!33 fix CVE-2021-28153

From: @shirely16 Reviewed-by: @jinzhimin369,@jinzhimin369,@yanan-rock Signed-off-by: @yanan-rock
2021-04-13 15:52:35 +08:00 · 2021-04-13 15:52:35 +08:00 · e6e2aad444
commit e6e2aad444
parent bddd19278b d70445e8fd
7 changed files with 497 additions and 1 deletions
--- a/backport-0001-CVE-2021-28153.patch
+++ b/backport-0001-CVE-2021-28153.patch
@ -0,0 +1,28 @@
 From 78420a75aeb70569a8cd79fa0fea7b786b6f785f Mon Sep 17 00:00:00 2001
 From: Philip Withnall <pwithnall@endlessos.org>
 Date: Wed, 24 Feb 2021 17:33:38 +0000
 Subject: [PATCH 1/5] glocalfileoutputstream: Fix a typo in a comment
 Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
 Conflict:NA
 Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/01c5468e10707cbf78e6e83bbcf1ce9c866f2885
 ---
 gio/glocalfileoutputstream.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
 index f34c3e439..e3d31d6b3 100644
 --- a/gio/glocalfileoutputstream.c
 +++ b/gio/glocalfileoutputstream.c
@@ -854,7 +854,7 @@ handle_overwrite_open (const char    *filename,
   mode = mode_from_flags_or_info (flags, reference_info);
   /* We only need read access to the original file if we are creating a backup.
 -   * We also add O_CREATE to avoid a race if the file was just removed */
 +   * We also add O_CREAT to avoid a race if the file was just removed */
   if (create_backup || readable)
     open_flags = O_RDWR | O_CREAT | O_BINARY;
   else
 -- 
 GitLab
--- a/backport-0002-CVE-2021-28153.patch
+++ b/backport-0002-CVE-2021-28153.patch
@ -0,0 +1,43 @@
 From 32d3d02a50e7dcec5f4cf7908e7ac88d575d8fc5 Mon Sep 17 00:00:00 2001
 From: Philip Withnall <pwithnall@endlessos.org>
 Date: Wed, 24 Feb 2021 17:34:32 +0000
 Subject: [PATCH 2/5] tests: Stop using g_test_bug_base() in file tests
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Since a following commit is going to add a new test which references
 Gitlab, so it鈥檚 best to move the URI bases inside the test cases.
 Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
 Conflict:NA
 Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/01c5468e10707cbf78e6e83bbcf1ce9c866f2885
 ---
 gio/tests/file.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
 diff --git a/gio/tests/file.c b/gio/tests/file.c
 index d8769656c..39d51dadb 100644
 --- a/gio/tests/file.c
 +++ b/gio/tests/file.c
@@ -686,7 +686,7 @@ test_replace_cancel (void)
   guint count;
   GError *error = NULL;
 -  g_test_bug ("629301");
 +  g_test_bug ("https://bugzilla.gnome.org/629301");
   path = g_dir_make_tmp ("g_file_replace_cancel_XXXXXX", &error);
   g_assert_no_error (error);
@@ -1785,8 +1785,6 @@ main (int argc, char *argv[])
 {
   g_test_init (&argc, &argv, NULL);
 -  g_test_bug_base ("http://bugzilla.gnome.org/");
 -
   g_test_add_func ("/file/basic", test_basic);
   g_test_add_func ("/file/build-filename", test_build_filename);
   g_test_add_func ("/file/parent", test_parent);
 -- 
 GitLab
--- a/backport-0003-CVE-2021-28153.patch
+++ b/backport-0003-CVE-2021-28153.patch
@ -0,0 +1,59 @@
 From ce0eb088a68171eed3ac217cb92a72e36eb57d1b Mon Sep 17 00:00:00 2001
 From: Philip Withnall <pwithnall@endlessos.org>
 Date: Wed, 10 Mar 2021 16:05:55 +0000
 Subject: [PATCH 3/5] glocalfileoutputstream: Factor out a flag check
 This clarifies the code a little. It introduces no functional changes.
 Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
 Conflict:NA
 Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/01c5468e10707cbf78e6e83bbcf1ce9c866f2885
 ---
 gio/glocalfileoutputstream.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
 diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
 index beb8fee..8b087f7 100644
 --- a/gio/glocalfileoutputstream.c
 +++ b/gio/glocalfileoutputstream.c
@@ -847,6 +847,7 @@ handle_overwrite_open (const char    *filename,
   int res;
   int mode;
   int errsv;
 +  gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION);
   mode = mode_from_flags_or_info (flags, reference_info);
@@ -953,8 +954,8 @@ handle_overwrite_open (const char    *filename,
    * The second strategy consist simply in copying the old file
    * to a backup file and rewrite the contents of the file.
    */
 -  
 -  if ((flags & G_FILE_CREATE_REPLACE_DESTINATION) ||
 + 
 +   if (replace_destination_set || 
       (!(original_stat.st_nlink > 1) && !is_symlink))
     {
       char *dirname, *tmp_filename;
@@ -973,7 +974,7 @@ handle_overwrite_open (const char    *filename,
       /* try to keep permissions (unless replacing) */
 -      if ( ! (flags & G_FILE_CREATE_REPLACE_DESTINATION) &&
 +      if (!replace_destination_set &&
 	   (
 #ifdef HAVE_FCHOWN
 	    fchown (tmpfd, original_stat.st_uid, original_stat.st_gid) == -1 ||
@@ -1112,7 +1113,7 @@ handle_overwrite_open (const char    *filename,
 	}
     }
 -  if (flags & G_FILE_CREATE_REPLACE_DESTINATION)
 +  if (replace_destination_set)
     {
       g_close (fd, NULL);
 -- 
 2.23.0
--- a/backport-0004-CVE-2021-28153.patch
+++ b/backport-0004-CVE-2021-28153.patch
@ -0,0 +1,283 @@
 From 317b3b587058a05dca95d56dac26568c5b098d33 Mon Sep 17 00:00:00 2001
 From: Philip Withnall <pwithnall@endlessos.org>
 Date: Wed, 24 Feb 2021 17:36:07 +0000
 Subject: [PATCH 4/5] glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION
 with symlinks
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to unlinking
 the destination file and re-creating it from scratch. That did
 previously work, but in the process the code would call `open(O_CREAT)`
 on the file. If the file was a dangling symlink, this would create the
 destination file (empty). That鈥檚 not an intended side-effect, and has
 security implications if the symlink is controlled by a lower-privileged
 process.
 Fix that by not opening the destination file if it鈥檚 a symlink, and
 adjusting the rest of the code to cope with
 - the fact that `fd == -1` is not an error iff `is_symlink` is true,
 - and that `original_stat` will contain the `lstat()` results for the
   symlink now, rather than the `stat()` results for its target (again,
   iff `is_symlink` is true).
 This means that the target of the dangling symlink is no longer created,
 which was the bug. The symlink itself continues to be replaced (as
 before) with the new file 鈥<> this is the intended behaviour of
 `g_file_replace()`.
 The behaviour for non-symlink cases, or cases where the symlink was not
 dangling, should be unchanged.
 Includes a unit test.
 Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
 Fixes: #2325
 Conflict:NA
 Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/01c5468e10707cbf78e6e83bbcf1ce9c866f2885
 ---
 gio/glocalfileoutputstream.c |  65 +++++++++++++++------
 gio/tests/file.c             | 108 +++++++++++++++++++++++++++++++++++
 2 files changed, 156 insertions(+), 17 deletions(-)
 diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
 index 8b087f7..e6edb5e 100644
 --- a/gio/glocalfileoutputstream.c
 +++ b/gio/glocalfileoutputstream.c
@@ -875,16 +875,22 @@ handle_overwrite_open (const char    *filename,
       /* Could be a symlink, or it could be a regular ELOOP error,
        * but then the next open will fail too. */
       is_symlink = TRUE;
 -      fd = g_open (filename, open_flags, mode);
 +      if (!replace_destination_set)
