read from relative path in g_printerr() in 2.58.3
Tested Version: 2.58.3
I work with Debian "buster" (4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux) and tested only the version that comes with it. Not sure if this issue is Debian-specific or not; I got confused by how GLIB_CHARSETALIAS_DIR ends up being defined in the build process.
Problem: _g_locale_get_charset_aliases() in glib/libcharset/localcharset.c reads from the (compile-time) hardcoded relative path "lib/x86_64-linux-gnu/charset.alias"; this should be the absolute path "/lib/x86_64-linux-gnu/charset.alias".
The bug manifests, for example, in the setuid /usr/bin/pkexec from policykit-1, which uses the library:
/tmp$ mkdir -p lib/x86_64-linux-gnu
/tmp$ ln -s /dev/tty1 lib/x86_64-linux-gnu/charset.alias
/tmp$ /usr/bin/pkexec /bin/id
Press "cancel" on the window that appears; pkexec now tries to print an error message using g_printerr() from glib2.0, and in the process reads the file linked to with root privileges. In the case of a tty this amounts to a denial of service for a user working on that tty.
A trace of the process shows the problematic open:
...
openat(AT_FDCWD, "lib/x86_64-linux-gnu/charset.alias", O_RDONLY) = 8
...
Walter Misar
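
A defensive way to open a file such as charset.alias, as an added example (not glib's code and not the project's fix): it rejects a non-absolute directory, which is the case visible in the trace above, and refuses a symlink or non-regular file such as the tty in the reproduction. The names `open_alias_file` and `run_cases` are hypothetical, and the scratch directory under /tmp is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open <dir>/charset.alias; returns fd, or -1 with errno set. */
int open_alias_file(const char *dir)
{
    char path[4096];
    struct stat st;
    int fd, n;
    if (dir == NULL || dir[0] != '/') { /* relative dir resolves against the CWD */
        errno = EINVAL;
        return -1;
    }
    n = snprintf(path, sizeof path, "%s/charset.alias", dir);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    /* O_NOFOLLOW refuses a symlinked file; O_NONBLOCK avoids hanging on a device. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { /* regular files only */
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a scratch dir; a set bit means the case was accepted. */
int run_cases(void)
{
    char top[] = "/tmp/aliasdemoXXXXXX", dir[64];
    int mask = 0, fd;
    if (!mkdtemp(top) || chdir(top) || mkdir("good", 0700) || mkdir("link", 0700))
        return -1;
    if ((fd = open("good/charset.alias", O_CREAT | O_WRONLY, 0600)) < 0 || close(fd)
        || symlink("/dev/null", "link/charset.alias"))
        return -1;
    if ((fd = open_alias_file("good")) >= 0) { mask |= 1; close(fd); } /* relative */
    snprintf(dir, sizeof dir, "%s/good", top);
    if ((fd = open_alias_file(dir)) >= 0) { mask |= 2; close(fd); }    /* absolute */
    snprintf(dir, sizeof dir, "%s/link", top);
    if ((fd = open_alias_file(dir)) >= 0) { mask |= 4; close(fd); }    /* symlink */
    return mask;
}

int main(void) { printf("accepted mask: %d\n", run_cases()); return 0; }
```

Only the absolute path to a regular file is accepted, even though the relative path "good/charset.alias" exists in the current directory when the first case runs.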