diff -Nru libzstd-1.3.3+dfsg/debian/changelog libzstd-1.3.3+dfsg/debian/changelog
--- libzstd-1.3.3+dfsg/debian/changelog 2019-08-20 18:19:17.000000000 +0000
+++ libzstd-1.3.3+dfsg/debian/changelog 2021-03-03 15:51:37.000000000 +0000
@@ -1,3 +1,14 @@
+libzstd (1.3.3+dfsg-2ubuntu1.2) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: race condition allows attacker to access
+ world-readable destination file
+ - debian/patches/0017-fix-file-permissions-on-compression.patch: set
+ umask in programs/fileio.c, programs/util.h.
+ - CVE-2021-24031
+ - CVE-2021-24032
+
+ -- Marc Deslauriers Wed, 03 Mar 2021 10:51:37 -0500
+
 libzstd (1.3.3+dfsg-2ubuntu1.1) bionic-security; urgency=medium
 
 [ Eduardo Barretto ]
diff -Nru libzstd-1.3.3+dfsg/debian/patches/0017-fix-file-permissions-on-compression.patch libzstd-1.3.3+dfsg/debian/patches/0017-fix-file-permissions-on-compression.patch
--- libzstd-1.3.3+dfsg/debian/patches/0017-fix-file-permissions-on-compression.patch 1970-01-01 00:00:00.000000000 +0000
+++ libzstd-1.3.3+dfsg/debian/patches/0017-fix-file-permissions-on-compression.patch 2021-03-03 15:51:37.000000000 +0000
@@ -0,0 +1,54 @@
+Description: fix race condition allowing attackers to access destination file
+ This commit addresses https://github.com/facebook/zstd/issues/2491.
+ .
+ Note that a downside of this solution is that it is global: `umask()` affects
+ all file creation calls in the process. I believe this is safe since
+ `fileio.c` functions should only ever be used in the zstd binary, and these
+ are (almost) the only files ever created by zstd, and AIUI they're only
+ created in a single thread. So we can get away with messing with global state.
+ .
+ Note that this doesn't change the permissions of files created by `dibio.c`.
+ I'm not sure what those should be...
+Author: W. Felix Handte
+Origin: upstream
+Bug: https://github.com/facebook/zstd/issues/2491
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
+Applied-Upstream: commit:a774c5797399040af62db21d8a9b9769e005430e
+Reviewed-by: Étienne Mollier
+Last-Update: 2021-03-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/programs/fileio.c
++++ b/programs/fileio.c
+@@ -349,7 +349,9 @@ static FILE* FIO_openDstFile(const char*
+ FIO_remove(dstFileName);
+ } }
+ 
+- { FILE* const f = fopen( dstFileName, "wb" );
++ { const int old_umask = UTIL_umask(0177); /* u-x,go-rwx */
++ FILE* const f = fopen( dstFileName, "wb" );
++ UTIL_umask(old_umask);
+ if (f == NULL)
+ DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno));
+ return f;
+--- a/programs/util.h
++++ b/programs/util.h
+@@ -353,6 +353,18 @@ UTIL_STATIC U64 UTIL_getTotalFileSize(co
+ }
+ 
+ 
++/**
++ * Wraps umask(). Does nothing when the platform doesn't have that concept.
++ */
++UTIL_STATIC int UTIL_umask(int mode) {
++#if PLATFORM_POSIX_VERSION > 0
++ return umask(mode);
++#else
++ /* do nothing, fake return value */
++ return mode;
++#endif
++}
++
+ /*
+ * A modified version of realloc().
+ * If UTIL_realloc() fails the original block is freed.
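Review bot: The umask window added around `fopen( dstFileName, "wb" )` in FIO_openDstFile only governs the mode of a file that fopen creates; if dstFileName still exists when this line is reached, "wb" truncates it in place and its existing, possibly world-readable, mode is left untouched. The `FIO_remove(dstFileName)` in the context sits inside a conditional whose condition is outside the hunk, so whether every path unlinks the file before the create cannot be confirmed from here; if some path does not, an explicit `fchmod(fileno(f), S_IRUSR|S_IWUSR)` right after a successful fopen would cover the truncate-in-place case as well. Restoring the mask with `UTIL_umask(old_umask)` before the `strerror(errno)` call is correct only because umask() cannot fail and does not modify errno; a comment such as `/* umask() never fails and leaves errno intact, so restore it before reporting the fopen error */` would keep a later edit from inserting an errno-clobbering call between the two. The non-POSIX fallback in UTIL_umask returning `mode` is harmless here since the saved value is only fed back into the same no-op, but the doc comment could say so. FIO_openDstFile begins and ends outside the hunk.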
diff -Nru libzstd-1.3.3+dfsg/debian/patches/series libzstd-1.3.3+dfsg/debian/patches/series
--- libzstd-1.3.3+dfsg/debian/patches/series 2019-08-20 18:19:09.000000000 +0000
+++ libzstd-1.3.3+dfsg/debian/patches/series 2021-03-03 15:48:24.000000000 +0000
@@ -6,3 +6,4 @@
 0011-skip-long-running-tests_on_hurd.patch
 0012-typos.patch
 CVE-2019-11922.patch
+0017-fix-file-permissions-on-compression.patch