Bug 1928090 (CVE-2021-24032)

Summary: CVE-2021-24032 zstd: Race condition allows attacker to access world-readable destination file
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: amctagga, anharris, aoconnor, bmontgom, bniver, caswilli, dfreiber, drow, eglynn, eparis, flucifre, gmeno, hvyas, jamartis, jburrell, jdobes, jjoyce, jsamir, jschluet, kaycoth, lhh, lpeer, lsvaty, mbenjamin, mburns, mgarciac, mhackett, nstielau, orabin, p, pgrist, psegedy, rblanco, sclewis, slinaber, sostapov, sponnaga, sthirugn, vereddy, vkrizan, vkumar, vmugicag
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: zstd 1.4.9 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-21 23:31:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1935080, 2254406, 2306553, 1928091, 1928092, 1928093, 1928094, 1929435, 1934856, 1935075, 1935076, 1935077, 1935078, 1935079, 1950394    
Bug Blocks: 1928095    

Description Michael Kaplan 2021-02-12 11:42:13 UTC 
While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).

References:

https://github.com/facebook/zstd/issues/2491
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
Comment 2 Michael Kaplan 2021-02-12 11:47:43 UTC 
Created zstd tracking bugs for this issue:

Affects: epel-7 [bug 1928092]
Affects: fedora-all [bug 1928091]
Affects: openstack-rdo [bug 1928093]
Comment 11 Summer Long 2021-03-30 03:47:54 UTC 
Statement:

* In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life.
Comment 18 Sage McTaggart 2022-12-21 23:31:04 UTC 
Closing as won't fix.
Comment 19 Sage McTaggart 2022-12-21 23:32:41 UTC 
Reopening, woops.
Comment 32 errata-xmlrpc 2024-05-30 20:24:47 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.7.0

Via RHSA-2024:3527 https://access.redhat.com/errata/RHSA-2024:3527