Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ignore CVE-2023-30571 #8065

Merged
merged 1 commit into from
Jun 20, 2023
Merged

Ignore CVE-2023-30571 #8065

merged 1 commit into from
Jun 20, 2023

Conversation

directionless
Copy link
Member

Fixes: #8049

As discussed in offices today (2023-06-20) we do not think osquery is vulnerable to this. From the description:

Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.

Osquery does not unpack files, so we do not believe this effects us.

Furthermore, there is not yet an upstream fix, and this appears limited to multithreaded environments.

See Also:

@directionless
Ignore CVE-2023-30571
b16f674 
Fixes: osquery#8049

As discussed in offices today (2023-06-20) we do not think osquery
is vulnerable to this. From the description:
> Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.

Osquery does not unpack files, so we do not believe this effects us.

Furthermore, there is not yet an upstream fix, and this appears
limited to multithreaded environments.
@directionless directionless requested review from a team as code owners June 20, 2023 19:13
Smjert
Smjert approved these changes Jun 20, 2023
View reviewed changes
Copy link
Member

@Smjert Smjert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@Smjert Smjert added libraries For things referring to osquery third party libraries security cve labels Jun 20, 2023
@directionless directionless merged commit 2e34958 into osquery:master Jun 20, 2023
16 checks passed
@directionless directionless deleted the seph/ignore-CVE-2023-30571 branch June 20, 2023 21:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Smjert Smjert Smjert approved these changes

Assignees
No one assigned
Labels
cve libraries For things referring to osquery third party libraries security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Library libarchive has vulnerability CVE-2023-30571
2 participants
@directionless @Smjert