Risk | Low |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2021-27219, CVE-2019-13012, CVE-2019-12450 |
CWE-ID | CWE-190, CWE-276, CWE-264 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | Anolis OS (Operating systems & Components / Operating system); glib2-tests, glib2-fam, glib2-devel, glib2 (Operating systems & Components / Operating system package or component) |
Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU51456
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-27219
CWE-ID: CWE-190 - Integer overflow
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an integer overflow in the g_bytes_new() function on 64-bit platforms, caused by an implicit cast from 64 bits to 32 bits. A local user can run a specially crafted program to trigger the integer overflow and execute arbitrary code with elevated privileges.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Anolis OS: 8
glib2-tests: before 2.56.4-10
glib2-fam: before 2.56.4-10
glib2-devel: before 2.56.4-10
glib2: before 2.56.4-10
https://anas.openanolis.cn/errata/detail/ANSA-2021:0031
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU18944
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-13012
CWE-ID: CWE-276 - Incorrect Default Permissions
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for files and folders that are set by the application. A local user with access to the system can view the contents of files and directories or modify them.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Anolis OS: 8
glib2-tests: before 2.56.4-10
glib2-fam: before 2.56.4-10
glib2-devel: before 2.56.4-10
glib2: before 2.56.4-10
https://anas.openanolis.cn/errata/detail/ANSA-2021:0031
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU18658
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-12450
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists because the application applies default directory permissions to files while copying them in the file_copy_fallback() function in gio/gfile.c. A local user can interfere with the copying operation and gain access to otherwise restricted files, as the application applies the correct access permissions only after the file has been copied.
Such application behavior allows a local user to access potentially sensitive data or modify file contents if the directory permissions that were applied to the file allow such operations.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Anolis OS: 8
glib2-tests: before 2.56.4-10
glib2-fam: before 2.56.4-10
glib2-devel: before 2.56.4-10
glib2: before 2.56.4-10
https://anas.openanolis.cn/errata/detail/ANSA-2021:0031
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.