Advisory:

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.) (CVE-2021-28153)

SRPMS:
glib2.0-2.66.8-1.mga8.src.rpm
mingw-glib2-2.66.8-1.mga8.src.rpm

i586:
glib2.0-common-2.66.8-1.mga8.i586.rpm
glib2.0-tests-2.66.8-1.mga8.i586.rpm
glib-gettextize-2.66.8-1.mga8.i586.rpm
libgio2.0_0-2.66.8-1.mga8.i586.rpm
libglib2.0_0-2.66.8-1.mga8.i586.rpm
libglib2.0-devel-2.66.8-1.mga8.i586.rpm
libglib2.0-static-devel-2.66.8-1.mga8.i586.rpm
mingw32-glib2-2.66.8-1.mga8.noarch.rpm
mingw32-glib2-static-2.66.8-1.mga8.noarch.rpm
mingw64-glib2-2.66.8-1.mga8.noarch.rpm
mingw64-glib2-static-2.66.8-1.mga8.noarch.rpm

x86_64:
glib2.0-common-2.66.8-1.mga8.x86_64.rpm
glib2.0-tests-2.66.8-1.mga8.x86_64.rpm
glib-gettextize-2.66.8-1.mga8.x86_64.rpm
lib64gio2.0_0-2.66.8-1.mga8.x86_64.rpm
lib64glib2.0_0-2.66.8-1.mga8.x86_64.rpm
lib64glib2.0-devel-2.66.8-1.mga8.x86_64.rpm
lib64glib2.0-static-devel-2.66.8-1.mga8.x86_64.rpm
mingw32-glib2-2.66.8-1.mga8.noarch.rpm
mingw32-glib2-static-2.66.8-1.mga8.noarch.rpm
mingw64-glib2-2.66.8-1.mga8.noarch.rpm
mingw64-glib2-static-2.66.8-1.mga8.noarch.rpm
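
Added example, not part of the advisory and not GLib's code: the dangling-symlink effect described above, reproduced with plain POSIX calls. An in-place open() with O_CREAT follows the link and creates its target (here with content rather than empty), while writing a temporary file and rename()-ing it over the path replaces the link itself. The /tmp/symlink-demo.* directory and all function names are assumptions made for the demonstration.

```c
/* Added example (plain POSIX, not GLib code); paths and names are constructed. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write in place: open() follows the symlink, so a dangling link's target is created. */
static int write_following(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Replace the entry: temp file beside it, then rename(), which swaps out the link itself. */
static int replace_destination(const char *path, const char *data) {
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data) && fsync(fd) == 0;
    close(fd);
    if (ok && rename(tmp, path) == 0) return 0;
    unlink(tmp);
    return -1;
}

/* <dir>/moo links to the missing <dir>/target; 1 = target created, 0 = not, -1 = error. */
static int target_created_after(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/symlink-demo.XXXXXX";
    char linkpath[64], target[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(linkpath, sizeof linkpath, "%s/moo", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    int rc = symlink(target, linkpath) == 0 ? writer(linkpath, "moo\n") : -1;
    int created = lstat(target, &st) == 0;
    unlink(linkpath); unlink(target); rmdir(dir);
    return rc == 0 ? created : -1;
}

int main(void) {
    printf("in-place open: %d, temp file + rename: %d\n", target_created_after(write_following), target_created_after(replace_destination));
    return 0;
}
```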
Blocks: (none) => 28520
mga8, x64

Working on this: CVE-2021-28153
https://gitlab.gnome.org/GNOME/glib/-/issues/2325

Downloaded the symlink.tar file. Checked that there were no old moo files lying about.
Launched caja in the target directory. Selected symlink.tar then Extract.
This extracted a text file to the target directory with contents "moo" and also created an empty file /tmp/moo. No sign of a symbolic link though. Not sure what to make of that. Upstream uses file-roller but file-roller does not work for me.

Edited /tmp/moo to contain a line of text. Removed moo from the target directory and ran the exercise again.
$ cat moo
moo
$ cat /tmp/moo
Been here before.

So, no overwrite of existing /tmp file.

Created an empty moo file in /tmp.
$ rm -f moo
$ touch moo
Back to target directory and followed the loop again.
$ rm -f moo
$ caja .
Ran Extract on symlink.tar again.
No change. Local text file moo appears and /tmp contains an empty moo file.

Still do not know what to make of it. Shall go ahead with the update but I do not expect anything to change.
CC: (none) => tarazed25
Updated glib2 and mingw64-glib2 packages.

Started with no moo file in target or /tmp directories. The extraction created a moo file in the target directory, nothing in /tmp.
Repeated the extraction after removing target moo file and creating empty file moo in /tmp. Again, nothing untoward happened. /tmp/moo is untouched and there is no symlink.

This represents an improvement over the previous behaviour where an unwanted moo file was created in /tmp. As said, I am not too sure about these tests but the impression given is that there is no longer a problem.

gedit occurs in the list of applications using glib2.0. Tried editing a short file.
$ strace -o gedit.trace gedit
$ grep glib gedit.trace
.....
openat(AT_FDCWD, "/home/lcl/.local/share/glib-2.0/schemas/gschemas.compiled", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libdbus-glib-1.so.2", O_RDONLY|O_CLOEXEC) = 11

$ strace -o im.trace identify Pictures/Vanuata.jpg
...................
$ grep glib im.trace
openat(AT_FDCWD, "/lib64/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3

$ strace -o parole.trace parole Transports_du_futur.mp4
$ grep glib parole.trace
openat(AT_FDCWD, "/lib64/libdbus-glib-1.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3

All these applications work fine.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 0.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-28153
Source RPM: glib2.0 => glib2.0-2.66.7-1.mga8.src.rpm
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0162.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Ubuntu has issued an advisory for this on March 15: https://ubuntu.com/security/notices/USN-4764-1
Fedora has issued an advisory for this on March 22: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6RXTD5HCP2K4AAUSWWZTBKQNHRCTAEOF/