1183370 – (CVE-2021-24032) VUL-0: CVE-2021-24032: zstd: Race condition allows attacker to access world-readable destination file

Bug 1183370 (CVE-2021-24032) - VUL-0: CVE-2021-24032: zstd: Race condition allows attacker to access world-readable destination file

Summary: VUL-0: CVE-2021-24032: zstd: Race condition allows attacker to access world-r...

Status:	RESOLVED FIXED

Alias:	CVE-2021-24032

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Ali Abdallah
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/278912/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-24032:6.2:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2021-03-11 10:40 UTC by Robert Frohl
Modified:	2021-08-06 12:36 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Frohl 2021-03-11 10:40:13 UTC

rh#1928090

While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).

References:

https://github.com/facebook/zstd/issues/2491
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
https://github.com/facebook/zstd/issues/1630
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1928090
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24032
https://access.redhat.com/security/cve/CVE-2021-24032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24032
https://github.com/facebook/zstd/issues/2491
https://www.facebook.com/security/advisories/cve-2021-24032
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519

Comment 1 Robert Frohl 2021-03-11 10:53:32 UTC

patch for this one CVE-2021-24032:
https://github.com/facebook/zstd/pull/2495/files

Comment 2 Robert Frohl 2021-03-11 11:34:04 UTC

tracking as affected:

SUSE:SLE-15:Update/zstd

Comment 5 Swamp Workflow Management 2021-03-24 17:16:54 UTC

SUSE-SU-2021:0948-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1183370,1183371
CVE References: CVE-2021-24031,CVE-2021-24032
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    zstd-1.4.4-1.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    zstd-1.4.4-1.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Swamp Workflow Management 2021-03-27 23:17:53 UTC

openSUSE-SU-2021:0481-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1183370,1183371
CVE References: CVE-2021-24031,CVE-2021-24032
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    zstd-1.4.4-lp152.2.3.1