diff -Nru command-not-found-18.04.5/cnf-update-db command-not-found-18.04.6/cnf-update-db
--- command-not-found-18.04.5/cnf-update-db	2018-03-19 11:04:49.000000000 +0000
+++ command-not-found-18.04.6/cnf-update-db	2022-02-14 17:26:36.000000000 +0000
@@ -22,6 +22,8 @@
 
     command_files = glob.glob("/var/lib/apt/lists/*Commands-*")
     if len(command_files) > 0:
+        umask = os.umask(0o22)
         col = DbCreator(command_files)
         col.create(db)
+        os.umask(umask)
 
diff -Nru command-not-found-18.04.5/CommandNotFound/CommandNotFound.py command-not-found-18.04.6/CommandNotFound/CommandNotFound.py
--- command-not-found-18.04.5/CommandNotFound/CommandNotFound.py	2018-05-04 07:53:36.000000000 +0000
+++ command-not-found-18.04.6/CommandNotFound/CommandNotFound.py	2022-02-14 17:26:36.000000000 +0000
@@ -77,7 +77,7 @@
     def __init__(self, data_dir="/usr/share/command-not-found"):
         self.sources_list = self._getSourcesList()
         # a new style DB means we can skip loading the old legacy static DB
-        if os.path.exists(dbpath):
+        if os.path.exists(dbpath) and os.access(dbpath, os.R_OK):
             self.db = SqliteDatabase(dbpath)
         elif os.path.exists(legacy_db):
             self.db = SqliteDatabase(legacy_db)
diff -Nru command-not-found-18.04.5/debian/changelog command-not-found-18.04.6/debian/changelog
--- command-not-found-18.04.5/debian/changelog	2018-05-05 06:41:03.000000000 +0000
+++ command-not-found-18.04.6/debian/changelog	2022-02-14 17:26:36.000000000 +0000
@@ -1,3 +1,15 @@
+command-not-found (18.04.6) bionic; urgency=medium
+
+  [ Arnaud Rebillout ]
+  * cnf: Bail out early if the database is not readable
+  * cnf-update-db: Creates a world-readable database (Closes: #986461)
+  * Add test to make sure that the database is world-readable
+
+  [ Kellen Renshaw ]
+  * Cherry-pick cnf-update-db umask fixes from 22.04 (LP: #1953610)
+
+ -- Kellen Renshaw <kellen.renshaw@canonical.com>  Mon, 14 Feb 2022 10:26:36 -0700
+
 command-not-found (18.04.5) bionic; urgency=medium
 
   * Ensure /snap/bin is in PATH when checking for commands
diff -Nru command-not-found-18.04.5/debian/tests/smoke command-not-found-18.04.6/debian/tests/smoke
--- command-not-found-18.04.5/debian/tests/smoke	2018-03-16 11:23:59.000000000 +0000
+++ command-not-found-18.04.6/debian/tests/smoke	2022-02-14 17:26:36.000000000 +0000
@@ -18,3 +18,8 @@
 
 echo "Ensure c-n-f works as user"
 su -l testuser -c "/usr/lib/command-not-found --ignore-installed konsole" 2>&1 | grep konsole
+
+echo "Ensure c-n-f database is world-readable"    # cf. #986461
+rm -f /var/lib/command-not-found/*
+(umask 0077 && /usr/lib/cnf-update-db)
+su -l testuser -c "/usr/lib/command-not-found --ignore-installed emacs" 2>&1 | grep emacs