Bug 1938291 (CVE-2021-28153)

Summary: CVE-2021-28153 glib: g_file_replace() with G_FILE_CREATE_REPLACE_DESTINATION creates empty target for dangling symlink
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: caillon+fedoraproject, erack, erik-fedora, fedora, fidencio, gnome-sig, jhorak, kaycoth, klember, manisandro, marcandre.lureau, mcatanza, mclasen, mdean, nobody, pahan, paul, rdieter, rhel8-maint, rh-spice-bugs, rhughes, rjones, rstrode, sandmann, stransky, tiagomatos, tpopela, vmugicag, walters
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: glib 2.67.6
Last Closed: 2021-11-09 19:52:15 UTC
Bug Depends On: 1938292, 1938293, 1938294, 1938295, 1939116, 1939117, 1939118, 1939119, 1939120
Bug Blocks: 1938296

Description Guilherme de Almeida Suckevicz 2021-03-12 17:21:58 UTC
An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)

References:
https://gitlab.gnome.org/GNOME/glib/-/issues/2325
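
The behaviour described above, reduced to plain POSIX calls, as an added example that is not GLib's code or part of the original report: `write_following_link` shows the symptom (a create-style open through a dangling symlink creates the link's target), and `replace_destination` replaces the link itself through a sibling temporary file and `rename()`, leaving the target untouched. The function names and the `/tmp` scratch directory are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700   /* lstat, symlink, mkstemp, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path is a symlink whose target does not exist. */
int is_dangling_symlink(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISLNK(st.st_mode)) return 0;
    return stat(path, &st) != 0 && errno == ENOENT;
}
/* Symptom from the report: a create-style open follows the link and creates its target. */
int write_following_link(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    return (close(fd) == 0 && n == (ssize_t)strlen(data)) ? 0 : -1;
}
/* Replace the directory entry itself: write a sibling temp file, rename() it over path. */
int replace_destination(const char *path, const char *data) {
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);   /* creates exclusively, so it never follows an existing link */
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    int ok = close(fd) == 0 && n == (ssize_t)strlen(data) && rename(tmp, path) == 0;
    if (!ok) unlink(tmp);
    return ok ? 0 : -1;
}
/* Constructed scenario in a fresh temp dir: 1 if the link's target exists afterwards. */
int target_created(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/dangling.XXXXXX", lnk[64], target[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lnk) != 0 || !is_dangling_symlink(lnk)) return -1;
    if (writer(lnk, "new contents\n") != 0) return -1;
    int created = (access(target, F_OK) == 0);
    unlink(lnk); unlink(target); rmdir(dir);
    return created;
}
int main(void) {
    printf("open(O_CREAT) through link: target created = %d\n", target_created(write_following_link));
    printf("temp file + rename():       target created = %d\n", target_created(replace_destination));
}
```

`is_dangling_symlink` can also serve as a pre-write check in code that must run against a GLib build older than the fixed version.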

Comment 1 Guilherme de Almeida Suckevicz 2021-03-12 17:22:34 UTC
Created glib tracking bugs for this issue:

Affects: epel-7 [bug 1938293]
Affects: fedora-all [bug 1938292]


Created glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1938294]


Created mingw-glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1938295]

Comment 4 juneau 2021-03-22 15:04:18 UTC
Marking all Hosted* as "notaffected" as this appears to be limited to GNOME which is not present.

Comment 6 errata-xmlrpc 2021-11-09 18:32:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4385 https://access.redhat.com/errata/RHSA-2021:4385

Comment 7 Product Security DevOps Team 2021-11-09 19:52:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28153

Comment 8 errata-xmlrpc 2022-11-15 11:09:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8418 https://access.redhat.com/errata/RHSA-2022:8418