Bug 1928090 (CVE-2021-24032) - CVE-2021-24032 zstd: Race condition allows attacker to access world-readable destination file
Summary: CVE-2021-24032 zstd: Race condition allows attacker to access world-readable ...
Keywords:
Status: NEW
Alias: CVE-2021-24032
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1935080 2254406 2306553 1928091 1928092 1928093 1928094 1929435 1934856 1935075 1935076 1935077 1935078 1935079 1950394
Blocks: 1928095
TreeView+ depends on / blocked
 
Reported: 2021-02-12 11:42 UTC by Michael Kaplan
Modified: 2025-02-04 17:21 UTC (History)
42 users (show)

Fixed In Version: zstd 1.4.9
Clone Of:
Environment:
Last Closed: 2022-12-21 23:31:04 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:3527 0 None None None 2024-05-30 20:24:50 UTC

Description Michael Kaplan 2021-02-12 11:42:13 UTC 
While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).

References:

https://github.com/facebook/zstd/issues/2491
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
Comment 2 Michael Kaplan 2021-02-12 11:47:43 UTC 
Created zstd tracking bugs for this issue:

Affects: epel-7 [bug 1928092]
Affects: fedora-all [bug 1928091]
Affects: openstack-rdo [bug 1928093]
Comment 11 Summer Long 2021-03-30 03:47:54 UTC 
Statement:

* In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life.
Comment 18 Sage McTaggart 2022-12-21 23:31:04 UTC 
Closing as won't fix.
Comment 19 Sage McTaggart 2022-12-21 23:32:41 UTC 
Reopening, woops.
Comment 32 errata-xmlrpc 2024-05-30 20:24:47 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.7.0

Via RHSA-2024:3527 https://access.redhat.com/errata/RHSA-2024:3527
Note You need to log in before you can comment on or make changes to this bug.