Summary: | <dev-libs/glib-2.66.8: symlink attack vulnerability (CVE-2021-28153) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | gnome |
Priority: | Normal | Flags: | nattka: sanity-check- |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://gitlab.gnome.org/GNOME/glib/-/issues/2325 | | |
Whiteboard: | A3 [glsa+ cve] | | |
Package list: | dev-libs/glib-2.66.8, dev-util/gdbus-codegen-2.66.8, dev-util/glib-utils-2.66.8 | | |
Runtime testing required: | --- | | |
Description

John Helmert III

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfb89fe932d61ae8c986bbc23c701da16c049bb6

commit dfb89fe932d61ae8c986bbc23c701da16c049bb6
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-24 01:42:46 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-24 01:46:30 +0000

    dev-libs/glib: bump to v2.66.8

    Bug: https://bugs.gentoo.org/775632
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/glib/Manifest           |   1 +
 dev-libs/glib/glib-2.66.8.ebuild | 290 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 291 insertions(+)

2.68.x is also fine (https://gitlab.gnome.org/GNOME/glib/-/commit/c80528f17ba25ea7d7089946926b93a98bd1479e) but let's go with 2.66.8 for now.

Added to an existing GLSA request.

Hrm, we also need =dev-util/gdbus-codegen-$PV.

We need more than that, I think. I think we need the whole suite which was in the previous mask.
https://github.com/gentoo/gentoo/commit/75fe56f89850c7ce77920fb2b682d631f19c46c6

Hopefully not, it is just a minor update. But let's wait for maintainer feedback.

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

(In reply to Thomas Deutschmann from comment #6)
> Hopefully not, it is just a minor update. But let's wait for maintainer
> feedback.

Oh, sorry, I misread 2.68!

(In reply to Thomas Deutschmann from comment #6)
> Hopefully not, it is just a minor update. But let's wait for maintainer
> feedback.

I'm sorry. I don't know how I missed this bug. Sorry for not bumping glib-2.66.8 sooner.

FWIW, I've been documenting the collections of packages that need to be bumped together here: https://wiki.gentoo.org/wiki/Project:GNOME/GNOME_Bumping_Guide

For glib, there's gdbus-codegen as you found, and also glib-utils. Likely nothing changed in the couple of files in glib-utils between 2.66.7 and 2.66.8 but I've bumped it anyway.
Let's try this again!

x86 done

amd64 done

sparc stable

arm done

2.68.2 is now stable everywhere. No need to stabilize this version.

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Please cleanup.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54d68643a6e060731967b8d04231d3c0bc5a50f6

commit 54d68643a6e060731967b8d04231d3c0bc5a50f6
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-06-04 03:06:32 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-06-04 03:11:53 +0000

    dev-libs/glib: Drop old versions

    Bug: https://bugs.gentoo.org/775632
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 dev-libs/glib/Manifest           |   4 -
 dev-libs/glib/glib-2.66.7.ebuild | 290 ---------------------------------------
 dev-libs/glib/glib-2.66.8.ebuild | 286 --------------------------------------
 dev-libs/glib/glib-2.68.0.ebuild | 288 --------------------------------------
 dev-libs/glib/glib-2.68.1.ebuild | 288 --------------------------------------
 5 files changed, 1156 deletions(-)

Unable to check for sanity:

> no match for package: dev-libs/glib-2.66.8

Thanks!

This issue was resolved and addressed in GLSA 202107-13 at https://security.gentoo.org/glsa/202107-13 by GLSA coordinator Sam James (sam_c).
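The bug's affected range is everything below the fixed package, <dev-libs/glib-2.66.8 (the 2.68.x branch carries the same fix, per the comment above, and is numerically above 2.66.8 anyway). As an added example, not part of this bug, of the GLSA, or of Gentoo's own tooling, the POSIX shell script below checks a glib version string against that range. The vercmp and is_affected helpers and the sample versions are constructed for this illustration; it implements only the "<2.66.8" range stated on this bug, so it says nothing about development versions (2.67.x) the bug does not mention, and feeding in the installed version with qlist from portage-utils is an assumption about the host.

```shell
#!/bin/sh
# Added example (not Gentoo's own tooling): flag dev-libs/glib versions that
# fall in this bug's affected range, "<dev-libs/glib-2.66.8".

FIXED_VERSION="2.66.8"

# vercmp A B: prints -1, 0 or 1 for A<B, A==B, A>B.
# Plain dotted numeric versions only (2.66.7, 2.68.2). A Gentoo revision or
# suffix such as -r1 or _rc1 is stripped first; the assumption is that such
# suffixes do not change the verdict for the versions on this bug.
vercmp() {
    a=${1%%[_-]*}
    b=${2%%[_-]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0};  y=${y:-0}          # missing component counts as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# is_affected VERSION: succeeds (exit 0) when VERSION < 2.66.8, i.e. inside
# the range the bug lists as vulnerable; anything >= 2.66.8 is outside it.
is_affected() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# report VERSION: one human-readable line per version checked.
report() {
    if is_affected "$1"; then
        printf '%s: AFFECTED (< %s)\n' "$1" "$FIXED_VERSION"
    else
        printf '%s: not in the affected range (>= %s)\n' "$1" "$FIXED_VERSION"
    fi
}

# Constructed sample versions when run without arguments. On a Gentoo host
# the installed version can be passed in instead (assumption: portage-utils
# is installed):
#   ./glib_check.sh "$(qlist -Iv dev-libs/glib | sed 's|^dev-libs/glib-||')"
if [ "$#" -eq 0 ]; then
    set -- 2.66.7 2.66.8 2.66.8-r1 2.68.2
fi
for v in "$@"; do
    report "$v"
done
```

The comparison is component-wise and numeric, so 2.9 sorts below 2.10 and a missing trailing component is treated as 0 (2.66 equals 2.66.0); a string comparison would get both of those wrong.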