 +        fd = g_open (filename, open_flags, mode);
     }
 -#else
 -  fd = g_open (filename, open_flags, mode);
 -  errsv = errno;
 +#else  /* if !O_NOFOLLOW */
   /* This is racy, but we do it as soon as possible to minimize the race */
   is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK);
 +
 +  if (!is_symlink || !replace_destination_set)
 +    {
 +      fd = g_open (filename, open_flags, mode);
 +      errsv = errno;
 +    }
 #endif
 -  if (fd == -1)
 +  if (fd == -1 &&
 +      (!is_symlink || !replace_destination_set))
     {
       char *display_name = g_filename_display_name (filename);
       g_set_error (error, G_IO_ERROR,
@@ -894,13 +900,26 @@ handle_overwrite_open (const char    *filename,
       g_free (display_name);
       return -1;
     }
 -  
 +
 +  if (!is_symlink)
 +    {  
 #ifdef G_OS_WIN32
 -  res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat);
 +      res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat);
 #else
 -  res = fstat (fd, &original_stat);
 +      res = fstat (fd, &original_stat);
 #endif
 -  errsv = errno;
 +      errsv = errno;
 +    }
 +  else
 +    {
 +#ifdef G_OS_WIN32
 +       res = GLIB_PRIVATE_CALL (g_win32_fstat) (filename, &original_stat);
 +#else
 +       res = fstat (filename, &original_stat);
 +#endif
 +       errsv = errno;
 +     }
 +
   if (res != 0)
     {
@@ -917,16 +936,27 @@ handle_overwrite_open (const char    *filename,
   if (!S_ISREG (original_stat.st_mode))
     {
       if (S_ISDIR (original_stat.st_mode))
 -	g_set_error_literal (error,
 -                             G_IO_ERROR,
 -                             G_IO_ERROR_IS_DIRECTORY,
 -                             _("Target file is a directory"));
 -      else
 -	g_set_error_literal (error,
 +        {
 +          g_set_error_literal (error,
 +                               G_IO_ERROR,
 +                               G_IO_ERROR_IS_DIRECTORY,
 +                               _("Target file is a directory"));
 +          goto err_out;
 +        }
 +      else if (!is_symlink ||
 +#ifdef S_ISLNK
 +               !S_ISLNK (original_stat.st_mode)
 +#else
 +               FALSE
 +#endif
 +               )
 +        {
 +          g_set_error_literal (error,
                              G_IO_ERROR,
                              G_IO_ERROR_NOT_REGULAR_FILE,
                              _("Target file is not a regular file"));
 -      goto err_out;
 +          goto err_out;
 +        }
     }
   if (etag != NULL)
@@ -1007,7 +1037,8 @@ handle_overwrite_open (const char    *filename,
 	    }
 	}
 -      g_close (fd, NULL);
 +      if (fd >= 0)
 +        g_close (fd, NULL);
       *temp_filename = tmp_filename;
       return tmpfd;
     }
 diff --git a/gio/tests/file.c b/gio/tests/file.c
 index d51ac6d..51b665f 100644
 --- a/gio/tests/file.c
 +++ b/gio/tests/file.c
@@ -804,6 +804,113 @@ test_replace_cancel (void)
   g_object_unref (tmpdir);
 }
 +static void
 +test_replace_symlink (void)
 +{
 +#ifdef G_OS_UNIX
 +  gchar *tmpdir_path = NULL;
 +  GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL;
 +  GFileOutputStream *stream = NULL;
 +  const gchar *new_contents = "this is a test message which should be written to source and not target";
 +  gsize n_written;
 +  GFileEnumerator *enumerator = NULL;
 +  GFileInfo *info = NULL;
 +  gchar *contents = NULL;
 +  gsize length = 0;
 +  GError *local_error = NULL;
 +
 +  g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2325");
 +  g_test_summary ("Test that G_FILE_CREATE_REPLACE_DESTINATION doesn’t follow symlinks");
 +
 +  /* Create a fresh, empty working directory. */
 +  tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX", &local_error);
 +  g_assert_no_error (local_error);
 +  tmpdir = g_file_new_for_path (tmpdir_path);
 +
 +  g_test_message ("Using temporary directory %s", tmpdir_path);
 +  g_free (tmpdir_path);
 +
 +  /* Create symlink `source` which points to `target`. */
