Bug 1934852 (CVE-2021-24031) - CVE-2021-24031 zstd: adds read permissions to files while being compressed or uncompressed
Keywords:
Status: NEW
Alias: CVE-2021-24031
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: low low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1934853 1935080 1929435 1934854 1934855 1934856 1935075 1935076 1935077 1935078 1935079
Blocks: 1928095
Reported: 2021-03-03 21:36 UTC by Sage McTaggart
Modified: 2023-07-07 08:31 UTC (History)

Fixed In Version: zstd 1.4.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in zstd. While the final file mode reflects the input file, during compression or decompression the file can temporarily gain greater permissions than the input, potentially leading to security issues (especially if large files are being handled).
Clone Of:
Environment:
Last Closed: 2022-12-21 23:30:26 UTC
Embargoed:


Description Sage McTaggart 2021-03-03 21:36:11 UTC
While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input, potentially leading to security issues (especially if large files are being handled).

References:
https://github.com/facebook/zstd/issues/1630
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404
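
The permission window the reporter describes, as an added example that is neither zstd's code nor part of this bug report: a plain file copy stands in for the compress/decompress write, `copy_mode_racy` reproduces the vulnerable pattern (create the output with the umask default, chmod to the input's mode only at the end) and `copy_mode_safe` the hardened one (create owner-only with O_EXCL, widen with fchmod only after the data is written). The function names, the `observe` callback and the sample input file are constructed for this example.

```python
import os
import stat
import tempfile

def copy_mode_racy(src, dst, observe=None):
    # Vulnerable pattern: dst is created with the umask default (0644 under
    # umask 022), so until the final chmod it is world-readable even when
    # src is 0600. With a large file that window lasts the whole write.
    mode = stat.S_IMODE(os.stat(src).st_mode)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        if observe:
            observe(stat.S_IMODE(os.fstat(fout.fileno()).st_mode))
        fout.write(fin.read())
    os.chmod(dst, mode)  # final mode matches src, but only after the window

def copy_mode_safe(src, dst, observe=None):
    # Hardened pattern: create dst owner-only and exclusively, write the
    # data, and only then apply src's mode on the still-open descriptor.
    mode = stat.S_IMODE(os.stat(src).st_mode)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fout, open(src, "rb") as fin:
        if observe:
            observe(stat.S_IMODE(os.fstat(fd).st_mode))
        fout.write(fin.read())
        os.fchmod(fd, mode)

def demo(src_mode=0o600, umask=0o022):
    """Return (mode seen mid-write by the racy pattern, by the safe pattern,
    final mode of the safe output) for a constructed input file."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "secret.txt")
            with open(src, "wb") as f:
                f.write(b"constructed sample data\n" * 1000)
            os.chmod(src, src_mode)
            seen = {}
            copy_mode_racy(src, os.path.join(d, "racy.out"),
                           lambda m: seen.__setitem__("racy", m))
            copy_mode_safe(src, os.path.join(d, "safe.out"),
                           lambda m: seen.__setitem__("safe", m))
            final = stat.S_IMODE(os.stat(os.path.join(d, "safe.out")).st_mode)
            return seen["racy"], seen["safe"], final
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    racy, safe, final = demo()
    print(f"racy mid-write {racy:04o}, safe mid-write {safe:04o}, final {final:04o}")
```

The third `demo` argument set in the test shows that a restrictive umask (077) also closes the window for the racy pattern, which is the usual operational mitigation on hosts that cannot update the package.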

Comment 3 Sage McTaggart 2021-03-03 21:37:30 UTC
Created zstd tracking bugs for this issue:

Affects: epel-7 [bug 1934853]
Affects: fedora-all [bug 1934854]
Affects: openstack-rdo [bug 1934855]

Comment 7 Summer Long 2021-03-30 03:47:16 UTC
Statement:

* In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life.

Comment 11 Sage McTaggart 2022-12-21 23:30:26 UTC
Closing as won't fix.

Comment 12 Sage McTaggart 2022-12-21 23:39:38 UTC
Reopening, whoops, meant to close a tracker.
