Bug 28612 - glib2.0 new security issue CVE-2021-28153
Summary: glib2.0 new security issue CVE-2021-28153
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 28520
Reported: 2021-03-18 17:13 CET by Thomas Backlund
Modified: 2021-05-29 19:34 CEST

See Also:
Source RPM: glib2.0-2.66.7-1.mga8.src.rpm
CVE: CVE-2021-28153
Status comment:



Description Thomas Backlund 2021-03-18 17:13:47 CET
Advisory:
An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace()
is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is
a dangling symlink, it incorrectly also creates the target of the symlink
as an empty file, which could conceivably have security relevance if the
symlink is attacker-controlled. (If the path is a symlink to a file that
already exists, then the contents of that file correctly remain unchanged.)
(CVE-2021-28153) 

SRPMS:
glib2.0-2.66.8-1.mga8.src.rpm
mingw-glib2-2.66.8-1.mga8.src.rpm


i586:
glib2.0-common-2.66.8-1.mga8.i586.rpm
glib2.0-tests-2.66.8-1.mga8.i586.rpm
glib-gettextize-2.66.8-1.mga8.i586.rpm
libgio2.0_0-2.66.8-1.mga8.i586.rpm
libglib2.0_0-2.66.8-1.mga8.i586.rpm
libglib2.0-devel-2.66.8-1.mga8.i586.rpm
libglib2.0-static-devel-2.66.8-1.mga8.i586.rpm

mingw32-glib2-2.66.8-1.mga8.noarch.rpm
mingw32-glib2-static-2.66.8-1.mga8.noarch.rpm
mingw64-glib2-2.66.8-1.mga8.noarch.rpm
mingw64-glib2-static-2.66.8-1.mga8.noarch.rpm



x86_64:
glib2.0-common-2.66.8-1.mga8.x86_64.rpm
glib2.0-tests-2.66.8-1.mga8.x86_64.rpm
glib-gettextize-2.66.8-1.mga8.x86_64.rpm
lib64gio2.0_0-2.66.8-1.mga8.x86_64.rpm
lib64glib2.0_0-2.66.8-1.mga8.x86_64.rpm
lib64glib2.0-devel-2.66.8-1.mga8.x86_64.rpm
lib64glib2.0-static-devel-2.66.8-1.mga8.x86_64.rpm

mingw32-glib2-2.66.8-1.mga8.noarch.rpm
mingw32-glib2-static-2.66.8-1.mga8.noarch.rpm
mingw64-glib2-2.66.8-1.mga8.noarch.rpm
mingw64-glib2-static-2.66.8-1.mga8.noarch.rpm
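The advisory above describes a path that is a dangling symlink being "replaced" in a way that creates the link target. The following plain POSIX C model is an added example, not GLib code: naive_replace stands in for the unfixed path (an open() that follows the dangling link), safe_replace for the intended G_FILE_CREATE_REPLACE_DESTINATION behaviour (replace the path itself rather than follow the link), and probe is a constructed regression check with scratch paths under /tmp.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive replace: open(2) with O_CREAT follows a dangling symlink and creates
 * the link TARGET as a new file, the behaviour the advisory describes. */
static int naive_replace(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Link-safe replace: write a temp file beside the destination and rename()
 * it over the path. rename() does not follow a symlink at the destination,
 * so the link itself is replaced and whatever it pointed at is untouched. */
static int safe_replace(const char *path, const char *data) {
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    if (n < 0 || rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Probe: make a dangling symlink moo.link -> moo in a scratch directory,
 * "replace" moo.link with the given function, and report whether the link
 * target moo came into existence. 1 = target created (vulnerable pattern),
 * 0 = target still absent (fixed behaviour), -1 = setup error. */
static int probe(int (*replace)(const char *, const char *)) {
    char dir[] = "/tmp/cve-2021-28153-probe-XXXXXX";  /* constructed path */
    char link[4096], target[4096];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/moo.link", dir);
    snprintf(target, sizeof target, "%s/moo", dir);
    if (symlink(target, link) != 0) return -1;   /* dangling: moo is absent */
    replace(link, "moo\n");
    int created = (stat(target, &st) == 0);      /* stat follows the link */
    unlink(target); unlink(link); rmdir(dir);
    return created;
}
```

probe(naive_replace) returns 1 (the target appears, as in the unfixed behaviour) and probe(safe_replace) returns 0 (only the link is replaced).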
David Walser 2021-03-18 20:59:56 CET

Blocks: (none) => 28520

Comment 1 Len Lawrence 2021-03-25 20:14:33 CET
mga8, x64

Working on this:
CVE-2021-28153
https://gitlab.gnome.org/GNOME/glib/-/issues/2325
Downloaded the symlink.tar file.
Checked that there were no old moo files lying about.
Launched caja in the target directory.
Selected symlink.tar then Extract.
This extracted a text file to the target directory with contents "moo" and also created an empty file /tmp/moo.  No sign of a symbolic link though.

Not sure what to make of that.  Upstream uses file-roller but file-roller does not work for me.

Edited /tmp/moo to contain a line of text.
Removed moo from the target directory and ran the exercise again.
$ cat moo
moo
$ cat /tmp/moo
Been here before.

So, no overwrite of existing /tmp file.
Created an empty moo file in /tmp.
$ rm -f moo
$ touch moo
Back to target directory and followed the loop again.
$ rm -f moo
$ caja .
Ran Extract on symlink.tar again.
No change.  Local text file moo appears and /tmp contains an empty moo file.

Still do not know what to make of it.

Shall go ahead with the update but I do not expect anything to change.

CC: (none) => tarazed25

Comment 2 Len Lawrence 2021-03-27 01:28:04 CET
Updated glib2 and mingw64-glib2 packages.

Started with no moo file in target or /tmp directories.  The extraction created a moo file in the target directory, nothing in /tmp.
Repeated the extraction after removing target moo file and creating empty file moo in /tmp.
Again, nothing untoward happened.  /tmp/moo is untouched and there is no symlink.

This represents an improvement over the previous behaviour where an unwanted moo file was created in /tmp.

As said, I am not too sure about these tests but the impression given is that there is no longer a problem.

gedit occurs in the list of applications using glib2.0.  Tried editing a short file.
$ strace -o gedit.trace gedit 
$ grep glib gedit.trace
.....
openat(AT_FDCWD, "/home/lcl/.local/share/glib-2.0/schemas/gschemas.compiled", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libdbus-glib-1.so.2", O_RDONLY|O_CLOEXEC) = 11

$ strace -o im.trace identify Pictures/Vanuata.jpg
...................
$ grep glib im.trace 
openat(AT_FDCWD, "/lib64/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3

$ strace -o parole.trace parole Transports_du_futur.mp4
$ grep glib parole.trace
openat(AT_FDCWD, "/lib64/libdbus-glib-1.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3

All these applications work fine.

Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2021-03-27 15:14:17 CET
Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-03-30 17:00:38 CEST

CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-28153
Source RPM: glib2.0 => glib2.0-2.66.7-1.mga8.src.rpm

Comment 4 Mageia Robot 2021-03-30 22:11:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0162.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2021-05-28 20:16:31 CEST
Ubuntu has issued an advisory for this on March 15:
https://ubuntu.com/security/notices/USN-4764-1

Comment 6 David Walser 2021-05-29 19:34:11 CEST
Fedora has issued an advisory for this on March 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6RXTD5HCP2K4AAUSWWZTBKQNHRCTAEOF/
