Debian has issued an advisory on February 10: https://www.debian.org/security/2021/dsa-4850
There is discussion of the issue and fix in the Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404
Debian has issued an advisory on February 20: https://www.debian.org/security/2021/dsa-4859
The initial fix, both upstream and in Debian, was insufficient, so Mageia 8 is also affected.
Status comment: (none) => Patches available from upstream and Debian
Summary: zstd creates compressed files with incorrect permissions (bdo#981404) => zstd creates compressed files with incorrect permissions (bdo#981404, bdo#982519)
Version: 7 => 8
Whiteboard: (none) => MGA7TOO
Thierry looks the best person for this.
Assignee: bugsquad => thierry.vignaud
There are CVEs for this. Ubuntu has issued an advisory for this on March 8: https://ubuntu.com/security/notices/USN-4760-1
Summary: zstd creates compressed files with incorrect permissions (bdo#981404, bdo#982519) => zstd creates compressed files with incorrect permissions (CVE-2021-2403[12])
Severity: normal => major
CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => pkg-bugs
Advisory (Mageia 7):
========================
Updated zstd packages fix security vulnerability:

In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties (CVE-2021-24031).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24031
https://ubuntu.com/security/notices/USN-4760-1

Advisory (Mageia 8):
========================
Updated zstd packages fix security vulnerability:

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties (CVE-2021-24032).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24032
https://ubuntu.com/security/notices/USN-4760-1

========================
Updated packages in core/updates_testing:
========================
zstd-1.4.0-1.1.mga7
libzstd1-1.4.0-1.1.mga7
libzstd-devel-1.4.0-1.1.mga7
zstd-1.4.8-1.1.mga8
lib64zstd1-1.4.8-1.1.mga8
lib64zstd-devel-1.4.8-1.1.mga8

from SRPMS:
zstd-1.4.0-1.1.mga7.src.rpm
zstd-1.4.8-1.1.mga8.src.rpm
Status comment: Patches available from upstream and Debian => (none)
Assignee: pkg-bugs => qa-bugs
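The two advisories above describe the same defect twice: before v1.4.1 the output file was created with default permissions and only chmod'ed at the end, and the v1.4.1 fix merely moved the chmod to right after creation, which still leaves a window in which the file exists with wider permissions than the input. The following is an added example, not code from this bug report or from the zstd project, that reproduces that pattern in miniature next to a hardened variant (input permission bits passed to open(2), then fchmod on the descriptor, so the file never exists with broader bits than its final ones); the function names, the scratch directory and the 0600 input file are constructed for the demonstration, and the hardened variant is one correct pattern, not a claim about what upstream's fix looks like.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern A (the behaviour the Mageia 7 advisory describes): the output is
 * created with default permissions (0666 masked by the umask) and the input's
 * bits are copied only after the write completes. Reports the mode the file
 * had while it was being written. */
static int compress_like_old_zstd(const char *in_path, const char *out_path,
                                  mode_t *mode_during_write)
{
    struct stat in_st, out_st;
    if (stat(in_path, &in_st) != 0) return -1;
    FILE *out = fopen(out_path, "wb");            /* default mode: 0666 & ~umask */
    if (out == NULL) return -1;
    if (fstat(fileno(out), &out_st) != 0) { fclose(out); return -1; }
    *mode_during_write = out_st.st_mode & 0777;   /* what other users see now */
    fputs("compressed-bytes-placeholder\n", out); /* stand-in for the payload */
    fclose(out);
    return chmod(out_path, in_st.st_mode & 0777); /* fixed only at completion */
}

/* Pattern B (hardened): the input's permission bits go into open(2) itself,
 * so the file never exists with broader bits than the final ones; fchmod on
 * the descriptor then restores bits the umask may have removed. O_EXCL also
 * refuses to follow a pre-existing file or link at the output path. */
static int compress_hardened(const char *in_path, const char *out_path,
                             mode_t *mode_during_write)
{
    struct stat in_st, out_st;
    if (stat(in_path, &in_st) != 0) return -1;
    int fd = open(out_path, O_WRONLY | O_CREAT | O_EXCL, in_st.st_mode & 0777);
    if (fd < 0) return -1;
    if (fchmod(fd, in_st.st_mode & 0777) != 0) { close(fd); return -1; }
    if (fstat(fd, &out_st) != 0) { close(fd); return -1; }
    *mode_during_write = out_st.st_mode & 0777;
    const char payload[] = "compressed-bytes-placeholder\n";
    if (write(fd, payload, sizeof payload - 1) < 0) { close(fd); return -1; }
    return close(fd);
}

/* Harness: fresh scratch directory, a private (0600) input file, umask 022.
 * Returns the mode the output had while being written, or (mode_t)-1 on error. */
static mode_t observed_mode(int (*fn)(const char *, const char *, mode_t *))
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[256], in_path[512], out_path[512];
    snprintf(dir, sizeof dir, "%s/zstdperm-XXXXXX", base);  /* constructed path */
    if (mkdtemp(dir) == NULL) return (mode_t)-1;
    snprintf(in_path, sizeof in_path, "%s/secret.txt", dir);
    snprintf(out_path, sizeof out_path, "%s/secret.txt.zst", dir);
    mode_t m = (mode_t)-1;
    mode_t old = umask(022);
    int in_fd = open(in_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (!(in_fd >= 0 && write(in_fd, "hello\n", 6) == 6 && close(in_fd) == 0
          && fn(in_path, out_path, &m) == 0))
        m = (mode_t)-1;
    umask(old);
    unlink(out_path); unlink(in_path); rmdir(dir);
    return m;
}

mode_t mode_with_old_behaviour(void)      { return observed_mode(compress_like_old_zstd); }
mode_t mode_with_hardened_behaviour(void) { return observed_mode(compress_hardened); }

int main(void)
{
    printf("old pattern: output visible as %04o while being written\n",
           (unsigned)mode_with_old_behaviour());
    printf("hardened:    output visible as %04o while being written\n",
           (unsigned)mode_with_hardened_behaviour());
    return 0;
}
```

With a 0600 input and the usual 022 umask the old pattern leaves the output world-readable (0644) for the whole duration of the write, which is the window both CVEs describe; the hardened pattern shows 0600 from the first instant the file exists. Moving the chmod earlier, as the v1.4.1 fix did, only shrinks that window; choosing the mode at creation removes it.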
Installed and tested without issues. I don't have existing zstd compressed files so I created some and used those to test all zstd* binaries.

Tested:
- compress, decompress, compare;
- single and multithreaded compression;
- zstdcat, zstdgrep, zstdless;
- tested through tar.

$ uname -a
Linux marte 5.10.45-desktop-2.mga7 #1 SMP Sat Jun 19 15:58:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep zstd | sort
lib64zstd1-1.4.0-1.1.mga7
libzstd1-1.4.0-1.1.mga7
zstd-1.4.0-1.1.mga7
CC: (none) => mageia
Since the end-of-support for Mageia 7 is approaching, I'm giving this update an OK for x86_64 based on comment 5.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
rsync uses this library to do zstd compression with --compress=zstd, so I used it to download the VERSION file from my local Cauldron mirror before and after the update.

$ rsync -av --compress=zstd rsync://<servername>/mageia/distrib/cauldron/i586/VERSION .
$ cat VERSION
Mageia 9 Devel-i586-Download 20210707 21:53
$ rm VERSION

Same results before and after. Done on Mageia 8 x86_64.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating.
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-24031, CVE-2021-24032
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0322.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0323.html