Package: libglib2.0-0
Version: 2.66.7-1
Severity: important
Tags: security fixed-upstream
Forwarded: https://gitlab.gnome.org/GNOME/glib/-/issues/2325
Control: affects -1 file-roller
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably be security-sensitive if the symlink is attacker-controlled. This is fixed in the upstream glib-2-66 branch.

Mitigation: creating a non-empty file does not appear to be possible, and overwriting an existing file via a non-dangling symlink also does not appear to be possible.

This can affect GNOME's file-roller, and probably other GLib-based unarchivers, when unpacking an attacker-controlled archive.

I've requested a CVE ID from MITRE.

smcv
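
An added regression check for the "replace destination" semantics described in the report, written with plain POSIX calls; it is not GLib's code or the upstream fix. All function names are hypothetical, and `naive_replace` is only a generic contrast showing how opening a path with `O_CREAT` follows a dangling symlink, not the actual GLib code path.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Replace the directory entry `path` itself: write a sibling temp file, then
 * rename() it over the path. rename() swaps out a symlink, not its target. */
int replace_destination(const char *path, const char *data, size_t len)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);            /* exclusive create, never follows a link */
    if (fd < 0) return -1;
    int ok = write(fd, data, len) == (ssize_t)len;
    ok = (close(fd) == 0) && ok;
    if (!ok || rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Contrast: opening the path with O_CREAT follows a dangling symlink. */
int naive_replace(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, data, len) == (ssize_t)len;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Constructed scenario: <tmpdir>/link -> missing <tmpdir>/target; 1 if target exists after. */
int target_created_after(int (*writer)(const char *, const char *, size_t))
{
    char dir[] = "/tmp/dangling-demo.XXXXXX", link_path[64], target[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(link_path, sizeof link_path, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link_path) != 0 || writer(link_path, "data", 4) != 0) return -1;
    int created = lstat(target, &st) == 0;   /* did the write reach the link target? */
    unlink(link_path); unlink(target); rmdir(dir);
    return created;
}

int main(void)
{
    printf("rename-based replace created target: %d\n", target_created_after(replace_destination));
    printf("open(O_CREAT) on the path created target: %d\n", target_created_after(naive_replace));
    return 0;
}
```

The same `target_created_after` check can be pointed at any writer with this signature to confirm that a replace operation never touches the symlink's target.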