbolic link (777), which allows
  user-assisted local users to modify files of other users, as
  demonstrated by using Nautilus to modify the permissions of the user
  home directory.

Comment 1 Alex Legler (RETIRED) archtester

2009-09-23 15:27:36 UTC

Created attachment 205029 [details, diff]
glib2-CVE-2009-3289.patch

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=593406

The patch covers the following commits:
commit 3826963e65d8c4c68bcd3e4066505f63ef734b95
commit 48e0af0157f52ac12b904bd92540432a18b139c7
commit bb7852e34b1845e516290e1b45a960a345ee8a43
commit fc44bf40a4eff8e122b223e97ee5efcbc548be03
commit e695c0932f5d02f3b222f0b7a3de1f8c00ba7b81

Comment 2 Stefan Behte (RETIRED) gentoo-dev

2009-11-06 14:56:22 UTC

gnome: can you apply the patch?

Comment 3 Romain Perier (RETIRED) gentoo-dev

2009-11-06 19:55:36 UTC

See the following discussion on IRC with a3li :
<mrpouet> a3li: ping
<a3li> mrpouet: ¿sì?
<mrpouet> security fix for glib is only for 2.20.5 not for 2.22.2, this patch is already present in 2.22.2 :)
<mrpouet> see timeline (git.gnome.org/cgit/glib)
<mrpouet> there is a tag for 2.22.2 date : 2009-10-07, your patch contains fixes commited before this release bugfixes (2009-10-01)
<a3li> mrpouet: okay. how do you want to proceed?
<mrpouet> so your patch is good just for 2.20.5, so I'll commit this patch for 2.20.5 (with a revbump)
<mrpouet> then we must ask a stablereq in few days
<a3li> mrpouet: and that .5-r1 is your candidate for stabilization then, I guess
<mrpouet> exactly :)

This security fix is only for glib-2.20.5 because glib-2.22.2 already includes it, I commited it for 2.20.5 with a revbump in the main tree :)

Comment 4 Alex Legler (RETIRED) archtester

2009-11-06 19:59:16 UTC

Arches, please test and mark stable:
=dev-libs/glib-2.20.5-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev

2009-11-07 17:09:49 UTC

x86 stable

Comment 6 Tobias Klausmann (RETIRED) gentoo-dev

2009-11-07 21:20:03 UTC

Stbale on alpha.

Comment 7 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev

2009-11-08 23:03:26 UTC

I found bug 292439 but there is around no chance someone fail on it.

So, ppc stable.

Comment 8 Markus Meier gentoo-dev

2009-11-09 12:45:06 UTC

amd64/arm stable

Comment 9 Tiago Cunha (RETIRED) gentoo-dev

2009-11-09 15:43:13 UTC

sparc stable

Comment 10 Raúl Porcel (RETIRED) gentoo-dev

2009-11-10 18:29:00 UTC

ia64/m68k/s390/sh stable

Comment 11 Jeroen Roovers (RETIRED) gentoo-dev

2009-11-11 00:47:03 UTC

  09 Nov 2009; Jeroen Roovers <jer@gentoo.org> glib-2.20.5-r1.ebuild:
  Stable for HPPA (bug #286102).

Comment 12 Brent Baude (RETIRED) gentoo-dev

2009-11-17 16:19:38 UTC

ppc64 done

Comment 13 Stefan Behte (RETIRED) gentoo-dev

2009-12-18 01:59:54 UTC

Added to pending glsa.

Comment 14 Gilles Dartiguelongue (RETIRED) gentoo-dev

2012-06-23 12:30:47 UTC

We are running to a three years delay. Is this still worth a glsa ?

Comment 15 Sean Amoss (RETIRED) gentoo-dev

2014-05-31 22:20:11 UTC

This issue has been fixed since Nov 17, 2009. No GLSA will be issued. However, users will be encouraged to update in a future GLSA.