[Debian-med-packaging] Bug#982519: zstd: Race condition allows attacker to access world-readable destination file

Salvatore Bonaccorso carnil at debian.org
Thu Feb 18 05:19:29 GMT 2021


On Thu, Feb 11, 2021 at 08:33:58AM +0100, Sebastien Delafond wrote:
> Package: zstd
> Version: 1.4.8+dfsg-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: team at security.debian.org
> 
> The recently applied patch still creates the file with the default
> umask[0], before chmod'ing down to 0600, so an attacker could still open
> it in the meantime.

FTR, this has been fixed upstream.

https://github.com/facebook/zstd/commit/a774c5797399040af62db21d8a9b9769e005430e

Regards,
Salvatore
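
The window described in the report, as an added example (not zstd code and not the upstream patch): creating a file with fopen() and then chmod()'ing it, next to one way of creating it with 0600 from the start. The function names, the /tmp path and the umask of 022 are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat'ed. */
static int mode_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Reported pattern: fopen() creates the file with 0666 & ~umask, chmod() comes
 * later. Returns the mode visible between the two calls. A descriptor another
 * process opens in that window stays usable after the chmod(). */
int create_then_chmod(const char *path) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    int window = mode_of(path);
    if (chmod(path, 0600) != 0) window = -1;
    fclose(f);
    return window;
}

/* Hardened: open() applies 0600 at creation, so there is no wider window.
 * O_EXCL also refuses a file or symlink that is already at that path. */
int create_private(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    int initial = mode_of(path);
    FILE *f = fdopen(fd, "wb");     /* stdio stream on the same descriptor */
    if (!f) { close(fd); return -1; }
    fclose(f);
    return initial;
}

/* Runs both variants in a fresh private directory under umask 022. */
int compare_modes(int *racy, int *safe) {
    char dir[] = "/tmp/umask-race-XXXXXX", p[64];   /* constructed path */
    mode_t old = umask(022);
    if (!mkdtemp(dir)) { umask(old); return -1; }
    snprintf(p, sizeof p, "%s/racy", dir);
    *racy = create_then_chmod(p); unlink(p);
    snprintf(p, sizeof p, "%s/safe", dir);
    *safe = create_private(p); unlink(p);
    rmdir(dir); umask(old);
    return 0;
}
int main(void) {
    int racy, safe;
    if (compare_modes(&racy, &safe) != 0) return 1;
    printf("fopen+chmod window: %04o, open(0600): %04o\n", racy, safe);
    return 0;
}
```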


