Bug 1934852 (CVE-2021-24031)

Summary: CVE-2021-24031 zstd: adds read permissions to files while being compressed or uncompressed
Product: [Other] Security Response
Reporter: Sage McTaggart <amctagga>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: anharris, bmontgom, bniver, eparis, flucifre, gmeno, hvyas, jamartis, jburrell, jjoyce, jschluet, kaycoth, lhh, lpeer, mbenjamin, mburns, mhackett, nstielau, p, psegedy, sclewis, slinaber, sostapov, sponnaga, vereddy, vmugicag
Keywords: Reopened, Security
Hardware: All
OS: Linux
Fixed In Version: zstd 1.4.1
Doc Text: A flaw was found in zstd. When compressing or uncompressing a file, the output file is created with a wider mode than the input (readable by other users) and is only narrowed to the input file's mode once the operation completes. Until then another local user can open and read the output, so the contents of a private input are exposed for the duration of the operation; the larger the file, the longer the window stays open.
Last Closed: 2022-12-21 23:30:26 UTC
Embargoed:
Bug Depends On: 1935080, 1929435, 1934853, 1934854, 1934855, 1934856, 1935075, 1935076, 1935077, 1935078, 1935079
Bug Blocks: 1928095

Description Sage McTaggart 2021-03-03 21:36:11 UTC
While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input, potentially leading to security issues (especially if large files are being handled).

References:
https://github.com/facebook/zstd/issues/1630
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404
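The window described in the report, reproduced in isolation next to a hardened creation pattern. This is an added example written for this page, not zstd's own code: write_then_chmod is a reconstruction of the reported behaviour (output created with the process default mode, input mode applied at the end), not a copy of zstd's fileio.c, and create_restricted is a standard fix (create owner-only, widen to the input's mode with fchmod once the data is written), not necessarily the change shipped in zstd 1.4.1. The scratch directory name, the payload and the 0600 input mode are constructed for the demonstration.

```c
/* Added example, not zstd's code: the output-file mode window from this
 * report (write_then_chmod, a reconstruction) beside a hardened pattern
 * (create_restricted). Paths, payload and modes below are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat()ed. */
static int mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Reported pattern: output created with the process default mode
 * (0666 & ~umask, usually 0644, readable by everyone), data written, input
 * mode copied across only at the end. Returns the mode seen mid-write. */
static int write_then_chmod(const char *out, const char *data, mode_t input_mode)
{
    FILE *f = fopen(out, "wb");
    if (f == NULL)
        return -1;
    fputs(data, f);
    fflush(f);
    int during = mode_bits(out);      /* window another local user can use */
    fclose(f);
    if (chmod(out, input_mode) != 0)  /* final mode matches the input */
        return -1;
    return during;
}

/* Hardened pattern: open(2) with 0600, which umask can only narrow, write
 * the data, then apply the input's mode on the still-open descriptor. The
 * file is never wider than 0600 before it is complete. */
static int create_restricted(const char *out, const char *data, mode_t input_mode)
{
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    int during = mode_bits(out);      /* 0600 whatever the umask is */
    int rc = fchmod(fd, input_mode);  /* final mode matches the input */
    close(fd);
    return rc == 0 ? during : -1;
}

/* Run both patterns in a scratch directory with umask 022 and a private
 * (0600) input, as when compressing a secret file. m[0]/m[1]: reported
 * pattern's mode during and after the write; m[2]/m[3]: hardened pattern's. */
int demo_modes(int m[4])
{
    const mode_t input_mode = 0600;
    const char *payload = "constructed sample data, not a real zstd frame\n";
    char dir[64], old_path[96], new_path[96];

    snprintf(dir, sizeof dir, "/tmp/zstd-mode-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) {
        snprintf(dir, sizeof dir, "./zstd-mode-demo-%ld", (long)getpid());
        if (mkdir(dir, 0700) != 0)
            return -1;
    }
    snprintf(old_path, sizeof old_path, "%s/old.zst", dir);
    snprintf(new_path, sizeof new_path, "%s/new.zst", dir);

    mode_t saved = umask(022);   /* fixed umask so the outcome is deterministic */
    m[0] = write_then_chmod(old_path, payload, input_mode);
    m[1] = mode_bits(old_path);
    m[2] = create_restricted(new_path, payload, input_mode);
    m[3] = mode_bits(new_path);
    umask(saved);

    unlink(old_path);
    unlink(new_path);
    rmdir(dir);
    return (m[0] < 0 || m[2] < 0) ? -1 : 0;
}

int main(void)
{
    int m[4];
    if (demo_modes(m) != 0) {
        perror("demo_modes");
        return 1;
    }
    printf("reported pattern: %04o while writing, %04o final\n", m[0], m[1]);
    printf("hardened pattern: %04o while writing, %04o final\n", m[2], m[3]);
    return 0;
}
```

With a 0600 input and umask 022 the reported pattern leaves the output at 0644 until the final chmod, so anyone on the host can read a copy of the private data while it is being written; the hardened pattern holds it at 0600 throughout and both end at 0600. The same check (stat the output from a second shell while a large file is being compressed) is how a practitioner can confirm whether an installed zstd build is affected.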

Comment 3 Sage McTaggart 2021-03-03 21:37:30 UTC
Created zstd tracking bugs for this issue:

Affects: epel-7 [bug 1934853]
Affects: fedora-all [bug 1934854]
Affects: openstack-rdo [bug 1934855]

Comment 7 Summer Long 2021-03-30 03:47:16 UTC
Statement:

* In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life.

Comment 11 Sage McTaggart 2022-12-21 23:30:26 UTC
Closing as won't fix.

Comment 12 Sage McTaggart 2022-12-21 23:39:38 UTC
Reopening, whoops, meant to close a tracker.