[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#986001: buster-pu: package glib2.0/2.58.3-2+deb10u3

Control: tags -1 + confirmed d-i

On Sat, 2021-03-27 at 17:21 +0000, Simon McVittie wrote:
> Backport security fixes from testing/unstable. The security team say
> they do not intend to issue a DSA for these.
> [ Impact ]
> * CVE-2021-28153: symlink attack allowing an attacker to create an
> empty
>   regular file in a location of their choice when a malicious archive
> is
>   unpacked with file-roller
> * CVE-2021-27219: integer overflow that can cause at least a crash
> (DoS),
>   and maybe code execution, in a setuid program from policykit-1
> * CVE-2021-27218: another integer overflow, not known to be
> exploitable
> * various other integer overflows fixed at the same time as CVE-2021-
> 27219,
>   which are not known to be exploitable
> Please see 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984969#26 if
> more information is required.
> [ Tests ]
> I'm trying the proposed version with normal use on a GNOME laptop and
> some servers. The autopkgtests are fairly extensive, and still pass,
> including new coverage for CVE-2021-28153. The proof-of-concept
> exploits for CVE-2021-27219 and CVE-2021-28153 also now fail.

Apologies for letting this fall through the cracks for a while.

As glib2.0 produces a udeb, this will need a KiBi-ack, so CCing and
tagging appropriately.



Reply to: