Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 775632 (CVE-2021-28153) - <dev-libs/glib-2.66.8: symlink attack vulnerability (CVE-2021-28153)
Summary: <dev-libs/glib-2.66.8: symlink attack vulnerability (CVE-2021-28153)
Status: RESOLVED FIXED
Alias: CVE-2021-28153
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/glib/-...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-12 13:53 UTC by John Helmert III
Modified: 2021-07-07 08:05 UTC (History)
1 user (show)

See Also:
Package list:
dev-libs/glib-2.66.8 dev-util/gdbus-codegen-2.66.8 dev-util/glib-utils-2.66.8
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-03-12 13:53:24 UTC
CVE-2021-28153:

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)
Comment 1 Larry the Git Cow gentoo-dev 2021-05-24 01:47:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfb89fe932d61ae8c986bbc23c701da16c049bb6

commit dfb89fe932d61ae8c986bbc23c701da16c049bb6
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-24 01:42:46 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-24 01:46:30 +0000

    dev-libs/glib: bump to v2.66.8
    
    Bug: https://bugs.gentoo.org/775632
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/glib/Manifest           |   1 +
 dev-libs/glib/glib-2.66.8.ebuild | 290 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 291 insertions(+)
Comment 2 Thomas Deutschmann gentoo-dev Security 2021-05-24 01:49:00 UTC
2.68.x is also fine (https://gitlab.gnome.org/GNOME/glib/-/commit/c80528f17ba25ea7d7089946926b93a98bd1479e) but let's go with 2.66.8 for now.
Comment 3 Thomas Deutschmann gentoo-dev Security 2021-05-24 01:50:46 UTC
Added to an existing GLSA request.
Comment 4 Thomas Deutschmann gentoo-dev Security 2021-05-26 13:18:04 UTC
Hrm, we also need =dev-util/gdbus-codegen-$PV.
Comment 5 Sam James archtester gentoo-dev Security 2021-05-26 13:40:43 UTC
We need more than that, I think. I think we need the whole suite which was in the previous mask.

https://github.com/gentoo/gentoo/commit/75fe56f89850c7ce77920fb2b682d631f19c46c6
Comment 6 Thomas Deutschmann gentoo-dev Security 2021-05-26 13:43:49 UTC
Hopefully not, it is just a minor update. But let's wait for maintainer feedback.
Comment 7 NATTkA bot gentoo-dev 2021-05-26 13:48:23 UTC Comment hidden (obsolete)
Comment 8 Sam James archtester gentoo-dev Security 2021-05-26 13:53:43 UTC
(In reply to Thomas Deutschmann from comment #6)
> Hopefully not, it is just a minor update. But let's wait for maintainer
> feedback.

Oh, sorry, I misread 2.68!
Comment 9 Matt Turner gentoo-dev 2021-05-26 21:22:06 UTC
(In reply to Thomas Deutschmann from comment #6)
> Hopefully not, it is just a minor update. But let's wait for maintainer
> feedback.

I'm sorry. I don't know how I missed this bug. Sorry for not bumping glib-2.66.8 sooner.

FWIW, I've been documenting the collections of packages that need to be bumped together here: https://wiki.gentoo.org/wiki/Project:GNOME/GNOME_Bumping_Guide

For glib, there's gdbus-codegen as you found, and also glib-utils. Likely nothing changed in the couple of files in glib-utils between 2.66.7 and 2.66.8 but I've bumped it anyway.

Let's try this again!
Comment 10 Sam James archtester gentoo-dev Security 2021-05-27 19:14:22 UTC
x86 done
Comment 11 Sam James archtester gentoo-dev Security 2021-05-27 19:16:45 UTC
amd64 done
Comment 12 Rolf Eike Beer archtester 2021-05-30 10:22:47 UTC
sparc stable
Comment 13 Sam James archtester gentoo-dev Security 2021-06-01 00:46:09 UTC
arm done
Comment 14 Matt Turner gentoo-dev 2021-06-01 01:36:35 UTC
2.68.2 is now stable everywhere. No need to stabilize this version.
Comment 15 NATTkA bot gentoo-dev 2021-06-01 01:40:25 UTC Comment hidden (obsolete)
Comment 16 John Helmert III gentoo-dev Security 2021-06-01 16:23:42 UTC
Please cleanup.
Comment 17 Larry the Git Cow gentoo-dev 2021-06-04 03:12:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54d68643a6e060731967b8d04231d3c0bc5a50f6

commit 54d68643a6e060731967b8d04231d3c0bc5a50f6
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-06-04 03:06:32 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-06-04 03:11:53 +0000

    dev-libs/glib: Drop old versions
    
    Bug: https://bugs.gentoo.org/775632
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 dev-libs/glib/Manifest           |   4 -
 dev-libs/glib/glib-2.66.7.ebuild | 290 ---------------------------------------
 dev-libs/glib/glib-2.66.8.ebuild | 286 --------------------------------------
 dev-libs/glib/glib-2.68.0.ebuild | 288 --------------------------------------
 dev-libs/glib/glib-2.68.1.ebuild | 288 --------------------------------------
 5 files changed, 1156 deletions(-)
Comment 18 NATTkA bot gentoo-dev 2021-06-04 03:16:42 UTC
Unable to check for sanity:

> no match for package: dev-libs/glib-2.66.8
Comment 19 John Helmert III gentoo-dev Security 2021-06-04 13:24:01 UTC
Thanks!
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2021-07-07 08:05:50 UTC
This issue was resolved and addressed in
 GLSA 202107-13 at https://security.gentoo.org/glsa/202107-13
by GLSA coordinator Sam James (sam_c).