 +  source_file = g_file_get_child (tmpdir, "source");
 +  target_file = g_file_get_child (tmpdir, "target");
 +  g_file_make_symbolic_link (source_file, "target", NULL, &local_error);
 +  g_assert_no_error (local_error);
 +
 +  /* Ensure that `target` doesn’t exist */
 +  g_assert_false (g_file_query_exists (target_file, NULL));
 +
 +  /* Replace the `source` symlink with a regular file using
 +   * %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it *without*
 +   * following the symlink */
 +  stream = g_file_replace (source_file, NULL, FALSE  /* no backup */,
 +                           G_FILE_CREATE_REPLACE_DESTINATION, NULL, &local_error);
 +  g_assert_no_error (local_error);
 +
 +  g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents, strlen (new_contents),
 +                             &n_written, NULL, &local_error);
 +  g_assert_no_error (local_error);
 +  g_assert_cmpint (n_written, ==, strlen (new_contents));
 +
 +  g_output_stream_close (G_OUTPUT_STREAM (stream), NULL, &local_error);
 +  g_assert_no_error (local_error);
 +
 +  g_clear_object (&stream);
 +
 +  /* At this point, there should still only be one file: `source`. It should
 +   * now be a regular file. `target` should not exist. */
 +  enumerator = g_file_enumerate_children (tmpdir,
 +                                          G_FILE_ATTRIBUTE_STANDARD_NAME ","
 +                                          G_FILE_ATTRIBUTE_STANDARD_TYPE,
 +                                          G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error);
 +  g_assert_no_error (local_error);
 +
 +  info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
 +  g_assert_no_error (local_error);
 +  g_assert_nonnull (info);
 +
 +  g_assert_cmpstr (g_file_info_get_name (info), ==, "source");
 +  g_assert_cmpint (g_file_info_get_file_type (info), ==, G_FILE_TYPE_REGULAR);
 +
 +  g_clear_object (&info);
 +
 +  info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
 +  g_assert_no_error (local_error);
 +  g_assert_null (info);
 +
 +  g_file_enumerator_close (enumerator, NULL, &local_error);
 +  g_assert_no_error (local_error);
 +  g_clear_object (&enumerator);
 +
 +  /* Double-check that `target` doesn’t exist */
 +  g_assert_false (g_file_query_exists (target_file, NULL));
 +
 +  /* Check the content of `source`. */
 +  g_file_load_contents (source_file,
 +                        NULL,
 +                        &contents,
 +                        &length,
 +                        NULL,
 +                        &local_error);
 +  g_assert_no_error (local_error);
 +  g_assert_cmpstr (contents, ==, new_contents);
 +  g_assert_cmpuint (length, ==, strlen (new_contents));
 +  g_free (contents);
 +
 +  /* Tidy up. */
 +  g_file_delete (source_file, NULL, &local_error);
 +  g_assert_no_error (local_error);
 +
 +  g_file_delete (tmpdir, NULL, &local_error);
 +  g_assert_no_error (local_error);
 +
 +  g_clear_object (&target_file);
 +  g_clear_object (&source_file);
 +  g_clear_object (&tmpdir);
 +#else  /* if !G_OS_UNIX */
 +  g_test_skip ("Symlink replacement tests can only be run on Unix")
 +#endif
 +}
 +
 static void
 on_file_deleted (GObject      *object,
 		 GAsyncResult *result,
@@ -1752,6 +1859,7 @@ main (int argc, char *argv[])
   g_test_add_data_func ("/file/async-create-delete/4096", GINT_TO_POINTER (4096), test_create_delete);
   g_test_add_func ("/file/replace-load", test_replace_load);
   g_test_add_func ("/file/replace-cancel", test_replace_cancel);
 +  g_test_add_func ("/file/replace-symlink", test_replace_symlink);
   g_test_add_func ("/file/async-delete", test_async_delete);
 #ifdef G_OS_UNIX
   g_test_add_func ("/file/copy-preserve-mode", test_copy_preserve_mode);
 -- 
 2.23.0
--- a/backport-0005-CVE-2021-28153.patch
+++ b/backport-0005-CVE-2021-28153.patch
@ -0,0 +1,56 @@
 From 6c6439261bc7a8a0627519848a7222b3e1bd4ffe Mon Sep 17 00:00:00 2001
