An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink it incorrectly also creates the target of the symlink as an empty file which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists then the contents of that file correctly remain unchanged.)

🗓️ 23 Mar 2021 07:00:00Reported by MicrosoftType

mscve

mscve🔗 msrc.microsoft.com👁 3 Views

GNOME GLib before 2.66.8: g_file_replace on a dangling symlink creates an empty target file.

Reporter	Title	Published	Views	Family All 153
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities fixed in Cloud Pak for Automation components	19 Jan 202216:26	–	ibm
IBM Security Bulletins	Security Bulletin: Cloud Pak for Security uses packages that are vulnerable to multiple CVEs	29 Apr 202502:13	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities	19 Jan 202313:54	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities	25 Apr 202214:44	–	ibm
Tenable Nessus	Amazon Linux 2 : glib2 (ALAS-2024-2487)	5 Mar 202400:00	–	nessus
Tenable Nessus	Amazon Linux AMI : glib2 (ALAS-2023-1742)	4 May 202300:00	–	nessus
Tenable Nessus	AlmaLinux 8 : glib2 (ALSA-2021:4385)	9 Feb 202200:00	–	nessus
Tenable Nessus	AlmaLinux 9 : mingw-glib2 (ALSA-2022:8418)	19 Nov 202200:00	–	nessus
Tenable Nessus	CentOS 8 : glib2 (CESA-2021:4385)	11 Nov 202100:00	–	nessus
Tenable Nessus	Debian DLA-3044-1 : glib2.0 - LTS security update	6 Jun 202200:00	–	nessus

Vulners

Node

microsoft cbl2_glib_2.60.1-5Range<2.60.1-5

16 Dec 2021 08:00Current

9.2High risk

Vulners AI Score9.2

CVSS 25

CVSS 3.15.3

EPSS0.00728

gnome glib bug dangling symlink g_file_replace empty target file security risk