CVE-2024-45339

Name	CVE-2024-45339
Description	When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4056-1
Debian Bugs	1094733

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang-glog (PTS)	bullseye	0.0~git20160126.23def4e-3	vulnerable
	bullseye (security)	0.0~git20160126.23def4e-3+deb11u1	fixed
	bookworm	0.0~git20160126.23def4e-5	vulnerable
	sid, trixie	1.2.4-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
golang-glog	source	bullseye	0.0~git20160126.23def4e-3+deb11u1		DLA-4056-1
golang-glog	source	(unstable)	1.2.4-1			1094733

Notes

[bookworm] - golang-glog <no-dsa> (Minor issue)
Fixed by: https://github.com/golang/glog/commit/a0e3c40a0ed0cecc58c84e7684d9ce55a54044ee (v1.2.4)
Complete fix: https://github.com/golang/glog/pull/74