 From: Philip Withnall <pwithnall@endlessos.org>
 Date: Wed, 24 Feb 2021 17:42:24 +0000
 Subject: [PATCH 5/5] glocalfileoutputstream: Add a missing O_CLOEXEC flag to
 replace()
 Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
 Conflict:NA
 Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/01c5468e10707cbf78e6e83bbcf1ce9c866f2885
 ---
 gio/glocalfileoutputstream.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
 diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
 index a2c7e3cc0..4c512ea81 100644
 --- a/gio/glocalfileoutputstream.c
 +++ b/gio/glocalfileoutputstream.c
@@ -63,6 +63,12 @@
 #define O_BINARY 0
 #endif
 +#ifndef O_CLOEXEC
 +#define O_CLOEXEC 0
 +#else
 +#define HAVE_O_CLOEXEC 1
 +#endif
 +
 struct _GLocalFileOutputStreamPrivate {
   char *tmp_filename;
   char *original_filename;
@@ -1239,7 +1245,7 @@ _g_local_file_output_stream_replace (const char        *filename,
   sync_on_close = FALSE;
   /* If the file doesn't exist, create it */
 -  open_flags = O_CREAT | O_EXCL | O_BINARY;
 +  open_flags = O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC;
   if (readable)
     open_flags |= O_RDWR;
   else
@@ -1269,8 +1275,11 @@ _g_local_file_output_stream_replace (const char        *filename,
       set_error_from_open_errno (filename, error);
       return NULL;
     }
 -  
 - 
 +#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD)
 +  else
 +    fcntl (fd, F_SETFD, FD_CLOEXEC);
 +#endif
 +
   stream = g_object_new (G_TYPE_LOCAL_FILE_OUTPUT_STREAM, NULL);
   stream->priv->fd = fd;
   stream->priv->sync_on_close = sync_on_close;
 -- 
 GitLab
--- a/backport-CVE-2021-27219.patch
+++ b/backport-CVE-2021-27219.patch
@ -21,6 +21,9 @@ Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
 Helps: GHSL-2021-045
 Helps: #2319
 reason:Fix CVE-2021-27219
 Conflict:NA
 Reference:https://gitlab.gnome.org/GNOME/glib/-/commit/20cfc75d148e3be0c026cc7eff3a9cdb72bf5c56
 diff -Naur a/docs/reference/glib/glib-sections.txt b/docs/reference/glib/glib-sections.txt
@ -790,3 +793,16 @@ diff -Naur a/gobject/tests/param.c b/gobject/tests/param.c
             g_test_add_data_func_full (test_path, test_data, test_param_implement_child, g_free);
             g_free (test_path);
           }
 diff -Naur a/gio/gwin32appinfo.c b/gio/gwin32appinfo.c
 index 9f335b3..2a0fe38 100644
 --- a/gio/gwin32appinfo.c
 +++ b/gio/gwin32appinfo.c
@@ -472,7 +472,7 @@ g_wcsdup (const gunichar2 *str, gssize str_size)
       str_size = wcslen (str) + 1;
       str_size *= sizeof (gunichar2);
     }
 -  return g_memdup (str, str_size);
 +  return g_memdup2 (str, str_size);
 }
 #define URL_ASSOCIATIONS L"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\"
--- a/glib2.spec
+++ b/glib2.spec
@ -1,6 +1,6 @@
 Name:           glib2
 Version:        2.62.5
-Release:        4
+Release:        5
 Summary:        The core library that forms the basis for projects such as GTK+ and GNOME
 License:        LGPLv2+
 URL:            http://www.gtk.org
@ -10,6 +10,11 @@ Patch9001:      fix-accidentally-delete-temp-file-within-dtrace.patch
 Patch6000:      backport-CVE-2020-35457.patch 
 Patch6001:      backport-CVE-2021-27218.patch
 Patch6002:      backport-CVE-2021-27219.patch
 Patch6003:      backport-0001-CVE-2021-28153.patch
 Patch6004:      backport-0002-CVE-2021-28153.patch
 Patch6005:      backport-0003-CVE-2021-28153.patch
 Patch6006:      backport-0004-CVE-2021-28153.patch
 Patch6007:      backport-0005-CVE-2021-28153.patch
 BuildRequires:  chrpath gcc gcc-c++ gettext gtk-doc perl-interpreter
 BUildRequires:  glibc-devel libattr-devel libselinux-devel meson
@ -146,6 +151,12 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %doc %{_datadir}/gtk-doc/html/*
 %changelog
 * Tue Apr 13 2021 hanhui<hanhui15@huawei.com> - 2.62.5-5
 - Type:cve
 - Id:CVE-2021-28153
 - SUG:NA
 - DESC:fix CVE-2021-28153
 * Sat Mar 6 2021 hanhui<hanhui15@huawei.com> - 2.62.5-4
 - Type:cve
 - Id:CVE-2021-27219