CVE-2021-28153

Published: 3/11/2021 Last updated: 8/3/2024 Reserved: 3/11/2021

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)

CNA assigner: mitre (8254265b-2729-46b6-b9e3-3dfca2d5bfca) Requested by: n/a

Opam packages affected (1)

conf-glib-2

Products affected (1)

Product	Vendor	Version
n/a	n/a	43.4

References (12)

https://gitlab.gnome.org/GNOME/glib/-/issues/2325
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6RXTD5HCP2K4AAUSWWZTBKQNHRCTAEOF/
https://security.netapp.com/advisory/ntap-20210416-0003/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUTQPHZNZWX2DZR46QFLQZRHVMHIILJ/
https://security.gentoo.org/glsa/202107-13
https://lists.debian.org/debian-lts-announce/2022/06/msg00006.html
https://gitlab.gnome.org/GNOME/glib/-/issues/2325
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6RXTD5HCP2K4AAUSWWZTBKQNHRCTAEOF/
https://security.netapp.com/advisory/ntap-20210416-0003/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUTQPHZNZWX2DZR46QFLQZRHVMHIILJ/
https://security.gentoo.org/glsa/202107-13
https://lists.debian.org/debian-lts-announce/2022/06/msg00006.html