Your message dated Wed, 24 Feb 2021 17:32:41 +0000
with message-id <e1ley1h-000cvg...@fasolo.debian.org>
and subject line Bug#982519: fixed in libzstd 1.3.8+dfsg-3+deb10u2
has caused the Debian Bug report #982519,
regarding zstd: Race condition allows attacker to access world-readable destination file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
982519: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zstd
Version: 1.4.8+dfsg-1
Severity: grave
Tags: security
X-Debbugs-Cc: t...@security.debian.org
The recently applied patch still creates the file with the default
umask[0], before chmod'ing down to 0600, so an attacker could still open
it in the meantime.
Cheers,
--
Seb
[0] https://github.com/facebook/zstd/blob/dev/programs/fileio.c#L682
--- End Message ---
--- Begin Message ---
Source: libzstd
Source-Version: 1.3.8+dfsg-3+deb10u2
Done: Étienne Mollier <etienne.moll...@mailoo.org>
We believe that the bug you reported is fixed in the latest version of
libzstd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 982...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Étienne Mollier <etienne.moll...@mailoo.org> (supplier of updated libzstd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 18 Feb 2021 12:59:48 +0100
Source: libzstd
Architecture: source
Version: 1.3.8+dfsg-3+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Med Packaging Team <debian-med-packag...@lists.alioth.debian.org>
Changed-By: Étienne Mollier <etienne.moll...@mailoo.org>
Closes: 982519
Changes:
libzstd (1.3.8+dfsg-3+deb10u2) buster-security; urgency=high
.
* Team upload.
* The previous fix-file-permissions-on-compression.patch almost closed the
window of the race condition, but not completely. This patch, adapted from
upstream, 0017-fix-file-permissions-on-compression.patch, replaces the
previous attempt by erasing the umask before opening the destination file.
Closes: #982519
--- End Message ---