guix-devel

Re: glib vulnerable to CVE-2021-28153


From: Mark H Weaver
Subject: Re: glib vulnerable to CVE-2021-28153
Date: Fri, 12 Mar 2021 01:47:04 -0500

Hi Léo,

Léo Le Bouter <lle-bout@zaclys.net> writes:

> CVE-2021-28153        11.03.21 23:15
> An issue was discovered in GNOME GLib before 2.66.8. When
> g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to
> replace a path that is a dangling symlink, it incorrectly also creates
> the target of the symlink as an empty file, which could conceivably
> have security relevance if the symlink is attacker-controlled. (If the
> path is a symlink to a file that already exists, then the contents of
> that file correctly remain unchanged.)
>
> Another CVE just out,
>
> See: https://gitlab.gnome.org/GNOME/glib/-/issues/2325
>
> We need to backport another patch again it seems?

Thanks.  I backported the upstream fix, and pushed it to 'master' in
commit 5a06b83fc92710c5846a83bbf49f0ea84c8ecec2.

      Mark
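
The dangling-symlink behaviour from the quoted advisory, reproduced with plain POSIX calls as an added example (not part of this thread and not GLib's code). The function names and the scratch directory under /tmp are assumptions; the harness reports whether a given write strategy creates the symlink's target.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open in place: O_CREAT follows a dangling symlink and creates its target. */
int write_following(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    return close(fd);
}

/* Replace the directory entry: create a sibling temp file, then rename() it
 * over the path. rename() replaces the symlink itself, never its target. */
int write_replacing(const char *path) {
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    close(fd);
    if (rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Returns 1 if writer() created the symlink target, 0 if not, -1 on error. */
int target_created(int (*writer)(const char *)) {
    char dir[] = "/tmp/symlink-replace-demo.XXXXXX"; /* constructed scratch dir */
    char link[256], target[256];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link) != 0) { rmdir(dir); return -1; }
    int rc = writer(link);               /* link is dangling at this point */
    int created = (lstat(target, &st) == 0);
    unlink(link); unlink(target); rmdir(dir);
    return rc != 0 ? -1 : created;
}

int main(void) {
    printf("open in place creates target: %d\n", target_created(write_following));
    printf("rename over path creates target: %d\n", target_created(write_replacing));
    return 0;
}
```

The same harness shape can serve as a regression check for any "replace destination" routine: point the dangling link at a path that must not appear and assert that it is still absent afterwards.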


