Vulnerability Description
The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnome | Glib | 2.0 |
| Opensuse | Opensuse | 11.0 |
| Suse | Suse Linux Enterprise Server | 11 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00006.htmlThird Party Advisory
- http://secunia.com/advisories/39656Broken Link
- http://www.openwall.com/lists/oss-security/2009/09/08/8Mailing List
- http://www.vupen.com/english/advisories/2010/1001Permissions Required
- https://bugs.launchpad.net/ubuntu/+source/glib2.0/+bug/418135ExploitIssue Tracking
- https://bugzilla.gnome.org/show_bug.cgi?id=593406ExploitIssue Tracking
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00006.htmlThird Party Advisory
- http://secunia.com/advisories/39656Broken Link
- http://www.openwall.com/lists/oss-security/2009/09/08/8Mailing List
- http://www.vupen.com/english/advisories/2010/1001Permissions Required
- https://bugs.launchpad.net/ubuntu/+source/glib2.0/+bug/418135ExploitIssue Tracking
- https://bugzilla.gnome.org/show_bug.cgi?id=593406ExploitIssue Tracking
FAQ
What is CVE-2009-3289?
CVE-2009-3289 is a vulnerability with a CVSS score of 7.8 (HIGH). The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demons...
How severe is CVE-2009-3289?
CVE-2009-3289 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-3289?
Check the references section above for vendor advisories and patch information. Affected products include: Gnome Glib, Opensuse Opensuse, Suse Suse Linux Enterprise Server.