Bug 2342463 (CVE-2024-45339) - CVE-2024-45339 github.com/golang/glog: Vulnerability when creating log files in github.com/golang/glog
Summary: CVE-2024-45339 github.com/golang/glog: Vulnerability when creating log files ...
Keywords:
Status: NEW
Alias: CVE-2024-45339
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2342517 2342518 2342519 2342520 2342521 2342522 2342523 2342524 2342525 2342526 2342527 2342528 2342529 2342530 2342531 2342532 2342533 2342534 2342535 2342536
Blocks:
Reported: 2025-01-28 02:01 UTC by OSIDB Bzimport
Modified: 2025-01-28 18:35 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-01-28 02:01:13 UTC
When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.
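
An added example (not glog's code and not part of this bug report) contrasting the two behaviours the description names: an open that follows a pre-existing symlink at the log path, and an exclusive create that refuses it. The helper names `openLog` and `scenario`, the file names, and the use of `O_EXCL` to get the "fail if it already exists" behaviour are assumptions for illustration; everything runs inside a temporary directory.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// openLog opens a log file. With excl=true, O_EXCL makes the open fail if
// anything (even a symlink) already exists at path; otherwise a link is followed.
func openLog(path string, excl bool) (*os.File, error) {
	flags := os.O_WRONLY | os.O_CREATE | os.O_TRUNC
	if excl {
		flags = os.O_WRONLY | os.O_CREATE | os.O_EXCL
	}
	return os.OpenFile(path, flags, 0o600)
}

// scenario plants a symlink at the log path (constructed names) and reports
// whether the open was refused and what the link target contains afterwards.
func scenario(excl bool) (bool, string, error) {
	dir, err := os.MkdirTemp("", "logdemo")
	if err != nil {
		return false, "", err
	}
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "sensitive.conf")
	logPath := filepath.Join(dir, "app.log.INFO")
	if err := os.WriteFile(target, []byte("original"), 0o600); err != nil {
		return false, "", err
	}
	if err := os.Symlink(target, logPath); err != nil {
		return false, "", err
	}
	f, openErr := openLog(logPath, excl)
	if openErr == nil {
		fmt.Fprintln(f, "log line")
		f.Close()
	}
	data, err := os.ReadFile(target)
	return errors.Is(openErr, fs.ErrExist), string(data), err
}

func main() {
	fmt.Println(scenario(false)) // link followed, target overwritten
	fmt.Println(scenario(true))  // open refused, target intact
}
```

A caller that gets the "already exists" error can then stop, as the description says glog now does by exiting with status code 2.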

