Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!Close

CVE-2021-28153

Published: 11 March 2021

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)

Priority

Medium

Cvss 3 Severity Score

5.3

Score breakdown

Status

Package Release Status
glib2.0
Launchpad, Ubuntu, Debian
impish Not vulnerable
(2.68.0-1)
jammy Not vulnerable
(2.68.0-1)
lunar Not vulnerable
(2.68.0-1)
bionic
Released (2.56.4-0ubuntu0.18.04.8)
focal
Released (2.64.6-1~ubuntu20.04.3)
groovy
Released (2.66.1-2ubuntu0.2)
trusty Needed

upstream
Released (2.67.6)
xenial
Released (2.48.2-0ubuntu4.8)
hirsute Not vulnerable
(2.68.0-1)
kinetic Not vulnerable
(2.68.0-1)
mantic Not vulnerable
(2.68.0-1)
Patches:
upstream: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1981 (master)
upstream: https://gitlab.gnome.org/GNOME/glib/-/commit/c80528f17ba25ea7d7089946926b93a98bd1479e (master)
upstream: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1982 (2.66)
upstream: https://gitlab.gnome.org/GNOME/glib/-/commit/01c5468e10707cbf78e6e83bbcf1ce9c866f2885 (2.66)

Severity score breakdown

Parameter Value
Base score 5.3
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N