Package: pxz
Version: 4.999.99~beta3+git659fc9b-2
Tags: security

pxz sets the mode of an output file to be the same as the one of an input file but does it only after compression is over. This leaves the output file with the wrong mode during all the time of the compression process.

Illustration:

$ truncate -s 1G foo

$ chmod 600 foo

$ pxz foo &
[1] 9240

$ ls -l foo.xz
-rw-r--r-- 1 user user 0 Jan 14 00:33 foo.xz

$ wait %
[1]+  Done                    pxz foo

$ ls -l foo.xz
-rw------- 1 user user 161976 Jan 14 00:33 foo.xz

The issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0296 .

--
Alexander Cherepanov
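
The window described in the report, as an added example that is not part of the original message and is not pxz's own code: the first function follows the reported ordering (default-mode create, mode copied at the end), the second creates the output owner-only and applies the source mode only after writing. All function names, the temp path and the payload are hypothetical, and return values of chmod/fchmod are left unchecked for brevity.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Permission bits of path as any other local process sees them right now. */
static int mode_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}
/* Reported pattern: default-mode create, source mode copied only at the end. */
int late_chmod(const char *in, const char *out) {
    struct stat st; FILE *f;
    if (stat(in, &st) != 0 || !(f = fopen(out, "w"))) return -1; /* 0666 & ~umask */
    fputs("constructed payload", f);
    int seen = mode_of(out); /* mode visible while data is being written */
    fclose(f);
    chmod(out, st.st_mode & 07777);
    return seen;
}
/* Hardened: exclusive owner-only create, source mode applied after the write. */
int restrictive_create(const char *in, const char *out) {
    struct stat st;
    int fd = stat(in, &st) == 0 ? open(out, O_WRONLY | O_CREAT | O_EXCL, 0600) : -1;
    if (fd < 0) return -1;
    if (write(fd, "constructed payload", 19) != 19) { close(fd); return -1; }
    int seen = mode_of(out); /* still 0600 here */
    fchmod(fd, st.st_mode & 07777);
    close(fd);
    return seen;
}
/* Runs one variant on a constructed 0600 input in a temp dir, with umask 022. */
int demo(int hardened, int *final_mode) {
    char dir[] = "/tmp/pxzmodeXXXXXX", in[64], out[64];
    umask(022);
    if (!mkdtemp(dir)) return -1;
    snprintf(in, sizeof in, "%s/foo", dir);
    snprintf(out, sizeof out, "%s/foo.xz", dir);
    int fd = open(in, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    int seen = hardened ? restrictive_create(in, out) : late_chmod(in, out);
    *final_mode = mode_of(out);
    unlink(in); unlink(out); rmdir(dir);
    return seen;
}
int main(void) {
    int fin, late = demo(0, &fin), safe = demo(1, &fin);
    printf("during write: late chmod %04o, restrictive create %04o\n", late, safe);
}
```

Both variants end with the same final mode; only the mode observable during the write differs, which is why a check made after the run finishes will not catch the issue.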

