Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package glib2.0

[ Reason ]
Fix a symlink attack in file-roller (CVE-2021-28153)

[ Impact ]
Unpacking a malicious archive with file-roller (or other users of the
gnome-autoar library) could result in creation of an empty regular file
in an attacker-controlled location. Other code that uses a specific GLib
API call to replace a dangling symlink with a regular file could be
affected similarly.

(This has a CVE ID, but is not *that* serious: arbitrary file overwrite
doesn't seem to be possible.)

[ Tests ]
The proposed patch includes new test coverage, which gets run at
build-time and in the autopkgtests. I also tried the proof-of-concept
provided on the upstream bug, which now fails.

[ Risks ]
This is a key package and a dependency of many high-visibility packages,
but the changes are reasonably straightforward, have test coverage and
have been reviewed.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock glib2.0/2.66.7-2