Re: Bug#986001: buster-pu: package glib2.0/2.58.3-2+deb10u3
Control: tags -1 + confirmed d-i
On Sat, 2021-03-27 at 17:21 +0000, Simon McVittie wrote:
> Backport security fixes from testing/unstable. The security team say
> they do not intend to issue a DSA for these.
>
> [ Impact ]
> * CVE-2021-28153: symlink attack allowing an attacker to create an
> empty
> regular file in a location of their choice when a malicious archive
> is
> unpacked with file-roller
> * CVE-2021-27219: integer overflow that can cause at least a crash
> (DoS),
> and maybe code execution, in a setuid program from policykit-1
> * CVE-2021-27218: another integer overflow, not known to be
> exploitable
> * various other integer overflows fixed at the same time as CVE-2021-
> 27219,
> which are not known to be exploitable
>
> Please see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984969#26 if
> more information is required.
>
> [ Tests ]
> I'm trying the proposed version with normal use on a GNOME laptop and
> some servers. The autopkgtests are fairly extensive, and still pass,
> including new coverage for CVE-2021-28153. The proof-of-concept
> exploits for CVE-2021-27219 and CVE-2021-28153 also now fail.
Apologies for letting this fall through the cracks for a while.
As glib2.0 produces a udeb, this will need a KiBi-ack, so CCing and
tagging appropriately.
Regards,
Adam
Reply to: