[Debian-med-packaging] Bug#982519: Bug#981404: Fix seems incomplete

Salvatore Bonaccorso carnil at debian.org
Thu Feb 11 15:54:53 GMT 2021


Hi Feri,

On Thu, Feb 11, 2021 at 11:26:47AM +0100, wferi at niif.hu wrote:
> Hi,
> 
> The patch in this bug report very much shrinks the window of the
> vulnerability, but doesn't close it completely: the file is still
> created with default permissions, then chmodded as a separate step.
> It's hard, but not impossible to still win the race and open the file
> before the chmod, enabling the same attack.  I recommend something like
> 
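> /* Create the file and set its mode in one step; O_EXCL refuses an existing path. */
> int fd = open(dstFileName, O_WRONLY|O_CREAT|O_EXCL, 0600);
> FILE* f = NULL;  /* stays NULL when open() fails */
> if (fd != -1)
>     f = fdopen( fd, "wb" );
> if (fd == -1 || f == NULL)
>     DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno));
> return f;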
> 
> for example.

See #982519 respectively https://github.com/facebook/zstd/issues/2491
upstream.

Regards,
Salvatore


