CVE-2009-3289 — Incorrect Permission Assignment in Glib

CWE-732 — Incorrect Permission Assignment8 documents8 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 77.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Glib Opensuse Suse Linux Enterprise Server

Timeline

PublishedSep 22

Latest updateMay 2

Description

The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDgnome/glib2.0

▶NVDopensuse/opensuse11.0, 11.1+1

▶NVDsuse/suse_linux_enterprise_server11

🔴Vulnerability Details

GHSA

GHSA-q7q8-g4m3-j3pq: The g_file_copy function in glib 2↗2022-05-02

▶

OSV

CVE-2009-3289: The g_file_copy function in glib 2↗2009-09-22

▶

CVEList

CVE-2009-3289: The g_file_copy function in glib 2↗2009-09-22

▶

📋Vendor Advisories

Ubuntu

GLib vulnerability↗2009-10-05

▶

Red Hat

glib2: folder | symlink permissions change after copy via nautilus↗2009-08-28

▶

Debian

CVE-2009-3289: glib2.0 - The g_file_copy function in glib 2.0 sets the permissions of a target file to th...↗2009

▶

💬Community

Bugzilla

CVE-2009-3289 glib2: folder | symlink permissions change after copy via nautilus↗2009-09-22

▶