
Bug#985098: unblock: glib2.0/2.66.7-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package glib2.0

[ Reason ]
Fix a symlink attack in file-roller (CVE-2021-28153)

[ Impact ]
Unpacking a malicious archive with file-roller (or other users of the
gnome-autoar library) could result in creation of an empty regular file
in an attacker-controlled location. Other code that uses a specific
GLib API call to replace a dangling symlink with a regular file could
be affected similarly.

(This has a CVE ID, but is not *that* serious: arbitrary file overwrite
doesn't seem to be possible.)

[ Tests ]
The proposed patch includes new test coverage, which gets run at build-time
and in the autopkgtests. I also tried the proof-of-concept provided on the
upstream bug, which now fails.

[ Risks ]
This is a key package and a dependency of many high-visibility packages,
but the changes are reasonably straightforward, have test coverage and
have been reviewed.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock glib2.0/2.66.7-2
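The failure mode described under [ Impact ] (a writer that means to create a regular file, but is handed a dangling symlink planted by someone else and ends up creating the file at the link's target) comes down to how the underlying open(2) call is made. The following is an added example, not code from this unblock request, from GLib or from gnome-autoar; it does not use the unnamed GLib API at all but reproduces the pattern with plain POSIX calls so that a packager can check their own file-creation code. It assumes a writable TMPDIR (or /tmp, with the working directory as fallback) and a filesystem that supports symlinks; the link's target is kept inside the scratch directory so the demonstration is harmless.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a scratch directory; returns 0 on success, with the path in dir. */
static int make_scratch_dir(char *dir, size_t len)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    snprintf(dir, len, "%s/symlink-demo.XXXXXX", base);
    if (mkdtemp(dir) != NULL)
        return 0;
    /* Fall back to the working directory if TMPDIR is unusable. */
    snprintf(dir, len, "%s", "./symlink-demo.XXXXXX");
    return mkdtemp(dir) != NULL ? 0 : -1;
}

/*
 * Simulate a writer that wants to create "victim" as a regular file, where
 * "victim" has already been planted as a dangling symlink to "target"
 * (a constructed, harmless location inside the scratch directory).
 *
 * follow_links == 1: naive open(O_CREAT), which follows the dangling link
 *                    and creates an empty regular file at the target.
 * follow_links == 0: hardened open(O_CREAT|O_EXCL|O_NOFOLLOW), which refuses
 *                    to create anything through a symlink.
 *
 * Returns 1 if the link's target now exists (the vulnerable behaviour),
 * 0 if it does not, and -1 if the scratch setup failed.
 */
int replace_through_dangling_link(int follow_links)
{
    char dir[256], victim[512], target[512];
    if (make_scratch_dir(dir, sizeof dir) != 0)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(target, sizeof target, "%s/target", dir);

    /* Dangling link: the target does not exist yet. */
    if (symlink(target, victim) != 0) {
        rmdir(dir);
        return -1;
    }

    int flags = O_WRONLY | O_CREAT;
    if (!follow_links)
        flags |= O_EXCL | O_NOFOLLOW;
    int fd = open(victim, flags, 0644);
    if (fd >= 0)
        close(fd);
    /* In the hardened case open() fails (EEXIST or ELOOP) and fd is -1. */

    struct stat st;
    int target_exists = (lstat(target, &st) == 0);

    /* Clean up the scratch directory. */
    unlink(target);
    unlink(victim);
    rmdir(dir);
    return target_exists;
}

int main(void)
{
    printf("naive O_CREAT through a dangling link creates the target: %d\n",
           replace_through_dangling_link(1));
    printf("O_CREAT|O_EXCL|O_NOFOLLOW creates the target: %d\n",
           replace_through_dangling_link(0));
    return 0;
}
```

The first call returns 1 and the second 0 on Linux: O_EXCL makes open() fail whenever the final path component is a symlink, and O_NOFOLLOW independently refuses to traverse it, so either flag alone closes the hole. When auditing code that replaces files, the thing to look for is a create-or-truncate open on a path the process does not fully control, with neither flag set.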
