Your message dated Mon, 15 Mar 2021 22:18:28 +0000
with message-id <[email protected]>
and subject line Bug#984969: fixed in glib2.0 2.67.6-1
has caused the Debian Bug report #984969,
regarding libglib2.0-0: CVE-2021-28153: g_file_replace() with G_FILE_CREATE_REPLACE_DESTINATION creates empty target for dangling symlink
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
984969: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984969
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libglib2.0-0
Version: 2.66.7-1
Severity: important
Tags: security fixed-upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib/-/issues/2325
Control: affects -1 file-roller
X-Debbugs-Cc: Debian Security Team <[email protected]>
When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to
replace a path that is a dangling symlink, it incorrectly also creates
the target of the symlink as an empty file, which could conceivably be
security-sensitive if the symlink is attacker-controlled.
This is fixed in the upstream glib-2-66 branch.
Mitigation: creating a non-empty file does not appear to be possible,
and overwriting an existing file via a non-dangling symlink also does
not appear to be possible.
This can affect GNOME's file-roller, and probably other GLib-based
unarchivers, when unpacking an attacker-controlled archive.
I've requested a CVE ID from MITRE.
smcv
--- End Message ---
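The failure mode the report above describes, reduced to plain POSIX calls as an added example (this is not GLib code and not the upstream fix): open(2) with O_CREAT on a path that is a dangling symlink follows the link and creates its missing target, whereas writing a fresh O_EXCL temporary file and rename(2)-ing it over the path replaces the symlink itself. The names naive_replace, safe_replace and check_replace, and the scratch directory layout, are assumptions made for this illustration; check_replace is a small regression check of the kind a packager could use to confirm which behaviour a "replace destination" routine has.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Naive "replace destination" (constructed illustration, not GLib code):
 * open(2) with O_CREAT follows a dangling symlink and creates the
 * symlink's missing target, which is the behaviour the bug report describes. */
static int naive_replace(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, len);
    close(fd);
    return n == (ssize_t) len ? 0 : -1;
}

/* Hardened replace: write into a fresh sibling file created with
 * O_CREAT|O_EXCL (mkstemp), then rename(2) it over the destination.
 * rename() swaps the directory entry itself, so a symlink at `path` is
 * replaced and never followed, and `path` never exposes a half-written file. */
static int safe_replace(const char *path, const char *data, size_t len)
{
    char tmp[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int) sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    int ok = write(fd, data, len) == (ssize_t) len
          && fchmod(fd, 0644) == 0
          && fsync(fd) == 0;
    if (close(fd) != 0)
        ok = 0;
    if (!ok || rename(tmp, path) != 0) {
        int saved = errno;
        unlink(tmp);          /* never leave the temporary file behind */
        errno = saved;
        return -1;
    }
    return 0;
}

/* Outcome of running one replace implementation against a dangling symlink. */
struct replace_outcome {
    int target_created;   /* 1 if the symlink's missing target now exists */
    int dest_is_regular;  /* 1 if `path` is now a regular file (symlink gone) */
};

/* Regression check: build a private scratch directory holding a dangling
 * symlink (constructed scenario, standing in for an archive entry whose link
 * points at a file that does not exist yet), run `replace` on the symlink
 * and inspect what was created. Both fields are -1 if setup failed. */
static struct replace_outcome
check_replace(int (*replace)(const char *, const char *, size_t))
{
    struct replace_outcome out = { -1, -1 };
    char dir[] = "/tmp/replace-check-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return out;

    char link_path[PATH_MAX], target[PATH_MAX];
    snprintf(link_path, sizeof link_path, "%s/archive-entry", dir);
    snprintf(target, sizeof target, "%s/should-not-exist", dir);

    if (symlink(target, link_path) == 0) {
        (void) replace(link_path, "hello\n", 6);
        struct stat st;
        out.target_created = (lstat(target, &st) == 0);
        out.dest_is_regular = (lstat(link_path, &st) == 0 && S_ISREG(st.st_mode));
    }

    /* Remove whatever either implementation left behind. */
    unlink(target);
    unlink(link_path);
    rmdir(dir);
    return out;
}

int main(void)
{
    struct replace_outcome naive = check_replace(naive_replace);
    struct replace_outcome safe = check_replace(safe_replace);
    printf("naive: target created=%d, destination regular=%d\n",
           naive.target_created, naive.dest_is_regular);
    printf("safe:  target created=%d, destination regular=%d\n",
           safe.target_created, safe.dest_is_regular);
    return (naive.target_created == 1 && safe.target_created == 0) ? 0 : 1;
}
```

Run it on a Linux host: the naive variant reports the symlink's target being created and the symlink left in place, the rename-based variant reports no target and a regular file at the destination. The check deliberately uses a fresh 0700 directory rather than /tmp itself, so the kernel's fs.protected_symlinks restriction on sticky world-writable directories cannot mask the difference.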
--- Begin Message ---
Source: glib2.0
Source-Version: 2.67.6-1
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated glib2.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 15 Mar 2021 18:18:48 +0000
Source: glib2.0
Architecture: source
Version: 2.67.6-1
Distribution: experimental
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 984969
Changes:
glib2.0 (2.67.6-1) experimental; urgency=medium
.
* New upstream release
- This fixes a symlink attack affecting file-roller.
When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION
to replace a path that is a dangling symlink, previously it would
have also created the target of the symlink as an empty file, which
could conceivably be security-sensitive if the symlink is
attacker-controlled. (Closes: #984969; CVE-2021-28153)
* Revert test-dependency on libc6-dev, which should no longer be
necessary with the new upstream release.
Checksums-Sha1:
7f0abbace3030685adc4a3c1aefc759175c3f86b 3506 glib2.0_2.67.6-1.dsc
cfaa92d7bf596c5e0b48958ad35c724ea811697e 4935624 glib2.0_2.67.6.orig.tar.xz
b31117c898d0e11902d4f57d54bf8d692ecb99ea 98592 glib2.0_2.67.6-1.debian.tar.xz
cd320637fe8711815d3fb767dd1def9681db70f8 6942 glib2.0_2.67.6-1_source.buildinfo
Checksums-Sha256:
f617a8bc107b83aa137140b62c5ae32dca78e438f6b5fbb4cc51db908d1013f1 3506 glib2.0_2.67.6-1.dsc
dd7f563509b410e8f94ef2d4cc7f74620a6b29d7c5d529fedec53c5e8018d9c5 4935624 glib2.0_2.67.6.orig.tar.xz
682ca6cf396c4d1ecbdb7d4d18fcb98ec6e9dad5122f8c9abb6bc2b5b32fbb46 98592 glib2.0_2.67.6-1.debian.tar.xz
34ac18f3b25e3b6a2713ef7d401d592cd351c32f28be0686815746b91ab3725f 6942 glib2.0_2.67.6-1_source.buildinfo
Files:
d26194940dd0208d21bd660d509afe13 3506 libs optional glib2.0_2.67.6-1.dsc
e0158d4bc575d9301a91341cb35310b4 4935624 libs optional glib2.0_2.67.6.orig.tar.xz
04f1d8753238cdaae735e3d5190d1f4d 98592 libs optional glib2.0_2.67.6-1.debian.tar.xz
62cfd09f469ecc80dca7e6fd5c4caf18 6942 libs optional glib2.0_2.67.6-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---