zstd adds read permissions to files while being compressed or uncompressed #1630
Comments
It's necessary to grant write access while modifying the file. A solution could be to enforce
This is indeed a good solution.
Setting x00 rights will break applications that are reading from the source...
Mind elaborating? We are only talking about the temporary file that is being written to, and setting said file back to the original's mode. This temporary file isn't intended to be read by anything.
I've overlooked that detail, you are right, it shouldn't be a problem.
Hi,
Would this issue potentially warrant a CVE to be assigned? According to https://cve.mitre.org/cve/request_id.html#cna_participants I guess this would fall into being assigned by the Facebook CNA?
Hi! Also wondering if this would warrant a CVE being assigned. We're considering such at Red Hat. So then we have this new, but related issue. Do you support Red Hat assigning a CVE, or should we treat it as a bug?
@stacifractals I do not think (or let's say suspect) that the Red Hat CNA is allowed to assign CVEs here. I was in contact with MITRE about that and it looks like the Facebook CNA is responsible for assigning CVEs here. We tried to reach out, but have been unsuccessful so far (because one needs a Facebook account to report that). It will for sure need two CVEs: one for the original issue #1630 and one for #2491, as it was an incomplete fix for the former. In case you still consider having Red Hat assign two CVEs, we would at least appreciate having two, given we already released two advisories (https://lists.debian.org/debian-security-announce/2021/msg00031.html and https://lists.debian.org/debian-security-announce/2021/msg00040.html), but then please check with the MITRE CNA. As said, I got a clear indication here that the CVE responsibility lies with the Facebook CNA. Hope this helps.
Hi @stacifractals and @carnil, I'm discussing with folks internally how to get the ball rolling on issuing CVEs for these. I'll provide updates as that proceeds. |
We are preparing a release of Zstandard with #2495 which will go out soon as v1.4.9. We've allocated CVE-2021-24031 for #1630 and CVE-2021-24032 for #2491. |
Thanks so much! I'll update our internal team here. |
Thank you @felixhandte |
Final update on this topic: these CVEs have been published. |
While the final file mode reflects the input file, when compressing or uncompressing the file can temporarily gain greater permissions than the input, potentially leading to security issues (especially if large files are being handled).
Example:
file has mode 600 -> zstd file -> file.zst has mode 644 while compression is happening.
(The same happens with unzstd file.zst and file.)
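As an added illustration (this is not zstd's code, and the file names and contents are constructed), the following Python contrasts the pattern the report describes, where the output is created with the umask-dependent default mode and only corrected after writing, with the approach the thread converges on: create the output owner-only and apply the source's mode only once the data has been written. Both functions return the permission bits observed while writing and after finishing, so the window can be checked rather than inferred.

```python
import os
import stat
import tempfile


def naive_write(src_path, dst_path):
    """Pattern the report describes: the output is created with the process's
    default mode (0666 & ~umask, typically 644) and only set to the source's
    mode after the data has been written. Returns (mode_while_writing, final_mode)."""
    src_mode = stat.S_IMODE(os.stat(src_path).st_mode)
    with open(src_path, "rb") as fin, open(dst_path, "wb") as fout:
        mode_while_writing = stat.S_IMODE(os.fstat(fout.fileno()).st_mode)
        fout.write(fin.read())
    os.chmod(dst_path, src_mode)
    return mode_while_writing, stat.S_IMODE(os.stat(dst_path).st_mode)


def safe_write(src_path, dst_path):
    """Hardened pattern: create the output owner-only (0600) regardless of umask,
    write the data, then apply the source's mode on the open descriptor.
    Returns (mode_while_writing, final_mode)."""
    src_mode = stat.S_IMODE(os.stat(src_path).st_mode)
    # O_EXCL refuses to reuse a pre-existing (possibly attacker-created) file.
    fd = os.open(dst_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        mode_while_writing = stat.S_IMODE(os.fstat(fd).st_mode)
        with open(src_path, "rb") as fin:
            os.write(fd, fin.read())
        # fchmod on the descriptor, not chmod on the path, so the mode change
        # cannot be redirected to another file.
        os.fchmod(fd, src_mode)
        final_mode = stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)
    return mode_while_writing, final_mode


def demo(umask=0o022):
    """Run both patterns on a constructed 0600 source file under the given umask.
    Returns {"naive": (while, final), "safe": (while, final)}."""
    old_umask = os.umask(umask)
    tmpdir = tempfile.mkdtemp()
    try:
        src = os.path.join(tmpdir, "file")
        with open(src, "wb") as f:
            f.write(b"constructed secret payload\n")
        os.chmod(src, 0o600)
        results = {}
        for name, fn in (("naive", naive_write), ("safe", safe_write)):
            results[name] = fn(src, os.path.join(tmpdir, name + ".zst"))
        return results
    finally:
        os.umask(old_umask)
        for entry in os.listdir(tmpdir):
            os.unlink(os.path.join(tmpdir, entry))
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for name, (during, final) in demo().items():
        print(f"{name}: {during:o} while writing, {final:o} after")
```

Under a 022 umask the naive variant shows 644 while writing and 600 afterward, which is exactly the window the report describes; the hardened variant is 600 throughout. A compressor that streams a large file keeps that window open for as long as the write takes, which is why the size of the input matters.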