Bug 28612

Summary: glib2.0 new security issue CVE-2021-28153
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, ouaurelien, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: glib2.0-2.66.7-1.mga8.src.rpm CVE: CVE-2021-28153
Status comment:
Bug Depends on:    
Bug Blocks: 28520    

Description Thomas Backlund 2021-03-18 17:13:47 CET 
Advisory:
An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace()
is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is
a dangling symlink, it incorrectly also creates the target of the symlink
as an empty file, which could conceivably have security relevance if the
symlink is attacker-controlled. (If the path is a symlink to a file that
already exists, then the contents of that file correctly remain unchanged.)
(CVE-2021-28153) 

SRPMS:
glib2.0-2.66.8-1.mga8.src.rpm
mingw-glib2-2.66.8-1.mga8.src.rpm


i586:
glib2.0-common-2.66.8-1.mga8.i586.rpm
glib2.0-tests-2.66.8-1.mga8.i586.rpm
glib-gettextize-2.66.8-1.mga8.i586.rpm
libgio2.0_0-2.66.8-1.mga8.i586.rpm
libglib2.0_0-2.66.8-1.mga8.i586.rpm
libglib2.0-devel-2.66.8-1.mga8.i586.rpm
libglib2.0-static-devel-2.66.8-1.mga8.i586.rpm

mingw32-glib2-2.66.8-1.mga8.noarch.rpm
mingw32-glib2-static-2.66.8-1.mga8.noarch.rpm
mingw64-glib2-2.66.8-1.mga8.noarch.rpm
mingw64-glib2-static-2.66.8-1.mga8.noarch.rpm



x86_64:
glib2.0-common-2.66.8-1.mga8.x86_64.rpm
glib2.0-tests-2.66.8-1.mga8.x86_64.rpm
glib-gettextize-2.66.8-1.mga8.x86_64.rpm
lib64gio2.0_0-2.66.8-1.mga8.x86_64.rpm
lib64glib2.0_0-2.66.8-1.mga8.x86_64.rpm
lib64glib2.0-devel-2.66.8-1.mga8.x86_64.rpm
lib64glib2.0-static-devel-2.66.8-1.mga8.x86_64.rpm

mingw32-glib2-2.66.8-1.mga8.noarch.rpm
mingw32-glib2-static-2.66.8-1.mga8.noarch.rpm
mingw64-glib2-2.66.8-1.mga8.noarch.rpm
mingw64-glib2-static-2.66.8-1.mga8.noarch.rpm
David Walser 2021-03-18 20:59:56 CET

Blocks: (none) => 28520

Comment 1 Len Lawrence 2021-03-25 20:14:33 CET 
mga8, x64

Working on this:
CVE-2021-28153
https://gitlab.gnome.org/GNOME/glib/-/issues/2325
Downloaded the symlink.tar file.
Checked that there were no old moo files lying about.
Launched caja in the target directory.
Selected symlink.tar then Extract.
This extracted a text file to the target directory with contents "moo" and also created an empty file /tmp/moo.  No sign of a symbolic link though.

Not sure what to make of that.  Upstream uses file-roller but file-roller does not work for me.

Edited /tmp/moo to contain a line of text.
Removed moo from the target directory and ran the exercise again.
$ cat moo
moo
$ cat /tmp/moo
Been here before.

So, no overwrite of existing /tmp file.
Created an empty moo file in /tmp.
$ rm -f moo
$ touch moo
Back to target directory and followed the loop again.
$ rm -f moo
$ caja .
Ran Extract on symlink.tar again.
No change.  Local text file moo appears and /tmp contains an empty moo file.

Still do not know what to make of it.

Shall go ahead with the update but I do not expect anything to change.

CC: (none) => tarazed25

Comment 2 Len Lawrence 2021-03-27 01:28:04 CET 
Updated glib2 and minggw64-glib2 packages.

Started with no moo file in target or /tmp directories.  The extraction created a moo file in the target directory, nothing in /tmp.
Repeated the extraction after removing target moo file and creating empty file moo in /tmp.
Again, nothing untoward happened.  /tmp/moo is untouched and there is no symlink.

This represents an improvement over the previous behaviour where an unwanted moo file was created in /tmp.

As said, I am not too sure about these tests but the impression given is that there is no longer a problem.

gedit occurs in the list of applications using glib2.0.  Tried editing a short file.
$ strace -o gedit.trace gedit 
$ grep glib gedit.trace
.....
openat(AT_FDCWD, "/home/lcl/.local/share/glib-2.0/schemas/gschemas.compiled", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libdbus-glib-1.so.2", O_RDONLY|O_CLOEXEC) = 11

$ strace -o im.trace identify Pictures/Vanuata.jpg
...................
$ grep glib im.trace 
openat(AT_FDCWD, "/lib64/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3

$ strace -o parole.trace parole Transports_du_futur.mp4
$ grep glib parole.trace
openat(AT_FDCWD, "/lib64/libdbus-glib-1.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3

All these applications work fine.

Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2021-03-27 15:14:17 CET 
Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-03-30 17:00:38 CEST

CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-28153
Source RPM: glib2.0 => glib2.0-2.66.7-1.mga8.src.rpm

Comment 4 Mageia Robot 2021-03-30 22:11:09 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0162.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2021-05-28 20:16:31 CEST 
Ubuntu has issued an advisory for this on March 15:
https://ubuntu.com/security/notices/USN-4764-1
Comment 6 David Walser 2021-05-29 19:34:11 CEST 
Fedora has issued an advisory for this on March 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6RXTD5HCP2K4AAUSWWZTBKQNHRCTAEOF/