PT-2021-5823 · Gnome+9 · Gnome Glib+9

Published: 2021-03-10 · Updated: 2024-02-27 · CVE-2021-28153

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

GNOME GLib versions prior to 2.66.8

Description

An issue was discovered in GNOME GLib when the g_file_replace() function is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink. It incorrectly creates the target of the symlink as an empty file, which could have security relevance if the symlink is attacker-controlled. If the path is a symlink to a file that already exists, the contents of that file remain unchanged. The vulnerability may allow a remote attacker to impact data integrity without requiring root privileges.

Recommendations

For GNOME GLib versions prior to 2.66.8, update to version 2.66.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the g_file_replace() function with G_FILE_CREATE_REPLACE_DESTINATION when handling dangling symlinks to minimize the risk of exploitation.
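The following C example is added here; it is not GLib's code and not part of the original advisory. Using plain POSIX calls, it shows how a caller can detect a dangling symlink and replace the destination by writing a temporary file and rename()-ing it over the path, so the link's target is never created. The function names and the /tmp scratch directory are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path is a symlink whose target does not exist, else 0. */
int is_dangling_symlink(const char *path) {
    struct stat lst, st;
    if (lstat(path, &lst) != 0 || !S_ISLNK(lst.st_mode)) return 0;
    return stat(path, &st) != 0;          /* stat() follows the link */
}

/* Write data to a temp file beside path, then rename() it over path.
 * rename() replaces the link itself, so the link target is never created.
 * (Hypothetical helper name; this is not a GLib function.) */
int replace_destination(const char *path, const char *data, size_t len) {
    char tmp[4096];
    int n = snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    if (n < 0 || (size_t)n >= sizeof tmp) return -1;
    int fd = mkstemp(tmp);                /* exclusive create, follows no link */
    if (fd < 0) return -1;
    int ok = write(fd, data, len) == (ssize_t)len && fsync(fd) == 0;
    ok = (close(fd) == 0) && ok;
    if (ok && rename(tmp, path) == 0) return 0;
    unlink(tmp);
    return -1;
}

/* Constructed scenario: "link" -> "target", where target is absent.
 * Returns 0 when the link was replaced by a regular file and the
 * target was not created; bit 1 = target created, bit 2 = link not replaced. */
int demo_dangling_case(void) {
    char dir[] = "/tmp/replace-demo-XXXXXX", link[4096], target[4096];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link) != 0) return -2;
    if (!is_dangling_symlink(link)) return -3;
    if (replace_destination(link, "new\n", 4) != 0) return -4;
    int target_created = (lstat(target, &st) == 0);
    int link_is_regular = (lstat(link, &st) == 0 && S_ISREG(st.st_mode));
    unlink(link); unlink(target); rmdir(dir);
    return (target_created ? 1 : 0) | (link_is_regular ? 0 : 2);
}

int main(void) { return demo_dangling_case(); }
```

mkstemp() creates the new file with mode 0600; a caller that needs different permissions should set them with fchmod() before the rename.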

Exploit

Fix

Link Following

Weakness Enumeration

Related Identifiers

ALSA-2021:4385
ALSA-2022:8418
ALT-PU-2021-1517
AZL-6439
BDU:2022-00320
CESA-2021_4385
CVE-2021-28153
DLA-3044-1
MGASA-2021-0162
MGASA-2021-0318
OESA-2021-1164
OPENSUSE-SU-2022_1455-1
OPENSUSE-SU-2023_0174-1
RHSA-2021:4385
RHSA-2021_4385
RHSA-2022:8418
RHSA-2022_8418
RLSA-2021:4385
SUSE-SU-2022:1455-1
SUSE-SU-2022:1455-2
SUSE-SU-2022:1758-1
SUSE-SU-2022:1758-2
SUSE-SU-2022_1455-1
SUSE-SU-2022_1455-2
SUSE-SU-2022_1758-1
SUSE-SU-2022_1758-2
SUSE-SU-2023:0174-1
SUSE-SU-2023:3535-1
SUSE-SU-2023_0174-1
SUSE-SU-2023_3535-1
USN-4764-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Gnome Glib
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu