Control: tags -1 + confirmed d-i

On Sat, 2021-03-27 at 17:21 +0000, Simon McVittie wrote:
> Backport security fixes from testing/unstable. The security team say
> they do not intend to issue a DSA for these.
>
> [ Impact ]
> * CVE-2021-28153: symlink attack allowing an attacker to create an empty
>   regular file in a location of their choice when a malicious archive is
>   unpacked with file-roller
> * CVE-2021-27219: integer overflow that can cause at least a crash (DoS),
>   and maybe code execution, in a setuid program from policykit-1
> * CVE-2021-27218: another integer overflow, not known to be exploitable
> * various other integer overflows fixed at the same time as CVE-2021-27219,
>   which are not known to be exploitable
>
> Please see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984969#26 if
> more information is required.
>
> [ Tests ]
> I'm trying the proposed version with normal use on a GNOME laptop and
> some servers. The autopkgtests are fairly extensive, and still pass,
> including new coverage for CVE-2021-28153. The proof-of-concept
> exploits for CVE-2021-27219 and CVE-2021-28153 also now fail.
Apologies for letting this fall through the cracks for a while.

As glib2.0 produces a udeb, this will need a KiBi-ack, so CCing and
tagging appropriately.

Regards,

Adam
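The integer-overflow entries in the quoted [ Impact ] list are all instances of one bug class: a buffer length held in a 64-bit `gsize` being passed through a helper whose parameter is a 32-bit `guint`, so that a size above 4 GiB is silently truncated, a small buffer is allocated, and the object still records the full size. CVE-2021-27219 was exactly that narrowing in `g_memdup()`, which is why GLib introduced the width-preserving `g_memdup2()`. The following C program is an added illustration of that class and is not code from GLib, from the thread, or from the Debian packaging: the `Bytes` struct, the `memdup_u32`/`memdup_sz` helpers and the `SIZE_MAX / 2` bound (standing in for the signed-size limit GLib enforces) are constructions of this example, and the truncation only manifests on an LP64 platform where `size_t` is wider than `unsigned int`.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative container modelled loosely on a byte array; not GLib's GBytes. */
typedef struct {
    unsigned char *data;
    size_t len;        /* size the caller believes the buffer holds */
    size_t alloc_len;  /* bytes actually allocated; tracked only to make the mismatch visible */
} Bytes;

/* Vulnerable helper: the length parameter is 32-bit, like the old g_memdup(). */
static void *memdup_u32(const void *src, unsigned int n)
{
    void *dst = malloc(n ? n : 1);
    if (dst && src && n)
        memcpy(dst, src, n);
    return dst;
}

/* Vulnerable constructor: size_t is silently narrowed at the call site.
 * On LP64, size = 0x100000001 becomes n = 1: one byte is allocated, but
 * len still records the full size, so any later access up to len overruns. */
Bytes *bytes_new_vulnerable(const void *data, size_t size)
{
    Bytes *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->data = memdup_u32(data, size);       /* implicit gsize -> guint conversion */
    if (!b->data) { free(b); return NULL; }
    b->alloc_len = (unsigned int)size;      /* what was really allocated */
    b->len = size;                          /* what the object claims */
    return b;
}

/* Width-preserving helper, the shape of g_memdup2(). */
static void *memdup_sz(const void *src, size_t n)
{
    void *dst = malloc(n ? n : 1);
    if (dst && src && n)
        memcpy(dst, src, n);
    return dst;
}

/* Hardened constructor: the same width end to end plus an explicit upper bound.
 * SIZE_MAX / 2 is this example's stand-in for the signed-size limit GLib uses. */
Bytes *bytes_new_checked(const void *data, size_t size)
{
    if (size > SIZE_MAX / 2) return NULL;   /* refuse before touching the allocator */
    Bytes *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->data = memdup_sz(data, size);
    if (!b->data) { free(b); return NULL; }
    b->alloc_len = size;
    b->len = size;
    return b;
}

/* Bounds-checked read against the real allocation; returns -1 where the
 * vulnerable object, trusting len, would have read out of bounds. */
int bytes_get(const Bytes *b, size_t idx, unsigned char *out)
{
    if (!b || !out || idx >= b->alloc_len) return -1;
    *out = b->data[idx];
    return 0;
}

void bytes_free(Bytes *b)
{
    if (b) { free(b->data); free(b); }
}

/* Returns 1 when the vulnerable path records more bytes than it allocated. */
int demo_truncation(void)
{
    unsigned char src[4] = {0xde, 0xad, 0xbe, 0xef}; /* constructed input */
    size_t huge = (size_t)UINT_MAX + 2;              /* truncates to 1 on LP64 */
    unsigned char c;
    Bytes *v = bytes_new_vulnerable(src, huge);
    int mismatch = v && v->len != v->alloc_len && bytes_get(v, 3, &c) == -1;
    bytes_free(v);
    return mismatch;
}

/* Returns 1 when the hardened path round-trips a small buffer correctly. */
int demo_checked_roundtrip(void)
{
    unsigned char src[3] = {1, 2, 3};                /* constructed input */
    unsigned char c = 0;
    Bytes *b = bytes_new_checked(src, sizeof src);
    int ok = b && b->len == 3 && b->alloc_len == 3
             && bytes_get(b, 2, &c) == 0 && c == 3
             && bytes_get(b, 3, &c) == -1;
    bytes_free(b);
    return ok;
}

int main(void)
{
    printf("vulnerable path mis-sizes: %d\n", demo_truncation());
    printf("checked path rejects SIZE_MAX: %d\n", bytes_new_checked(NULL, SIZE_MAX) == NULL);
    printf("checked path round-trips: %d\n", demo_checked_roundtrip());
    return 0;
}
```

The practical check for a backport of this kind is the one the quoted message describes: run the proof-of-concept against the patched library and confirm it no longer produces a mis-sized object. In code review, the equivalent is grepping for every helper that takes a 32-bit length and is reachable with a `gsize` argument, which is how the "various other integer overflows" in the list were found alongside CVE-2021-27219.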