Étienne Mollier pushed to branch debian/stable at Debian Med / libzstd
Commits: 46c35143 by Étienne Mollier at 2021-02-18T13:02:01+01:00 initialize urgency=high team changelog - - - - - 4ef82959 by Étienne Mollier at 2021-02-18T13:15:34+01:00 replace 0017-fix-file-permissions-on-compression.patch This patch is an adaptation of upstream patch to apply against libzstd 1.3.8 shipped in Buster. It replaces the previous patch which incompletely closed the window of the race condition. - - - - - c50e121d by Étienne Mollier at 2021-02-18T13:19:47+01:00 fix Bug-Debian in DEP3 header - - - - - 6fc2d355 by Étienne Mollier at 2021-02-18T14:05:05+01:00 ready for buster-security upload - - - - - b81054f0 by Étienne Mollier at 2021-02-18T14:14:12+01:00 rm fix-file-permissions-on-compression.patch This patch is replaced by the 0017-fix... so not needed anymore. - - - - - 4 changed files: - debian/changelog - + debian/patches/0017-fix-file-permissions-on-compression.patch - − debian/patches/fix-file-permissions-on-compression.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,14 @@ +libzstd (1.3.8+dfsg-3+deb10u2) buster-security; urgency=high + + * Team upload. + * The previous fix-file-permissions-on-compression.patch almost closed the + window of the race condition, but not completely. This patch, adapted from + upstream, 0017-fix-file-permissions-on-compression.patch, replaces the + previous attempt by erasing the umask before opening the destination file. + Closes: #982519 + + -- Étienne Mollier <[email protected]> Thu, 18 Feb 2021 12:59:48 +0100 + libzstd (1.3.8+dfsg-3+deb10u1) buster-security; urgency=high * Team upload. ===================================== debian/patches/0017-fix-file-permissions-on-compression.patch ===================================== @@ -0,0 +1,65 @@ +Description: fix race condition allowing attackers to access destination file + This commit addresses https://github.com/facebook/zstd/issues/2491. + . + Note that a downside of this solution is that it is global: `umask()` affects + all file creation calls in the process. I believe this is safe since + `fileio.c` functions should only ever be used in the zstd binary, and these + are (almost) the only files ever created by zstd, and AIUI they're only + created in a single thread. So we can get away with messing with global state. + . + Note that this doesn't change the permissions of files created by `dibio.c`. + I'm not sure what those should be... +Author: W. Felix Handte <[email protected]> +Origin: upstream +Bug: https://github.com/facebook/zstd/issues/2491 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519 +Applied-Upstream: commit:a774c5797399040af62db21d8a9b9769e005430e +Reviewed-by: Étienne Mollier <[email protected]> +Last-Update: 2021-02-18 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- libzstd.orig/programs/fileio.c ++++ libzstd/programs/fileio.c +@@ -481,7 +481,9 @@ + FIO_remove(dstFileName); + } } + +- { FILE* const f = fopen( dstFileName, "wb" ); ++ { const int old_umask = UTIL_umask(0177); /* u-x,go-rwx */ ++ FILE* const f = fopen( dstFileName, "wb" ); ++ UTIL_umask(old_umask); + if (f == NULL) + DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno)); + return f; +--- libzstd.orig/programs/util.c ++++ libzstd/programs/util.c +@@ -51,6 +51,15 @@ + return 1; + } + ++int UTIL_umask(int mode) { ++#if PLATFORM_POSIX_VERSION > 0 ++ return umask(mode); ++#else ++ /* do nothing, fake return value */ ++ return mode; ++#endif ++} ++ + int UTIL_setFileStat(const char *filename, stat_t *statbuf) + { + int res = 0; +--- libzstd.orig/programs/util.h ++++ libzstd/programs/util.h +@@ -181,6 +181,11 @@ + + U64 UTIL_getTotalFileSize(const char* const * const fileNamesTable, unsigned nbFiles); + ++/** ++ * Wraps umask(). Does nothing when the platform doesn't have that concept. ++ */ ++int UTIL_umask(int mode); ++ + /* + * A modified version of realloc(). + * If UTIL_realloc() fails the original block is freed. ===================================== debian/patches/fix-file-permissions-on-compression.patch deleted ===================================== @@ -1,18 +0,0 @@ ---- libzstd.orig/programs/fileio.c -+++ libzstd/programs/fileio.c -@@ -482,8 +482,14 @@ - } } - - { FILE* const f = fopen( dstFileName, "wb" ); -- if (f == NULL) -+ if (f == NULL) { - DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno)); -+ } else if (srcFileName != NULL -+ && strcmp (srcFileName, stdinmark) -+ && strcmp(dstFileName, nulmark) ) { -+ /* reduce rights on newly created dst file while compression is ongoing */ -+ chmod(dstFileName, 00600); -+ } - return f; - } - } ===================================== debian/patches/series ===================================== @@ -4,4 +4,4 @@ 0014-Reproducible-build.patch 0015-Skip-dev-random-tests-on-hurd.patch 0016-fix-zstdgrep-exit-code.patch -fix-file-permissions-on-compression.patch +0017-fix-file-permissions-on-compression.patch View it on GitLab: https://salsa.debian.org/med-team/libzstd/-/compare/9ecfe50cfaaa071aef968ad7b7e115fab4f8e704...b81054f003d79cff3808932665ee97ec84e443da -- View it on GitLab: https://salsa.debian.org/med-team/libzstd/-/compare/9ecfe50cfaaa071aef968ad7b7e115fab4f8e704...b81054f003d79cff3808932665ee97ec84e443da You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-med-commit mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-med-commit
