Bugzilla – Bug 1183371
VUL-0: CVE-2021-24031: zstd: adds read permissions to files while being compressed or uncompressed
Last modified: 2021-08-06 12:36:30 UTC
rh#1934852

While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input, potentially leading to security issues (especially if large files are being handled).

References:
https://github.com/facebook/zstd/issues/2491
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
https://github.com/facebook/zstd/issues/1630
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1934852
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24031
https://access.redhat.com/security/cve/CVE-2021-24031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24031
https://github.com/facebook/zstd/issues/1630
https://www.facebook.com/security/advisories/cve-2021-24031
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404
fixes:
https://github.com/facebook/zstd/pull/1644/files

and maybe:
https://github.com/facebook/zstd/pull/2525/files
(In reply to Robert Frohl from comment #1)
> fixes:
> https://github.com/facebook/zstd/pull/1644/files

My take is that this patch gets superseded by the fix for CVE-2021-24032/bsc#1183370

> and maybe:
> https://github.com/facebook/zstd/pull/2525/files

Looks like a good hardening, maybe we can take this one too.
tracking as affected: SUSE:SLE-15:Update/zstd
(In reply to Robert Frohl from comment #2)
> (In reply to Robert Frohl from comment #1)
> > fixes:
> > https://github.com/facebook/zstd/pull/1644/files
>
> My take is that this patch gets superseded by the fix for
> CVE-2021-24032/bsc#1183370

Yep

> > and maybe:
> > https://github.com/facebook/zstd/pull/2525/files
>
> Looks like a good hardening, maybe we can take this one too.

Yes, it looks good to me, but it is not yet merged upstream.
(In reply to Robert Frohl from comment #1)
> fixes:
> https://github.com/facebook/zstd/pull/1644/files

We already have the two commits of PR 1644 that presumably fix CVE-2021-24031. We are only affected by CVE-2021-24032, which says basically that the fixes for CVE-2021-24031 are not enough and one can still exploit a race to access the world-readable destination file.

I suggest closing this bug and continuing on bug 1183370 to backport PR:2495 [1].

Concerning PR:2525 [2], it supersedes PR:2495 and provides a better hardening, but it is not yet reviewed and merged, and it is less trivial to backport. I would leave it and take PR:2495, which fixes both CVE-2021-24031 and CVE-2021-24032, for the moment.

[1] https://github.com/facebook/zstd/pull/2495/files
[2] https://github.com/facebook/zstd/pull/2525/files
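The two file-creation patterns the report and the comment above contrast, as an added example written for this page (it is not zstd's code and is not taken from PR 1644, 2495 or 2525): the permissive pattern creates the destination with the process umask and only copies the source's mode after all data has been written, so a large output sits world-readable for the whole duration of the compression; the hardened pattern creates the destination owner-read/write only (and with O_EXCL, so a pre-existing file or link at that path is refused) and applies the source mode once writing is done, leaving no window in which the temporary mode is wider than the final one. The example assumes a POSIX system with a writable /tmp; `open_dest_permissive`, `open_dest_restricted`, `fd_mode_bits`, `apply_source_mode` and `demo` are names chosen here, the umask of 022 is set explicitly so the observed modes are deterministic, and the "compression" is a plain copy of a constructed payload.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permissive pattern: mode 0666 masked by the umask (0644 under umask 022),
 * i.e. world-readable until the final chmod. */
static int open_dest_permissive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern: owner read/write only from the first byte; O_EXCL makes
 * open() fail instead of reusing a file that already exists at `path`. */
static int open_dest_restricted(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Permission bits of an open descriptor, or -1 on error. */
int fd_mode_bits(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Copy the source file's permission bits onto the (fully written) output. */
int apply_source_mode(int dest_fd, const char *src_path) {
    struct stat st;
    if (stat(src_path, &st) != 0) return -1;
    return fchmod(dest_fd, st.st_mode & 07777);
}

/* Creates a private 0600 source file (constructed input), "compresses" it into
 * <src>.zst with one of the two patterns, and returns the destination's mode
 * bits observed while data is still being written. The mode after the final
 * chmod is stored in *final_mode. Returns -1 on error. */
int demo(int restricted, int *final_mode) {
    char src[] = "/tmp/zstd-mode-demo-XXXXXX";
    const char payload[] = "constructed sample input\n";
    int sfd = mkstemp(src);                  /* mkstemp creates the file 0600 */
    if (sfd < 0) return -1;
    if (write(sfd, payload, sizeof payload - 1) < 0 || fchmod(sfd, 0600) != 0) {
        close(sfd); unlink(src); return -1;
    }
    close(sfd);

    char dst[sizeof src + 4];
    snprintf(dst, sizeof dst, "%s.zst", src);

    mode_t old = umask(022);                 /* fixed umask for a deterministic demo */
    int dfd = restricted ? open_dest_restricted(dst) : open_dest_permissive(dst);
    umask(old);
    if (dfd < 0) { unlink(src); return -1; }

    int mid = fd_mode_bits(dfd);             /* the window the report describes */
    if (write(dfd, payload, sizeof payload - 1) < 0 ||
        apply_source_mode(dfd, src) != 0) {
        close(dfd); unlink(dst); unlink(src); return -1;
    }
    if (final_mode) *final_mode = fd_mode_bits(dfd);
    close(dfd);
    unlink(dst);
    unlink(src);
    return mid;
}

int main(void) {
    int fin;
    printf("permissive: during write %04o, final %04o\n", demo(0, &fin), fin);
    printf("restricted: during write %04o, final %04o\n", demo(1, &fin), fin);
    return 0;
}
```

Both patterns end with the same 0600 final mode, which is why checking only the result after the tool exits does not reveal the problem; the difference is visible only while the output is open, which is exactly where the race noted in the comment above lives. Creating the file restricted from the start removes that window rather than narrowing it.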
SUSE-SU-2021:0948-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1183370,1183371
CVE References: CVE-2021-24031,CVE-2021-24032
JIRA References:
Sources used:
SUSE MicroOS 5.0 (src): zstd-1.4.4-1.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): zstd-1.4.4-1.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0481-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1183370,1183371
CVE References: CVE-2021-24031,CVE-2021-24032
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): zstd-1.4.4-lp152.2.3.1