[Debian-med-packaging] Bug#981404: Bug#981404: compressed file is world readable, while zstd is running

Étienne Mollier etienne.mollier at mailoo.org
Mon Feb 1 21:57:15 GMT 2021


Control: fixed -1 1.4.8+dfsg-1
Control: tag -1 patch

Greetings,

This critical issue is affecting Stable.  Permissions at
compression time are inherited from umask; this may be too
relaxed when handling sensitive files.

Fortunately, this seems to have been fixed upstream around
version 1.4.1.  Debian Sid is not affected anymore as far as I
can see.  I identified the few commits[1,2,3,4] from Mike
Swanson and Yann Collet which solved the issue.

[1] https://github.com/facebook/zstd/commit/3968160a916a759c3d3418da533e1b4f8b795343
[2] https://github.com/facebook/zstd/commit/af80f6dfacafcc2c916ecd57731107221e1f9986
[3] https://github.com/facebook/zstd/commit/8b6d96827c24dd09109830272f413254833317d9
[4] https://github.com/facebook/zstd/commit/7aaac3f69c1e0102099c192639017e660e88b4bf

After some folding, I obtained the following patch, with which I
could derive a fixed version of zstd 1.3.8 for Buster:

-------8<--------------8<--------------8<--------------8<-------
--- libzstd.orig/programs/fileio.c
+++ libzstd/programs/fileio.c
@@ -482,8 +482,14 @@
     }   }
 
     {   FILE* const f = fopen( dstFileName, "wb" );
-        if (f == NULL)
+        if (f == NULL) {
             DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno));
+        } else if (srcFileName != NULL
+                   && strcmp (srcFileName, stdinmark)
+                   && strcmp(dstFileName, nulmark) ) {
+                /* reduce rights on newly created dst file while compression is ongoing */
+            chmod(dstFileName, 00600);
+        }
         return f;
     }
 }
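Review bot: the chmod(dstFileName, 00600) added at the end of the hunk runs only after fopen(dstFileName, "wb") has already created the file with umask-derived permissions, so a short window remains in which the destination carries its original (possibly world-readable) mode; creating it with open(dstFileName, O_WRONLY | O_CREAT | O_TRUNC, 0600) and wrapping the descriptor with fdopen(fd, "wb") would apply the mode at creation and close that window. The return value of chmod is also discarded, so a failure to restrict the file goes unnoticed; checking it and reporting through DISPLAYLEVEL like the fopen error path would be consistent. The new condition skips the restriction when srcFileName is stdinmark, so a destination written from piped input keeps umask permissions; if that is intended it deserves a comment. Minor: the /* reduce rights ... */ comment is indented one level deeper than the chmod it describes, and `strcmp (srcFileName, stdinmark)` has a stray space before the parenthesis unlike the neighbouring strcmp call.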
-------8<--------------8<--------------8<--------------8<-------

Side note to Debian Med, I know the package is transitioning to
pkg-rpm team, and I am not super comfortable yet preparing an
upload to Stable[5], so I'm just providing a proposal of patch
as a starter.

[5] https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Kind Regards,
-- 
Étienne Mollier <etienne.mollier at mailoo.org>
Fingerprint:  8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
Sent from /dev/pts/2, please excuse my verbosity.
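As an added illustration (not part of the patch above nor of zstd's own code), the creation pattern that avoids the fopen-then-chmod window entirely: open(2) with an explicit 0600 mode, beside a helper that reports the mode a file actually receives under a given umask so the difference from fopen(path, "wb") can be observed. Function names and the temporary path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open dst for writing so it is 0600 from the instant it exists: open(2)
 * applies the mode at creation, leaving no window with umask-derived
 * permissions as fopen() followed by chmod() does.  The mode only applies
 * to a newly created file; a pre-existing dst keeps its old mode. */
FILE *open_dst_private(const char *dst)
{
    int fd = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "wb");
    if (f == NULL)
        close(fd);
    return f;
}

/* Create path under the given umask, either with open_dst_private() or
 * with fopen(path, "wb") as in the unpatched code, and return the
 * permission bits (st_mode & 0777) the new file got, or -1 on error.
 * Any stale copy is removed first so the result reflects this creation,
 * and the file is removed again before returning. */
int created_mode(const char *path, mode_t mask, int use_private_open)
{
    struct stat st;
    unlink(path);
    mode_t old = umask(mask);
    FILE *f = use_private_open ? open_dst_private(path) : fopen(path, "wb");
    umask(old);
    if (f == NULL)
        return -1;
    int m = fstat(fileno(f), &st) == 0 ? (int)(st.st_mode & 0777) : -1;
    fclose(f);
    unlink(path);
    return m;
}
```

With a typical umask of 022, fopen yields 0644 (world readable) while open_dst_private yields 0600 regardless of the mask.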