Bug 2210921 (CVE-2023-30571)

Summary: CVE-2023-30571 libarchive: Race condition in multi-threaded use of archive_write_disk_header() on POSIX-based systems
Product: [Other] Security Response
Component: vulnerability
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Reporter: Sandipan Roy <saroy>
Assignee: Nobody <nobody>
CC: databases-maint, dornelas, hhorak, kyoshida, ljavorsk, pkubat, praiskup, zmiklank
Keywords: Security
Target Milestone: ---
Target Release: ---
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in libarchive. The umask() call inside archive_write_disk_header() sets the umask of the whole process to 0 for a short time, so multi-threaded use of that function on POSIX-based systems can race and leave the process umask permanently at 0. Directories created implicitly after that have permissions 0777 without the sticky bit, which means any low-privileged local user on the system can delete and rename files inside those directories.
Bug Depends On: 2210922, 2210923, 2210924, 2210925, 2210926, 2210927, 2210928, 2210929, 2210930    
Bug Blocks: 2210884    

Description Sandipan Roy 2023-05-30 04:18:46 UTC
Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.

https://groups.google.com/g/libarchive-announce
https://github.com/libarchive/libarchive/issues/1876

Comment 1 Sandipan Roy 2023-05-30 04:21:26 UTC
Created cmake3 tracking bugs for this issue:

Affects: epel-7 [bug 2210924]


Created libarchive tracking bugs for this issue:

Affects: fedora-37 [bug 2210925]
Affects: fedora-38 [bug 2210927]


Created mingw-libarchive tracking bugs for this issue:

Affects: fedora-37 [bug 2210926]
Affects: fedora-38 [bug 2210928]

Comment 3 Lukas Javorsky 2023-05-30 07:09:19 UTC
Hi,

In the description you've reported that this is affecting only the libarchive-3.6.2 version.

However, we don't have this version released in any of our products.

Are older releases affected as well?

Comment 12 Lukas Javorsky 2023-07-31 10:16:11 UTC
Adding upstream's documentation for this CVE:

```
  The function `archive_write_disk_header()` is _not_ thread safe on
  POSIX machines and could lead to a security issue resulting in world
  writeable directories.  Thus it must be mutexed by the calling code.
  This is due to calling `umask(oldumask = umask(0))`, which sets the
  umask for the whole process to 0 for a short time frame.
  In case another thread calls the same function in parallel, it might
  get interrupted by it and cause the executable to use umask=0 for the
  remaining execution.
  This will then lead to implicitly created directories having 777
  permissions without the sticky bit.
```