1928090 – (CVE-2021-24032) CVE-2021-24032 zstd: Race condition allows attacker to access world-readable destination file

Bug 1928090 (CVE-2021-24032) - CVE-2021-24032 zstd: Race condition allows attacker to access world-readable destination file

Summary: CVE-2021-24032 zstd: Race condition allows attacker to access world-readable ...

Keywords:
Status:	NEW
Alias:	CVE-2021-24032
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1928092 1935080 2254406 1928091 1928093 1928094 1929435 1934856 1935075 1935076 1935077 1935078 1935079 1950394
Blocks:	1928095
TreeView+	depends on / blocked

Reported:	2021-02-12 11:42 UTC by Michael Kaplan
Modified:	2023-12-13 19:16 UTC (History)
CC List:	28 users (show)
Fixed In Version:	zstd 1.4.9
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).
Clone Of:
Environment:
Last Closed:	2022-12-21 23:31:04 UTC
Embargoed:

Attachments	(Terms of Use)

Description Michael Kaplan 2021-02-12 11:42:13 UTC

While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).

References:

https://github.com/facebook/zstd/issues/2491
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519

Comment 2 Michael Kaplan 2021-02-12 11:47:43 UTC

Created zstd tracking bugs for this issue:

Affects: epel-7 [bug 1928092]
Affects: fedora-all [bug 1928091]
Affects: openstack-rdo [bug 1928093]

Comment 11 Summer Long 2021-03-30 03:47:54 UTC

Statement:

* In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life.

Comment 18 Sage McTaggart 2022-12-21 23:31:04 UTC

Closing as won't fix.

Comment 19 Sage McTaggart 2022-12-21 23:32:41 UTC

Reopening, woops.

Note You need to log in before you can comment on or make changes to this bug.

amctagga
anharris
aoconnor
bmontgom
bniver
eparis
flucifre
gmeno
hvyas
jamartis
jburrell
jjoyce
jschluet
kaycoth
lhh
lpeer
mbenjamin
mburns
mhackett
nstielau
p
psegedy
sclewis
slinaber
sostapov
sponnaga
vereddy
vmugicag