Bug 1938284 (CVE-2021-3800)
Summary: | CVE-2021-3800 glib2: Possible privilege escalation through pkexec and aliases | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | caillon+fedoraproject, erack, erik-fedora, fedora, fidencio, gecko-bugs-nobody, gnome-sig, jhorak, kai-engert-fedora, kaycoth, klember, manisandro, marcandre.lureau, mcatanza, mclasen, pahan, paul, pjasicek, rdieter, rhel8-maint, rh-spice-bugs, rhughes, rjones, rstrode, sandmann, stransky, tiagomatos, tpopela, vmugicag, walters |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | glib2 2.63.6 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-11-09 19:51:41 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1946551, 1946555, 1946556, 1946559, 1946560, 1938285, 1938287, 1938288, 1938289, 1938290, 1944740, 1944742, 1944743, 1944744, 1944745, 1944746, 1946549, 1946550, 1946552, 1946553, 1946554, 1946557, 1946558 | ||
Bug Blocks: | 1935348 |
Description
Pedro Sampaio
2021-03-12 17:14:15 UTC
Created firefox tracking bugs for this issue:

Affects: fedora-all [bug 1938290]

Created glib tracking bugs for this issue:

Affects: epel-7 [bug 1938288]
Affects: fedora-all [bug 1938287]

Created glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1938285]

Created mingw-glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1938289]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4385 https://access.redhat.com/errata/RHSA-2021:4385

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3800

pkexec is an application used to authorize one user to execute a program as another user, and it is not exposed through the network; hence Red Hat considers the Attack Vector as local. For a successful attack to be executed, the attacker needs to set the right charset and trick the user into executing pkexec, and as a consequence it may leak partial, uncontrolled contents from privileged files to the attacker.