Bug 28444

Summary: zstd creates compressed files with incorrect permissions (CVE-2021-2403[12])
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: mageia, ouaurelien, sysadmin-bugs, thierry.vignaud
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: zstd-1.4.0-1.mga7.src.rpm
CVE: CVE-2021-24031, CVE-2021-24032
Status comment:

Description David Walser 2021-02-26 16:38:41 CET
Debian has issued an advisory on February 10:
https://www.debian.org/security/2021/dsa-4850

There is discussion of the issue and fix in the Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404
Comment 1 David Walser 2021-02-26 16:44:47 CET
Debian has issued an advisory on February 20:
https://www.debian.org/security/2021/dsa-4859

The initial fix, both upstream and in Debian, was insufficient, so Mageia 8 is also affected.

Status comment: (none) => Patches available from upstream and Debian
Summary: zstd creates compressed files with incorrect permissions (bdo#981404) => zstd creates compressed files with incorrect permissions (bdo#981404, bdo#982519)
Version: 7 => 8
Whiteboard: (none) => MGA7TOO

Comment 2 Lewis Smith 2021-02-27 09:10:43 CET
Thierry looks the best person for this.

Assignee: bugsquad => thierry.vignaud

Comment 3 David Walser 2021-05-28 20:18:36 CEST
There are CVEs for this.

Ubuntu has issued an advisory for this on March 8:
https://ubuntu.com/security/notices/USN-4760-1

Summary: zstd creates compressed files with incorrect permissions (bdo#981404, bdo#982519) => zstd creates compressed files with incorrect permissions (CVE-2021-2403[12])
Severity: normal => major

David Walser 2021-06-22 01:08:40 CEST

CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => pkg-bugs

Comment 4 David Walser 2021-06-27 19:54:17 CEST
Advisory (Mageia 7):
========================

Updated zstd packages fix security vulnerability:

In the Zstandard command-line utility prior to v1.4.1, output files were
created with default permissions. Correct file permissions (matching the input)
would only be set at completion time. Output files could therefore be readable
or writable to unintended parties (CVE-2021-24031).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24031
https://ubuntu.com/security/notices/USN-4760-1


Advisory (Mageia 8):
========================

Updated zstd packages fix security vulnerability:

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for
CVE-2021-24031, the Zstandard command-line utility created output files with
default permissions and restricted those permissions immediately afterwards.
Output files could therefore momentarily be readable or writable to unintended
parties (CVE-2021-24032).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24032
https://ubuntu.com/security/notices/USN-4760-1
========================

Updated packages in core/updates_testing:
========================
zstd-1.4.0-1.1.mga7
libzstd1-1.4.0-1.1.mga7
libzstd-devel-1.4.0-1.1.mga7
zstd-1.4.8-1.1.mga8
lib64zstd1-1.4.8-1.1.mga8
lib64zstd-devel-1.4.8-1.1.mga8

from SRPMS:
zstd-1.4.0-1.1.mga7.src.rpm
zstd-1.4.8-1.1.mga8.src.rpm

Status comment: Patches available from upstream and Debian => (none)
Assignee: pkg-bugs => qa-bugs
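The two advisories above describe the same class of defect twice: an output file that is created with default (umask-derived) permissions and only later tightened, so its contents are briefly visible to other local users. The following is an added example, not code from zstd, Debian or Mageia, that contrasts the create-then-chmod pattern with creating the file already restricted to the owner and widening only once the data is complete. The function names, the `/tmp` path and the fixed umask are assumptions made for the demonstration.

```c
/* Added example (not zstd's own code): contrast the output-file creation
 * pattern described by CVE-2021-24031/24032 with a hardened one, and report
 * the permission bits a file carries immediately after it is created.
 * Function names and the /tmp path are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: the file is created with default
 * permissions (0666 masked by the umask) and the intended mode is applied
 * only afterwards, leaving a window in which other users can read the
 * partially written output.  Returns the mode bits the file had between
 * creation and chmod, or -1 on error. */
static int create_then_chmod(const char *path, mode_t intended)
{
    struct stat st;
    int mode_at_creation;
    FILE *f = fopen(path, "wb");            /* created as 0666 & ~umask */
    if (!f) return -1;
    if (stat(path, &st) != 0) { fclose(f); unlink(path); return -1; }
    mode_at_creation = (int)(st.st_mode & 07777);
    fputs("partial output\n", f);
    fclose(f);
    (void)chmod(path, intended);            /* too late: window already open */
    unlink(path);
    return mode_at_creation;
}

/* Hardened pattern: ask the kernel for owner-only permissions at creation
 * (the umask can only remove bits, never add them), refuse to reuse an
 * existing path with O_EXCL, and widen to the intended mode only after the
 * output is complete.  Returns the mode bits observed right after creation,
 * or -1 on error. */
static int create_restricted(const char *path, mode_t intended)
{
    struct stat st;
    int mode_at_creation;
    const char msg[] = "complete output\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR); /* 0600 */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0) { close(fd); unlink(path); return -1; }
    mode_at_creation = (int)(st.st_mode & 07777);
    if (write(fd, msg, sizeof msg - 1) < 0) { close(fd); unlink(path); return -1; }
    (void)fchmod(fd, intended);             /* data is in place; now widen */
    close(fd);
    unlink(path);
    return mode_at_creation;
}

/* Run one of the creation functions under a known umask so the observed
 * result does not depend on the caller's environment.  Any leftover file
 * at the path is removed first so that O_EXCL can succeed. */
static int mode_under_umask(int (*create)(const char *, mode_t),
                            const char *path, mode_t intended, mode_t mask)
{
    mode_t old = umask(mask);
    int result;
    unlink(path);
    result = create(path, intended);
    umask(old);
    return result;
}

int main(void)
{
    const char *path = "/tmp/zstd-perm-demo.zst";   /* hypothetical path */
    printf("create-then-chmod,      umask 022: %04o\n",
           mode_under_umask(create_then_chmod, path, 0600, 022));
    printf("restricted at creation, umask 022: %04o\n",
           mode_under_umask(create_restricted, path, 0600, 022));
    return 0;
}
```

With a umask of 022 the first pattern briefly leaves the output world-readable (0644) regardless of what mode is applied later, while the second never exposes more than 0600 before the final `fchmod`. The same distinction applies to the CVE-2021-24032 variant: tightening the mode "immediately afterwards" still leaves a window, because the permission bits requested in `open()` are the only ones that take effect atomically with creation.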

Comment 5 PC LX 2021-06-28 12:46:58 CEST
Installed and tested without issues.

I don't have existing zstd compressed files so I created some and used those to test all zstd* binaries.

Tested:
- compress, decompress, compare;
- single and multithreaded compression;
- zstdcat, zstdgrep, zstdless;
- tested through tar.

$ uname -a
Linux marte 5.10.45-desktop-2.mga7 #1 SMP Sat Jun 19 15:58:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep zstd | sort
lib64zstd1-1.4.0-1.1.mga7
libzstd1-1.4.0-1.1.mga7
zstd-1.4.0-1.1.mga7

CC: (none) => mageia

Comment 6 PC LX 2021-06-29 12:38:12 CEST
Since the end-of-support for Mageia 7 is approaching, I'm giving this update an OK for x86_64 based on comment 5.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 7 David Walser 2021-07-08 23:18:32 CEST
rsync uses this library to do zstd compress with --compress=zstd, so I used it to download the VERSION file from my local Cauldron mirror before and after the update.

$ rsync -av --compress=zstd rsync://<servername>/mageia/distrib/cauldron/i586/VERSION .
$ cat VERSION 
Mageia 9 Devel-i586-Download 20210707 21:53
$ rm VERSION

Same results before and after.  Done on Mageia 8 x86_64.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 8 Aurelien Oudelet 2021-07-08 23:36:05 CEST
Validating.

CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-24031, CVE-2021-24032

Comment 9 Mageia Robot 2021-07-09 02:28:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0322.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 Mageia Robot 2021-07-09 02:28:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0323.html