CVE-2021-28153

Name
CVE-2021-28153
Description
An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)
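The following is an added example and not GLib's own code: it reproduces the behaviour the description calls out using plain POSIX calls, so the difference between a "replace destination" that opens the path and one that only renames over it is visible on any Linux box. A dangling symlink is created in a temporary directory, each strategy replaces it, and the program reports whether the symlink's target was created as a side effect. The function names, the probe-with-open() illustration of the bug, and the /tmp layout are assumptions of this example, not a description of GLib's internal code path.

```c
/* Added example (not GLib code): reproduces the behaviour CVE-2021-28153
 * describes with plain POSIX calls and shows the replace strategy that avoids
 * it. Function names and the /tmp layout are assumptions of this example. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path is a symlink whose target does not exist (dangling), else 0. */
static int is_dangling_symlink(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISLNK(st.st_mode)) return 0;
    return (stat(path, &st) != 0 && errno == ENOENT);
}

/* Write data to a temporary file beside path and rename() it over path.
 * rename() swaps the directory entry itself, so a symlink at path is replaced
 * and its target is never opened or created. */
static int write_tmp_and_rename(const char *path, const char *data) {
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    if (write(fd, data, strlen(data)) != (ssize_t)strlen(data) || fsync(fd) != 0) {
        close(fd); unlink(tmp); return -1;
    }
    close(fd);
    if (rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Correct "replace destination": no call ever follows the symlink. */
static int replace_destination_fixed(const char *path, const char *data) {
    return write_tmp_and_rename(path, data);
}

/* Buggy variant (illustration, not GLib's code): probes the destination with
 * open(O_CREAT) before replacing it. open() follows a dangling symlink and
 * creates its target as an empty file, the side effect the advisory describes. */
static int replace_destination_buggy(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0) return -1;
    close(fd);
    return write_tmp_and_rename(path, data);
}

enum { TARGET_CREATED = 1, DEST_STILL_SYMLINK = 2 };

/* Set up <dir>/link -> <dir>/target (dangling), run one replace strategy on
 * link, and report what is left behind as a bitmask. Returns -1 on error. */
static int run_scenario(int (*replace)(const char *, const char *)) {
    char dir[] = "/tmp/cve-2021-28153-demo.XXXXXX";  /* constructed scratch dir */
    char link[4096], target[4096];
    struct stat st;
    int result = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link) != 0 || !is_dangling_symlink(link)) return -1;

    if (replace(link, "new contents\n") != 0) return -1;

    if (stat(target, &st) == 0) result |= TARGET_CREATED;
    if (lstat(link, &st) == 0 && S_ISLNK(st.st_mode)) result |= DEST_STILL_SYMLINK;

    unlink(target); unlink(link); rmdir(dir);
    return result;
}

int main(void) {
    int buggy = run_scenario(replace_destination_buggy);
    int fixed = run_scenario(replace_destination_fixed);
    printf("buggy: target created=%d  fixed: target created=%d\n",
           (buggy & TARGET_CREATED) != 0, (fixed & TARGET_CREATED) != 0);
    return (buggy < 0 || fixed < 0) ? 1 : 0;
}
```

The security-relevant point is the one in the description: if the symlink is attacker-controlled, the buggy strategy lets the caller be tricked into creating a file at a path the attacker chose, even though the destination itself ends up correctly replaced. The is_dangling_symlink() check is the precondition a caller can test with lstat() before handing a path to an older GLib's g_file_replace(); the fixed strategy shows that a rename-based replace needs no probe of the destination at all.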
NVD Severity
medium
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Exploit https://gitlab.gnome.org/GNOME/glib/-/issues/2325
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6RXTD5HCP2K4AAUSWWZTBKQNHRCTAEOF/
CONFIRM https://security.netapp.com/advisory/ntap-20210416-0003/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUTQPHZNZWX2DZR46QFLQZRHVMHIILJ/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gnome:glib:*:*:*:*:*:*:*:* glib >= None < 2.66.8

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
glib 3.12-main 2.64.6-r0 Rasmus Thomsen <oss@cogitri.dev> possibly vulnerable
glib 3.11-main 2.62.6-r0 Rasmus Thomsen <oss@cogitri.dev> possibly vulnerable
glib 3.10-main 2.60.4-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable