Bug#981404: Fix seems incomplete

2021-02-11 Thread Salvatore Bonaccorso 
Hi Feri,,

On Thu, Feb 11, 2021 at 11:26:47AM +0100, wf...@niif.hu wrote:
> Hi,
> 
> The patch in this bug report very much shrinks the window of the
> vulnerability, but doesn't close it completely: the file is still
> created with default permissions, then chmodded as a separate step.
> It's hard, but not impossible to still win the race and open the file
> before the chmod, enabling the same attack.  I recommend something like
> 
> fd = open(dstFileName, O_WRONLY|O_CREAT|O_EXCL, 0600);
> if (fd != -1)
> f = fdopen( fd, "wb" );
> if (fd == -1 || f == NULL)
> DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno));
> return f;
> 
> for example.

See #982519 respectively https://github.com/facebook/zstd/issues/2491
upstream.

Regards,
Salvatore

Bug#981404: Fix seems incomplete

2021-02-11 Thread wferi 
Hi,

The patch in this bug report very much shrinks the window of the
vulnerability, but doesn't close it completely: the file is still
created with default permissions, then chmodded as a separate step.
It's hard, but not impossible to still win the race and open the file
before the chmod, enabling the same attack.  I recommend something like

fd = open(dstFileName, O_WRONLY|O_CREAT|O_EXCL, 0600);
if (fd != -1)
f = fdopen( fd, "wb" );
if (fd == -1 || f == NULL)
DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno));
return f;

for example.
-- 
Regards,
Feri