[med-svn] [Git][med-team/libzstd][master] 5 commits: initialize changelog

Étienne Mollier gitlab at salsa.debian.org
Thu Feb 18 10:21:01 GMT 2021



Étienne Mollier pushed to branch master at Debian Med / libzstd


Commits:
493cea9a by Étienne Mollier at 2021-02-18T09:17:30+01:00
initialize changelog

- - - - -
9f3819d8 by Étienne Mollier at 2021-02-18T09:25:52+01:00
add 0018-fix-file-permissions-on-compression.patch

- - - - -
fc8a0342 by Étienne Mollier at 2021-02-18T09:54:28+01:00
ready to upload to unstable (urgency=high)

- - - - -
a5dc7a36 by Étienne Mollier at 2021-02-18T10:58:51+01:00
patch header dep3

- - - - -
7ba50761 by Étienne Mollier at 2021-02-18T11:04:41+01:00
clarified log entry

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/0018-fix-file-permissions-on-compression.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,17 @@
+libzstd (1.4.8+dfsg-2) unstable; urgency=high
+
+  * Team upload.
+  * When a file with restricted permissions is compressed, the resulting file
+    inherits the umask of the user for the time of the compression.  This was
+    partially mitigated previously by running a change of permissions after a
+    `chmod`, but left a small but exploitable window just after the `fopen`.
+    This update adds 0018-fix-file-permissions-on-compression.patch to make
+    sure the compressed file is not group nor world readable for the _entire_
+    duration of the compression.
+    Closes: #982519
+
+ -- Étienne Mollier <etienne.mollier at mailoo.org>  Thu, 18 Feb 2021 09:52:53 +0100
+
 libzstd (1.4.8+dfsg-1) unstable; urgency=medium
 
   * New upstream version 1.4.8+dfsg, Closes: #977829
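Review bot: The second sentence of the new 1.4.8+dfsg-2 entry says the earlier mitigation ran "a change of permissions after a `chmod`", which reads as a chmod following a chmod. The code removed by the patch called `UTIL_chmod(dstFileName, NULL, 00600)` after the `fopen`, so the sentence should say that the permissions were reduced by a `chmod` run after the `fopen`. The first sentence has a similar slip: the output file does not inherit the umask, it is created with the default permissions that the user's umask allows.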


=====================================
debian/patches/0018-fix-file-permissions-on-compression.patch
=====================================
@@ -0,0 +1,81 @@
+Description: fix race condition allowing attackers to access destination file
+ This commit addresses https://github.com/facebook/zstd/issues/2491.
+ .
+ Note that a downside of this solution is that it is global: `umask()` affects
+ all file creation calls in the process. I believe this is safe since
+ `fileio.c` functions should only ever be used in the zstd binary, and these
+ are (almost) the only files ever created by zstd, and AIUI they're only
+ created in a single thread. So we can get away with messing with global state.
+ .
+ Note that this doesn't change the permissions of files created by `dibio.c`.
+ I'm not sure what those should be...
+Author: W. Felix Handte <w at felixhandte.com>
+Origin: upstream
+Bug: https://github.com/facebook/zstd/issues/2491
+Bug-Debian: https://github.com/facebook/zstd/issues/2491
+Applied-Upstream: commit:a774c5797399040af62db21d8a9b9769e005430e
+Reviewed-by: Étienne Mollier <etienne.mollier at mailoo.org>
+Last-Update: 2021-02-18
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libzstd.orig/programs/fileio.c
++++ libzstd/programs/fileio.c
+@@ -675,14 +675,11 @@
+             FIO_removeFile(dstFileName);
+     }   }
+ 
+-    {   FILE* const f = fopen( dstFileName, "wb" );
++    {   const int old_umask = UTIL_umask(0177); /* u-x,go-rwx */
++        FILE* const f = fopen( dstFileName, "wb" );
++        UTIL_umask(old_umask);
+         if (f == NULL) {
+             DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno));
+-        } else if (srcFileName != NULL
+-               && strcmp (srcFileName, stdinmark)
+-               && strcmp(dstFileName, nulmark) ) {
+-            /* reduce rights on newly created dst file while compression is ongoing */
+-            UTIL_chmod(dstFileName, NULL, 00600);
+         }
+         return f;
+     }
+--- libzstd.orig/programs/util.c
++++ libzstd/programs/util.c
+@@ -159,6 +159,15 @@
+     return chmod(filename, permissions);
+ }
+ 
++int UTIL_umask(int mode) {
++#if PLATFORM_POSIX_VERSION > 0
++    return umask(mode);
++#else
++    /* do nothing, fake return value */
++    return mode;
++#endif
++}
++
+ int UTIL_setFileStat(const char *filename, const stat_t *statbuf)
+ {
+     int res = 0;
+--- libzstd.orig/programs/util.h
++++ libzstd/programs/util.h
+@@ -22,7 +22,7 @@
+ #include "platform.h"     /* PLATFORM_POSIX_VERSION, ZSTD_NANOSLEEP_SUPPORT, ZSTD_SETPRIORITY_SUPPORT */
+ #include <stddef.h>       /* size_t, ptrdiff_t */
+ #include <sys/types.h>    /* stat, utime */
+-#include <sys/stat.h>     /* stat, chmod */
++#include <sys/stat.h>     /* stat, chmod, umask */
+ #include "../lib/common/mem.h"          /* U64 */
+ 
+ 
+@@ -152,6 +152,11 @@
+  */
+ int UTIL_chmod(char const* filename, const stat_t* statbuf, mode_t permissions);
+ 
++/**
++ * Wraps umask(). Does nothing when the platform doesn't have that concept.
++ */
++int UTIL_umask(int mode);
++
+ /*
+  * In the absence of a pre-existing stat result on the file in question, these
+  * functions will do a stat() call internally and then use that result to
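Review bot: In the programs/fileio.c part, dropping the `else if` branch changes behaviour for input read from stdin. The old `UTIL_chmod(dstFileName, NULL, 00600)` was skipped when `srcFileName` was `stdinmark`, whereas `UTIL_umask(0177)` now applies to every destination, so a file compressed from stdin is created 0600 instead of with the permissions the user's umask allows. If nothing later widens the mode in that case, say so in the patch description or the changelog. Also, `umask()` only affects files that `fopen` actually creates; an existing destination that is truncated rather than removed first keeps its old mode, so it is worth confirming that the `FIO_removeFile(dstFileName)` above runs on every path that reaches this `fopen`. In the DEP-3 header, `Bug-Debian:` repeats the upstream GitHub URL; it should point at the Debian bug that the changelog closes (#982519).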


=====================================
debian/patches/series
=====================================
@@ -4,3 +4,4 @@
 0014-Reproducible-build.patch
 0015-Skip-dev-random-tests-on-hurd.patch
 0017-alpha-fbfs-st_mtime.patch
+0018-fix-file-permissions-on-compression.patch



View it on GitLab: https://salsa.debian.org/med-team/libzstd/-/compare/a4fc318f32484bd45316d80a5b4a87c3f640c293...7ba507613501e6bcc6b8c6c2506d7e198d6ccd30
