[Debian-med-packaging] Bug#982519: zstd: Race condition allows attacker to access world-readable destination file
Salvatore Bonaccorso
carnil at debian.org
Thu Feb 18 05:19:29 GMT 2021
On Thu, Feb 11, 2021 at 08:33:58AM +0100, Sebastien Delafond wrote:
> Package: zstd
> Version: 1.4.8+dfsg-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: team at security.debian.org
>
> The recently applied patch still creates the file with the default
> umask[0], before chmod'ing down to 0600, so an attacker could still open
> it in the meantime.
FTR, this has been fixed upstream.
https://github.com/facebook/zstd/commit/a774c5797399040af62db21d8a9b9769e005430e
Regards,
Salvatore
More information about the Debian-med-packaging
mailing list