From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp2 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id eTGQElqySmDFbwAA0tVLHw
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 12 Mar 2021 00:14:18 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2 with LMTPS
	id 2DLxDVqySmBiegAAB5/wlQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 12 Mar 2021 00:14:18 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id E4B892677D
	for <larch@yhetil.org>; Fri, 12 Mar 2021 01:14:17 +0100 (CET)
Received: from localhost ([::1]:34066 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1lKVRZ-0003Rq-4i
	for larch@yhetil.org; Thu, 11 Mar 2021 19:14:17 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:44026)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lKVRP-0003R5-JC
 for guix-devel@gnu.org; Thu, 11 Mar 2021 19:14:07 -0500
Received: from mail.zaclys.net ([178.33.93.72]:53341)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lKVRN-00023w-2W
 for guix-devel@gnu.org; Thu, 11 Mar 2021 19:14:07 -0500
Received: from guix-xps.local (82-64-145-38.subs.proxad.net [82.64.145.38])
 (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12C0E1Xt007546
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Fri, 12 Mar 2021 01:14:01 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12C0E1Xt007546
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@zaclys.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1615508041;
 bh=0qMMcHjCdzTmDnruz9tj3NoY/IYLWGuRrHn2iQPK/U0=;
 h=Subject:From:To:Cc:Date:From;
 b=Q+qTdPazdKvyktbp3xfnPgN85octXjqfxHdrj8ieT5dW+G8wyWLGVXuQLaeMRxmbi
 0EWCiucu9jrMGAhcapjaK9ezfWAMBV4XiVoVIGax3HFtgIGlrPjXih4PMYvVTlW8JS
 N3Es+yVbwD3Xxqqa+waZdc4IpodDT6J1Vquw4wuE=
Message-ID: <06afa3e1bb17c67da1c41716537a8e202481066c.camel@zaclys.net>
Subject: glib vulnerable to CVE-2021-28153
From: =?ISO-8859-1?Q?L=E9o?= Le Bouter <lle-bout@zaclys.net>
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org
Date: Fri, 12 Mar 2021 01:13:56 +0100
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-FkYpbwJd+NyvU3+4UikN"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1615508058;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=0qMMcHjCdzTmDnruz9tj3NoY/IYLWGuRrHn2iQPK/U0=;
	b=P7M+oJigRZ9LXQDGU/PfQXAMA6hJ0OyGa8Jm3kOChOwvlloSbJtWxOrnvBa7G2xP1tioVo
	gAktbNkdb3R/nmCeQtF7tJR/5yWGwqOyBzcnX0W0QPd7KA8o+o6rAmkNkeoM9o6b1gTdZl
	bzQYqVG20VO3+1wrJJd/a4HCJVAOyGEVULk2ajGwCwzg52BfjF3GXZiF8bfpLI3LG9pC5+
	oVzVUvPkbLiVKQSSlUSkBgRXi3zBzREEpwglhyu31RemP4yuzDg4RZJ0fIIX3XFbZNSXgk
	zVy/uuBIZgct83YNUPTpXlORSBp6F42wroSDPaYxt/vGSclnU8i0a41S0laGqQ==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1615508058; a=rsa-sha256; cv=none;
	b=Gf9WiPeQYvYDCxsCCGsk24av0EcN1X4FHQJCuzbVfGh1mdHW7x+cw9PWcijIhBedxSr+LN
	Qe6SF8AQ28aNlKg6JbRZnP1bUAuliB8BXZ07vM0IQWyRsqiptAbxdNaaHbFE/44TxDhb2J
	ohsbxl55q0kXQ5Gkcan/xsrRFt+j7ul4KgDYO7yJkIJcECCZ+AzrLfA51UwOlnSIJiM+yo
	NgIrvICAxWeQX6bZ7+hdJ4fzvg1MKdvp1hyM4gwvjqWqbXom7e9GP+eIYwH7poxKSrh0vC
	6HraaWO6XFarM88iaYSQY+XF3xcSUhO9nd8mNxjNfcQ3OkDxSpuSHBNJLLCiCQ==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=zaclys.net header.s=default header.b=Q+qTdPaz;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Spam-Score: -5.19
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=zaclys.net header.s=default header.b=Q+qTdPaz;
	dmarc=pass (policy=reject) header.from=zaclys.net;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Queue-Id: E4B892677D
X-Spam-Score: -5.19
X-Migadu-Scanner: scn0.migadu.com
X-TUID: 6fBy1Efarlrf


--=-FkYpbwJd+NyvU3+4UikN
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello!

CVE-2021-28153	11.03.21 23:15
An issue was discovered in GNOME GLib before 2.66.8. When
g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to
replace a path that is a dangling symlink, it incorrectly also creates
the target of the symlink as an empty file, which could conceivably
have security relevance if the symlink is attacker-controlled. (If the
path is a symlink to a file that already exists, then the contents of
that file correctly remain unchanged.)

Another CVE just out,

See: https://gitlab.gnome.org/GNOME/glib/-/issues/2325

We need to backport another patch again it seems?

Thank you,
L=C3=A9o

--=-FkYpbwJd+NyvU3+4UikN
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBKskQACgkQRaix6GvN
EKYxFA//S7vT4rBPNTa5U8zOGTFdu1V+4Ii3/lYCmexsAlW0u8SSxQ9EYFjjsdM3
Pb8OaYn4TUV4DH/AoBWwVUibQBfd68pGNUITmEoizBifI4EPzB8AH/aUp9po2WOl
o7hTxN2jfV9KOkrbJja7ydH8iaSYmZroOsZy4lOcTLIuFJ+XWj8xo6zFjTY9Mjci
LAs8t/OZq6rd7xX5l+5HALMshHHWkW3iuwJ2sNokt6i3P8iXqOk8/+VjcWvUNcPD
s6RT3D6CevnT7VAU+rYXbGxUdqhVep4JXF1/gY0GC3/UdBmniEnh+KxneWkIEVtb
A5JrZkVPFEa8DwtwUmfHoLbObdWn6eefXbg47mquligQOa91qz1zFpIc6uuHnZNk
e1fY2MUsqzQX7lR4tlL0gTj3dzaUKf3jucE9t4D9d5ar4FaClcVNB1+1Z/TDjw3X
w1bB5PGRzwe7fUlPGV1sySgRUcP35CaBqUfp9rXzzwTXHYyHohi5e1AIJiN8+izZ
d5Jep7mjyS46+UNOmA0SEplu1GlhLZJLfZJBXrWiac+Q4dfVffIa4/1/j1OdJovm
pC5QggrZkK7YQqKIEMhH2KB3InSaHUA81rjTQPrtdkEO73HZExMtqgwSPY0WqVam
nX+fhwdshnEZ8RLcsTZJaOaHI/ICMWu80Xy4t/b/YHJY7O9Q+PM=
=A7It
-----END PGP SIGNATURE-----

--=-FkYpbwJd+NyvU3+4UikN--