Backport CVE-2021-28153 symlink fix to GLib 2.58
Debian 10 contains GLib 2.58 and is supported for a bit more than 1 more year, so I need to backport the CVE-2021-28153 symlink attack fix to that version. Similar to !2000 (merged), I'd like to do this upstream.
I do not intend this to imply any particular upstream support for GLib 2.58, and in particular I don't plan to make any new GLib 2.58.x releases.
-
glocalfileoutputstream: Fix a typo in a comment
From: @pwithnall
Trivial cherry-pick of 78420a75
-
tests: Stop using g_test_bug_base() in file tests
From: @pwithnall
A following commit is going to add a new test which references GitLab, so it’s best to move the URI bases inside the test cases.
Backported to GLib 2.58 by Simon McVittie.
Signed-off-by: @pwithnall
(cherry-picked from commit 32d3d02a)
[GLib 2.58.x did not allow g_test_bug() without g_test_bug_base(),
so use an empty string as the base]
Signed-off-by: @smcv
-
glocalfileoutputstream: Factor out a flag check
From: @pwithnall
Cherry-pick of ce0eb088, applies after resolving simple conflicts (an adjacent line changed).
-
glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION with symlinks
From: @pwithnall
Resolves CVE-2021-28153 (#2325 (closed)). Backported to GLib 2.58 by Simon McVittie.
Signed-off-by: @pwithnall
(cherry-picked from commit 317b3b58)
[Backport to 2.58.x: replace g_local_file_fstat with fstat]
[Backport to 2.58.x: replace g_local_file_lstat with lstat]
[Backport to 2.58.x: replace _g_stat_mode with direct access to st_mode]
[Backport to 2.58.x: don't call g_test_summary()]
Signed-off-by: @smcv
-
glocalfileoutputstream: Add a missing O_CLOEXEC flag to replace()
From: @pwithnall
Trivial cherry-pick of 6c643926