Bug 1938284 (CVE-2021-3800)

Summary: CVE-2021-3800 glib2: Possible privilege escalation through pkexec and aliases
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: caillon+fedoraproject, erack, erik-fedora, fedora, fidencio, gecko-bugs-nobody, gnome-sig, jhorak, kai-engert-fedora, kaycoth, klember, manisandro, marcandre.lureau, mcatanza, mclasen, pahan, paul, pjasicek, rdieter, rhel8-maint, rh-spice-bugs, rhughes, rjones, rstrode, sandmann, stransky, tiagomatos, tpopela, vmugicag, walters
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: glib2 2.63.6
Last Closed: 2021-11-09 19:51:41 UTC
Bug Depends On: 1946551, 1946555, 1946556, 1946559, 1946560, 1938285, 1938287, 1938288, 1938289, 1938290, 1944740, 1944742, 1944743, 1944744, 1944745, 1944746, 1946549, 1946550, 1946552, 1946553, 1946554, 1946557, 1946558
Bug Blocks: 1935348

Description Pedro Sampaio 2021-03-12 17:14:15 UTC
A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.

Upstream patch:

https://gitlab.gnome.org/GNOME/glib/commit/3529bb4450a51995

References:

https://www.openwall.com/lists/oss-security/2017/06/23/8

Comment 1 Pedro Sampaio 2021-03-12 17:15:41 UTC
Created firefox tracking bugs for this issue:

Affects: fedora-all [bug 1938290]


Created glib tracking bugs for this issue:

Affects: epel-7 [bug 1938288]
Affects: fedora-all [bug 1938287]


Created glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1938285]


Created mingw-glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1938289]

Comment 6 errata-xmlrpc 2021-11-09 18:32:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4385 https://access.redhat.com/errata/RHSA-2021:4385

Comment 7 Product Security DevOps Team 2021-11-09 19:51:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3800

Comment 8 Marco Benatto 2023-04-06 21:02:59 UTC
pkexec is an application used to authorize one user to execute a program as another user, and it's not exposed through the network; hence Red Hat considers the Attack Vector as local. For a successful attack to be executed, the attacker needs to set the right charset and trick the user into executing pkexec, and as a consequence it may leak partial, uncontrolled contents from privileged files to the attacker.