Étienne Mollier pushed to branch master at Debian Med / libzstd
Commits: 493cea9a by Étienne Mollier at 2021-02-18T09:17:30+01:00 initialize changelog - - - - - 9f3819d8 by Étienne Mollier at 2021-02-18T09:25:52+01:00 add 0018-fix-file-permissions-on-compression.patch - - - - - fc8a0342 by Étienne Mollier at 2021-02-18T09:54:28+01:00 ready to upload to unstable (urgency=high) - - - - - a5dc7a36 by Étienne Mollier at 2021-02-18T10:58:51+01:00 patch header dep3 - - - - - 7ba50761 by Étienne Mollier at 2021-02-18T11:04:41+01:00 clarified log entry - - - - - 3 changed files: - debian/changelog - + debian/patches/0018-fix-file-permissions-on-compression.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,17 @@ +libzstd (1.4.8+dfsg-2) unstable; urgency=high + + * Team upload. + * When a file with restricted permissions is compressed, the resulting file + inherits the umask of the user for the time of the compression. This was + partially mitigated previously by running a change of permissions after a + `chmod`, but left a small but exploitable window just after the `fopen`. + This update adds 0018-fix-file-permissions-on-compression.patch to make + sure the compressed file is not group nor world readable for the _entire_ + duration of the compression. + Closes: #982519 + + -- Étienne Mollier <[email protected]> Thu, 18 Feb 2021 09:52:53 +0100 + libzstd (1.4.8+dfsg-1) unstable; urgency=medium * New upstream version 1.4.8+dfsg, Closes: #977829 ===================================== debian/patches/0018-fix-file-permissions-on-compression.patch ===================================== 
@@ -0,0 +1,81 @@ +Description: fix race condition allowing attackers to access destination file + This commit addresses https://github.com/facebook/zstd/issues/2491. + . + Note that a downside of this solution is that it is global: `umask()` affects + all file creation calls in the process. I believe this is safe since + `fileio.c` functions should only ever be used in the zstd binary, and these + are (almost) the only files ever created by zstd, and AIUI they're only + created in a single thread. So we can get away with messing with global state. + . + Note that this doesn't change the permissions of files created by `dibio.c`. + I'm not sure what those should be... +Author: W. Felix Handte <[email protected]> +Origin: upstream +Bug: https://github.com/facebook/zstd/issues/2491 +Bug-Debian: https://github.com/facebook/zstd/issues/2491 +Applied-Upstream: commit:a774c5797399040af62db21d8a9b9769e005430e +Reviewed-by: Étienne Mollier <[email protected]> +Last-Update: 2021-02-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- libzstd.orig/programs/fileio.c ++++ libzstd/programs/fileio.c +@@ -675,14 +675,11 @@ + FIO_removeFile(dstFileName); + } } + +- { FILE* const f = fopen( dstFileName, "wb" ); ++ { const int old_umask = UTIL_umask(0177); /* u-x,go-rwx */ ++ FILE* const f = fopen( dstFileName, "wb" ); ++ UTIL_umask(old_umask); + if (f == NULL) { + DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno)); +- } else if (srcFileName != NULL +- && strcmp (srcFileName, stdinmark) +- && strcmp(dstFileName, nulmark) ) { +- /* reduce rights on newly created dst file while compression is ongoing */ +- UTIL_chmod(dstFileName, NULL, 00600); + } + return f; + } +--- libzstd.orig/programs/util.c ++++ libzstd/programs/util.c +@@ -159,6 +159,15 @@ + return chmod(filename, permissions); + } + ++int UTIL_umask(int mode) { ++#if PLATFORM_POSIX_VERSION > 0 ++ return umask(mode); ++#else ++ /* do nothing, fake return value */ ++ return mode; ++#endif 
++} ++ + int UTIL_setFileStat(const char *filename, const stat_t *statbuf) + { + int res = 0; +--- libzstd.orig/programs/util.h ++++ libzstd/programs/util.h +@@ -22,7 +22,7 @@ + #include "platform.h" /* PLATFORM_POSIX_VERSION, ZSTD_NANOSLEEP_SUPPORT, ZSTD_SETPRIORITY_SUPPORT */ + #include <stddef.h> /* size_t, ptrdiff_t */ + #include <sys/types.h> /* stat, utime */ +-#include <sys/stat.h> /* stat, chmod */ ++#include <sys/stat.h> /* stat, chmod, umask */ + #include "../lib/common/mem.h" /* U64 */ + + +@@ -152,6 +152,11 @@ + */ + int UTIL_chmod(char const* filename, const stat_t* statbuf, mode_t permissions); + ++/** ++ * Wraps umask(). Does nothing when the platform doesn't have that concept. ++ */ ++int UTIL_umask(int mode); ++ + /* + * In the absence of a pre-existing stat result on the file in question, these + * functions will do a stat() call internally and then use that result to ===================================== debian/patches/series ===================================== @@ -4,3 +4,4 @@ 0014-Reproducible-build.patch 0015-Skip-dev-random-tests-on-hurd.patch 0017-alpha-fbfs-st_mtime.patch +0018-fix-file-permissions-on-compression.patch View it on GitLab: https://salsa.debian.org/med-team/libzstd/-/compare/a4fc318f32484bd45316d80a5b4a87c3f640c293...7ba507613501e6bcc6b8c6c2506d7e198d6ccd30
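Review bot: In the debian/changelog hunk, the sentence "partially mitigated previously by running a change of permissions after a `chmod`" is circular and hides what the earlier mitigation was. The lines removed from fileio.c show it was `UTIL_chmod(dstFileName, NULL, 00600)` issued after the `fopen`, so the entry would read correctly as "by running a `chmod` right after the `fopen`, which left a small window between the two calls". "Inherits the umask of the user" would also be clearer as "is created with the mode allowed by the user's umask".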
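Review bot: In the DEP-3 header of 0018-fix-file-permissions-on-compression.patch, `Bug-Debian:` repeats the upstream GitHub URL already given in `Bug:`. The changelog entry closes #982519, so this field should point at the Debian report instead, for example `Bug-Debian: https://bugs.debian.org/982519`, leaving `Bug:` for the upstream issue.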
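Review bot: In the programs/fileio.c hunk (@@ -675,14 +675,11 @@), the restrictive mask is now applied to every destination, whereas the removed `UTIL_chmod(dstFileName, NULL, 00600)` was skipped when the source was `stdinmark` or the destination was `nulmark`. When the input is stdin there is no source file whose mode could be copied back afterwards, so please confirm that such outputs do not stay at 0600 permanently, or state in the changelog that this is intended. Note also that `umask` only affects the mode of a file that `fopen` creates, so the guarantee relies on any existing destination having been removed first, as the context line `FIO_removeFile(dstFileName);` suggests.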
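Review bot: In the programs/util.c hunk (@@ -159,6 +159,15 @@), the `#else` branch of `UTIL_umask` does nothing, and the same patch deletes the `UTIL_chmod(dstFileName, NULL, 00600)` call from fileio.c without putting anything in its place for that case. On builds where `PLATFORM_POSIX_VERSION` is 0 the destination file therefore loses the restriction it had during compression; consider keeping the chmod as a fallback there, or documenting the limitation. The wrapper also takes and returns `int` where `umask()` works with `mode_t`; using `mode_t` would match the `UTIL_chmod` prototype next to it.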
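Review bot: The doc comment added in programs/util.h (@@ -152,6 +152,11 @@) does not say what `UTIL_umask` returns or how far its effect reaches. The caller in fileio.c depends on the result being the previous mask (`UTIL_umask(old_umask);`), while the fallback returns its own argument; the comment should state both, and that the mask is process-wide, which the patch description already calls out as the main downside.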
_______________________________________________ debian-med-commit mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-med-commit
