[Debian-med-packaging] Bug#982519: zstd: Race condition allows attacker to access world-readable destination file
Sebastien Delafond
seb at debian.org
Thu Feb 11 07:33:58 GMT 2021
Package: zstd
Version: 1.4.8+dfsg-1
Severity: grave
Tags: security
X-Debbugs-Cc: team at security.debian.org
The recently applied patch still creates the file with the default
umask[0], before chmod'ing down to 0600, so an attacker could still open
it in the meantime.
Cheers,
--
Seb
[0] https://github.com/facebook/zstd/blob/dev/programs/fileio.c#L682
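
The window described in the report, as an added example that is not part of the original message and is not zstd's code: it records the permission bits a file carries at the instant it first exists, once for create-then-chmod and once for creation with 0600 through open(2). The function name mode_at_creation, the scratch path and the umask of 022 are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns the permission bits the file has at the moment it first exists,
 * i.e. what another local user could open during the window.
 * hardened == 0: create under the umask, then chmod to 0600 (reported pattern).
 * hardened != 0: create with 0600 atomically via open(2). */
mode_t mode_at_creation(int hardened)
{
    char dir[] = "/tmp/umask-demo-XXXXXX";  /* constructed scratch directory */
    char path[64];
    struct stat st;
    mode_t seen = (mode_t)-1;               /* returned unchanged on failure */
    mode_t old = umask(022);                /* assumed typical default umask */

    if (mkdtemp(dir) == NULL) { umask(old); return seen; }
    snprintf(path, sizeof path, "%s/out.zst", dir);

    if (!hardened) {
        FILE *f = fopen(path, "wb");        /* mode is 0666 & ~umask */
        if (f != NULL) {
            if (fstat(fileno(f), &st) == 0) seen = st.st_mode & 0777;
            chmod(path, 0600);              /* file already existed as `seen` */
            fclose(f);
        }
    } else {
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0) {
            if (fstat(fd, &st) == 0) seen = st.st_mode & 0777;
            close(fd);
        }
    }
    unlink(path);
    rmdir(dir);
    umask(old);
    return seen;
}

int main(void)
{
    printf("create-then-chmod: %04o\n", (unsigned)mode_at_creation(0));
    printf("open with 0600:    %04o\n", (unsigned)mode_at_creation(1));
    return 0;
}
```

O_EXCL additionally makes the open fail if the path already exists, so a file pre-created by another user is not reused.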