Bug#985098: unblock: glib2.0/2.66.7-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package glib2.0
[ Reason ]
Fix a symlink attack in file-roller (CVE-2021-28153)
[ Impact ]
Unpacking a malicious archive with file-roller (or other users of the
gnome-autoar library) could result in creation of an empty regular file
in an attacker-controlled location. Other code that uses a specific
GLib API call to replace a dangling symlink with a regular file could
be affected similarly.
(This has a CVE ID, but is not *that* serious: arbitrary file overwrite
doesn't seem to be possible.)
[ Tests ]
The proposed patch includes new test coverage, which gets run at build-time
and in the autopkgtests. I also tried the proof-of-concept provided on the
upstream bug, which now fails.
[ Risks ]
This is a key package and a dependency of many high-visibility packages,
but the changes are reasonably straightforward, have test coverage and
have been reviewed.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock glib2.0/2.66.7-2
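The mechanism described under [Impact], as an added example that is not part of this bug report, of GLib, or of gnome-autoar: a small POSIX C program that plants a dangling symlink named "extracted" (standing in for an entry an attacker placed in the archive) and then "extracts" a file to that name two ways. The first, open(2) with O_CREAT, follows the link and creates an empty regular file at the link target, which is the attacker-controlled location; the second removes the link itself and opens with O_NOFOLLOW, so the destination is replaced rather than written through. The directory layout, the names "extracted" and "victim", and the two helper functions are assumptions for the demonstration; GLib's own API and its actual patch are not reproduced here.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: open(2) with O_CREAT follows a dangling symlink and
 * creates (or truncates) whatever the link points at. If an archive entry
 * plants "extracted" as a symlink and a later entry writes "extracted",
 * the write lands at the link target, not at "extracted" itself. */
static int create_following_links(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Hardened pattern for "replace the destination": if the destination is a
 * symlink, remove the link rather than writing through it, then open with
 * O_NOFOLLOW so a link raced in between the unlink and the open fails with
 * ELOOP instead of being followed. (Assumed demo helper, not GLib's fix.) */
static int create_replacing_link(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) {
        if (unlink(path) != 0)
            return -1;
    }
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Builds the scenario in a fresh private temp dir: "extracted" is a dangling
 * symlink to "victim" (constructed stand-in for an attacker-chosen path).
 * Runs create_fn on the link and reports the resulting state as a bitmask:
 *   bit 0: "victim" now exists      (the write went through the link)
 *   bit 1: "extracted" is a regular file (the link itself was replaced)
 * Returns -1 if the scenario could not be set up. */
static int run_scenario(int (*create_fn)(const char *))
{
    char dir[] = "/tmp/dangling-symlink-demo.XXXXXX";
    char link[512], victim[512];
    struct stat st;
    int result = 0;

    if (mkdtemp(dir) == NULL) {
        /* Fall back to the working directory if /tmp is not usable. */
        strcpy(dir, "./dangling-symlink-demo.XXXXXX");
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(link, sizeof link, "%s/extracted", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, link) != 0)
        return -1;

    (void)create_fn(link); /* we inspect the filesystem, not the return code */

    if (lstat(victim, &st) == 0)
        result |= 1;
    if (lstat(link, &st) == 0 && S_ISREG(st.st_mode))
        result |= 2;

    unlink(victim);
    unlink(link);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("open() following links: %d (1 = empty file created at the link target)\n",
           run_scenario(create_following_links));
    printf("unlink + O_NOFOLLOW:    %d (2 = the symlink itself was replaced)\n",
           run_scenario(create_replacing_link));
    return 0;
}
```

Two caveats a practitioner would want: O_NOFOLLOW only refuses a symlink in the final path component, so an archive extractor also has to avoid symlinked intermediate directories (typically by resolving paths relative to a directory file descriptor of the extraction root with openat(2)); and because the demo runs in a private 0700 directory, the kernel's fs.protected_symlinks restriction, which only applies to world-writable sticky directories, does not mask the behaviour shown.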