Bug#984969: libglib2.0-0: g_file_replace() with G_FILE_CREATE_REPLACE_DESTINATION creates empty target for dangling symlink
Simon McVittie
smcv at debian.org
Thu Mar 11 10:40:11 GMT 2021
Package: libglib2.0-0
Version: 2.66.7-1
Severity: important
Tags: security fixed-upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib/-/issues/2325
Control: affects -1 file-roller
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to
replace a path that is a dangling symlink, it incorrectly also creates
the target of the symlink as an empty file, which could conceivably be
security-sensitive if the symlink is attacker-controlled.

This is fixed in the upstream glib-2-66 branch.

Mitigation: creating a non-empty file does not appear to be possible,
and overwriting an existing file via a non-dangling symlink also does
not appear to be possible.

This can affect GNOME's file-roller, and probably other GLib-based
unarchivers, when unpacking an attacker-controlled archive.

I've requested a CVE ID from MITRE.

    smcv
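
Added example, not part of the original report and not GLib's code: a regression-style check of the general POSIX open(2) behaviour behind this class of bug, comparing a replace that follows a dangling symlink with one that unlinks the path and creates it with O_EXCL | O_NOFOLLOW. The function names and the scratch directory under /tmp are hypothetical and constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive replace (hypothetical): O_CREAT without O_EXCL/O_NOFOLLOW follows a
 * dangling symlink at `path` and creates the symlink's target as an empty file. */
static int replace_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened replace (hypothetical): remove whatever directory entry is at
 * `path`, then create it exclusively and refuse a symlink as final component. */
static int replace_hardened(const char *path) {
    if (unlink(path) != 0 && errno != ENOENT)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Builds a constructed scratch dir holding link -> target (dangling), runs one
 * variant on link, and returns 1 if target now exists, 0 if not, -1 on error. */
int target_created_after(int hardened) {
    char dir[] = "/tmp/dangling-XXXXXX";
    char link_path[64], target[64];
    struct stat st;
    if (!mkdtemp(dir))
        return -1;
    snprintf(link_path, sizeof link_path, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link_path) != 0)
        return -1;
    int fd = hardened ? replace_hardened(link_path) : replace_naive(link_path);
    if (fd >= 0)
        close(fd);
    int created = (lstat(target, &st) == 0);   /* did the symlink target appear? */
    unlink(link_path);
    unlink(target);
    rmdir(dir);
    return created;
}

int main(void) {
    printf("naive:    target created = %d\n", target_created_after(0));
    printf("hardened: target created = %d\n", target_created_after(1));
    return 0;
}
```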