Re: glib vulnerable to CVE-2021-28153
From: Mark H Weaver
Subject: Re: glib vulnerable to CVE-2021-28153
Date: Fri, 12 Mar 2021 01:47:04 -0500
Hi Léo,
Léo Le Bouter <lle-bout@zaclys.net> writes:
> CVE-2021-28153 11.03.21 23:15
> An issue was discovered in GNOME GLib before 2.66.8. When
> g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to
> replace a path that is a dangling symlink, it incorrectly also creates
> the target of the symlink as an empty file, which could conceivably
> have security relevance if the symlink is attacker-controlled. (If the
> path is a symlink to a file that already exists, then the contents of
> that file correctly remain unchanged.)
>
> Another CVE just out,
>
> See: https://gitlab.gnome.org/GNOME/glib/-/issues/2325
>
> We need to backport another patch again it seems?
Thanks. I backported the upstream fix, and pushed it to 'master' in
commit 5a06b83fc92710c5846a83bbf49f0ea84c8ecec2.
Mark
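
The failure mode in the quoted CVE text, as an added example that is not part of the original message and is neither GLib code nor the upstream fix: a plain POSIX model of replacing a path that is a dangling symlink, with a naive open() that creates the symlink's target beside a temp-file-plus-rename() replace that does not. The function names and the /tmp scratch directory are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive replace (hypothetical helper): open() with O_CREAT follows a
 * dangling symlink and creates its target as an empty file. */
static int naive_replace(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    return close(fd);
}

/* Hardened replace (hypothetical helper): create a fresh file next to the
 * destination, then rename() it over the path. rename() replaces the
 * symlink itself and never touches what it points to. */
static int safe_replace(const char *dir, const char *path) {
    char tmp[512];
    snprintf(tmp, sizeof tmp, "%s/.replace-XXXXXX", dir);
    int fd = mkstemp(tmp);   /* exclusive create, does not follow links */
    if (fd < 0) return -1;
    close(fd);
    if (rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Builds <scratch>/link -> <scratch>/target (dangling), runs one replace
 * variant on "link", and reports whether "target" now exists:
 * 1 = target was created, 0 = not created, -1 = setup or replace error. */
int target_created_after_replace(int use_safe) {
    char dir[] = "/tmp/cve-demo-XXXXXX", link[64], target[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link) != 0) { rmdir(dir); return -1; }
    int rc = use_safe ? safe_replace(dir, link) : naive_replace(link);
    int created = (rc == 0) ? (lstat(target, &st) == 0) : -1;
    unlink(link); unlink(target); rmdir(dir);   /* clean up scratch files */
    return created;
}

int main(void) {
    printf("naive: target created = %d\n", target_created_after_replace(0));
    printf("safe:  target created = %d\n", target_created_after_replace(1));
    return 0;
}
```

The same dangling-symlink setup works as a regression check for any "replace destination" routine: after the call, the symlink's target must still not exist.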