
Bug 775632 (CVE-2021-28153)

Summary: <dev-libs/glib-2.66.8: symlink attack vulnerability (CVE-2021-28153)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome
Priority: Normal
Flags: nattka: sanity-check-
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gitlab.gnome.org/GNOME/glib/-/issues/2325
Whiteboard: A3 [glsa+ cve]
Package list:
dev-libs/glib-2.66.8 dev-util/gdbus-codegen-2.66.8 dev-util/glib-utils-2.66.8
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-12 13:53:24 UTC
CVE-2021-28153:

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)
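The behaviour described in the CVE text, as an added illustration that is not part of this bug report and not GLib's own code: it does not link against GLib and only uses POSIX calls. The "config" and "victim" file names and the scratch directory are hypothetical. The naive strategy opens the path with O_CREAT, which follows the dangling symlink and creates the link's target; the second strategy writes a fresh file created with O_EXCL in the same directory and renames it over the path, which replaces the symlink entry itself without ever dereferencing it. To check an installed GLib rather than this stand-in, call g_file_replace() with G_FILE_CREATE_REPLACE_DESTINATION against a dangling symlink in the same way and see whether the target appears; per this bug the fix is in 2.66.8 and 2.68.x.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Scratch layout (hypothetical names): <dir>/config is a symlink to
 * <dir>/victim, and victim does not exist, so the link is dangling. */
struct scratch {
    char dir[256];
    char link[320];
    char target[320];
};

static int scratch_init(struct scratch *s)
{
    const char *tmpdir = getenv("TMPDIR");
    snprintf(s->dir, sizeof s->dir, "%s/dangling-XXXXXX", tmpdir ? tmpdir : "/tmp");
    if (mkdtemp(s->dir) == NULL)
        return -1;
    snprintf(s->link, sizeof s->link, "%s/config", s->dir);
    snprintf(s->target, sizeof s->target, "%s/victim", s->dir);
    return symlink(s->target, s->link);
}

static void scratch_free(struct scratch *s)
{
    unlink(s->link);
    unlink(s->target);
    rmdir(s->dir);
}

/* Naive "replace": open(2) with O_CREAT follows the symlink, so the kernel
 * creates the link's target (a path the link's author chose) and writes to it.
 * The scratch dir is private and non-sticky, so fs.protected_symlinks does
 * not intervene here. */
static int replace_naive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Safer "replace destination": create a new file in the same directory
 * (mkstemp uses O_CREAT|O_EXCL, which never follows a link), then rename(2)
 * it over the path. rename swaps the directory entry, so a symlink at the
 * path is discarded and whatever it pointed at is never touched. */
static int replace_safe(const char *path, const char *data)
{
    char tmp[400];
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    if (n < 0 || rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

enum {
    TARGET_CREATED  = 1,  /* the dangling link's target now exists */
    PATH_IS_REGULAR = 2   /* the path is now a regular file, not a link */
};

/* Run one replace strategy against a fresh dangling symlink and report what it
 * did to the filesystem as a bitmask of the flags above; -1 if setup failed. */
static int run_replace(int (*replace)(const char *, const char *))
{
    struct scratch s;
    struct stat st;
    int flags = 0;
    if (scratch_init(&s) != 0)
        return -1;
    replace(s.link, "new contents\n");
    if (lstat(s.target, &st) == 0)
        flags |= TARGET_CREATED;
    if (lstat(s.link, &st) == 0 && S_ISREG(st.st_mode))
        flags |= PATH_IS_REGULAR;
    scratch_free(&s);
    return flags;
}

int main(void)
{
    int naive = run_replace(replace_naive);
    int safe = run_replace(replace_safe);
    if (naive < 0 || safe < 0) {
        perror("setup");
        return 1;
    }
    printf("naive: target created=%d, path is regular=%d\n",
           !!(naive & TARGET_CREATED), !!(naive & PATH_IS_REGULAR));
    printf("safe:  target created=%d, path is regular=%d\n",
           !!(safe & TARGET_CREATED), !!(safe & PATH_IS_REGULAR));
    return 0;
}
```

The naive run leaves the symlink in place and materialises its target as a new file, which is the empty-file side effect the description warns about; the rename-based run leaves no target behind and turns the path into a regular file. O_NOFOLLOW on the open would be another way to refuse the dereference, at the cost of failing instead of replacing the link.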
Comment 1 Larry the Git Cow gentoo-dev 2021-05-24 01:47:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfb89fe932d61ae8c986bbc23c701da16c049bb6

commit dfb89fe932d61ae8c986bbc23c701da16c049bb6
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-24 01:42:46 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-24 01:46:30 +0000

    dev-libs/glib: bump to v2.66.8
    
    Bug: https://bugs.gentoo.org/775632
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/glib/Manifest           |   1 +
 dev-libs/glib/glib-2.66.8.ebuild | 290 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 291 insertions(+)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-24 01:49:00 UTC
2.68.x is also fine (https://gitlab.gnome.org/GNOME/glib/-/commit/c80528f17ba25ea7d7089946926b93a98bd1479e) but let's go with 2.66.8 for now.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-24 01:50:46 UTC
Added to an existing GLSA request.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-26 13:18:04 UTC
Hrm, we also need =dev-util/gdbus-codegen-$PV.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-26 13:40:43 UTC
We need more than that, I think. I think we need the whole suite which was in the previous mask.

https://github.com/gentoo/gentoo/commit/75fe56f89850c7ce77920fb2b682d631f19c46c6
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-26 13:43:49 UTC
Hopefully not, it is just a minor update. But let's wait for maintainer feedback.
Comment 7 NATTkA bot gentoo-dev 2021-05-26 13:48:23 UTC Comment hidden (obsolete)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-26 13:53:43 UTC
(In reply to Thomas Deutschmann from comment #6)
> Hopefully not, it is just a minor update. But let's wait for maintainer
> feedback.

Oh, sorry, I misread 2.68!
Comment 9 Matt Turner gentoo-dev 2021-05-26 21:22:06 UTC
(In reply to Thomas Deutschmann from comment #6)
> Hopefully not, it is just a minor update. But let's wait for maintainer
> feedback.

I'm sorry. I don't know how I missed this bug. Sorry for not bumping glib-2.66.8 sooner.

FWIW, I've been documenting the collections of packages that need to be bumped together here: https://wiki.gentoo.org/wiki/Project:GNOME/GNOME_Bumping_Guide

For glib, there's gdbus-codegen as you found, and also glib-utils. Likely nothing changed in the couple of files in glib-utils between 2.66.7 and 2.66.8 but I've bumped it anyway.

Let's try this again!
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-27 19:14:22 UTC
x86 done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-27 19:16:45 UTC
amd64 done
Comment 12 Rolf Eike Beer archtester 2021-05-30 10:22:47 UTC
sparc stable
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-01 00:46:09 UTC
arm done
Comment 14 Matt Turner gentoo-dev 2021-06-01 01:36:35 UTC
2.68.2 is now stable everywhere. No need to stabilize this version.
Comment 15 NATTkA bot gentoo-dev 2021-06-01 01:40:25 UTC Comment hidden (obsolete)
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-01 16:23:42 UTC
Please cleanup.
Comment 17 Larry the Git Cow gentoo-dev 2021-06-04 03:12:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54d68643a6e060731967b8d04231d3c0bc5a50f6

commit 54d68643a6e060731967b8d04231d3c0bc5a50f6
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-06-04 03:06:32 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-06-04 03:11:53 +0000

    dev-libs/glib: Drop old versions
    
    Bug: https://bugs.gentoo.org/775632
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 dev-libs/glib/Manifest           |   4 -
 dev-libs/glib/glib-2.66.7.ebuild | 290 ---------------------------------------
 dev-libs/glib/glib-2.66.8.ebuild | 286 --------------------------------------
 dev-libs/glib/glib-2.68.0.ebuild | 288 --------------------------------------
 dev-libs/glib/glib-2.68.1.ebuild | 288 --------------------------------------
 5 files changed, 1156 deletions(-)
Comment 18 NATTkA bot gentoo-dev 2021-06-04 03:16:42 UTC
Unable to check for sanity:

> no match for package: dev-libs/glib-2.66.8
Comment 19 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-04 13:24:01 UTC
Thanks!
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2021-07-07 08:05:50 UTC
This issue was resolved and addressed in
 GLSA 202107-13 at https://security.gentoo.org/glsa/202107-13
by GLSA coordinator Sam James (sam_c).