On Thu, Feb 11, 2021 at 08:33:58AM +0100, Sebastien Delafond wrote:
> Package: zstd
> Version: 1.4.8+dfsg-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: t...@security.debian.org
>
> The recently applied patch still creates the file with the default
> umask[0], before chmod'ing down to 0600, so an attacker could still open
> it in the meantime.

FTR, this has been fixed upstream.

https://github.com/facebook/zstd/commit/a774c5797399040af62db21d8a9b9769e005430e

Regards,
Salvatore
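
The ordering problem described in the report, next to creation with the mode passed to open() itself, as an added C example that is not zstd's code or the upstream fix. The function names, the /tmp scratch directory and the umask of 022 are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of an open descriptor, or -1 on error. */
static int fd_mode(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Reported pattern: create with default mode, chmod later; returns the mode seen in between. */
int create_then_chmod(const char *path) {
    FILE *f = fopen(path, "wb");          /* created as 0666 & ~umask */
    if (!f) return -1;
    int window_mode = fd_mode(fileno(f)); /* visible to other local users */
    chmod(path, 0600);                    /* does not revoke earlier opens */
    fclose(f);
    return window_mode;
}

/* Mode is part of the creating open(); O_EXCL refuses an existing path. Returns mode at creation. */
int create_private(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    int mode = fd_mode(fd);
    close(fd);
    return mode;
}

/* Constructed setup: umask 022 and a fresh scratch directory under /tmp. */
int demo(int hardened) {
    char dir[] = "/tmp/umask-demo-XXXXXX", path[64];
    mode_t old = umask(022);
    int mode = -1;
    if (mkdtemp(dir)) {
        snprintf(path, sizeof path, "%s/out.zst", dir);
        mode = hardened ? create_private(path) : create_then_chmod(path);
        unlink(path);
        rmdir(dir);
    }
    umask(old);
    return mode;
}
int main(void) {
    return printf("fopen+chmod window %04o, open(0600) %04o\n", demo(0), demo(1)) < 0;
}
```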