Debian Bug report logs - #982519
zstd: Race condition allows attacker to access world-readable destination file
Reported by: Sebastien Delafond <seb@debian.org>
Date: Thu, 11 Feb 2021 07:36:02 UTC
Severity: grave
Tags: security, upstream
Found in versions libzstd/1.3.8+dfsg-3+deb10u1, libzstd/1.1.2-1, libzstd/1.4.8+dfsg-1
Fixed in versions libzstd/1.4.8+dfsg-2, libzstd/1.3.8+dfsg-3+deb10u2
Done: Étienne Mollier <etienne.mollier@mailoo.org>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/facebook/zstd/issues/2491
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>: Bug#982519; Package zstd. (Thu, 11 Feb 2021 07:36:04 GMT)
Acknowledgement sent to Sebastien Delafond <seb@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Thu, 11 Feb 2021 07:36:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: zstd
Version: 1.4.8+dfsg-1
Severity: grave
Tags: security
X-Debbugs-Cc: team@security.debian.org
The recently applied patch still creates the file with the default
umask[0], before chmod'ing down to 0600, so an attacker could still open
it in the meantime.
Cheers,
--
Seb
[0] https://github.com/facebook/zstd/blob/dev/programs/fileio.c#L682
Added tag(s) upstream. Request was from Sebastien Delafond <seb@debian.org> to control@bugs.debian.org. (Thu, 11 Feb 2021 07:45:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>: Bug#982519; Package zstd. (Thu, 11 Feb 2021 15:57:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Thu, 11 Feb 2021 15:57:06 GMT)
Message #14 received at 982519@bugs.debian.org:
Hi Feri,
On Thu, Feb 11, 2021 at 11:26:47AM +0100, wferi@niif.hu wrote:
> Hi,
>
> The patch in this bug report very much shrinks the window of the
> vulnerability, but doesn't close it completely: the file is still
> created with default permissions, then chmodded as a separate step.
> It's hard, but not impossible to still win the race and open the file
> before the chmod, enabling the same attack. I recommend something like
>
> FILE* f = NULL;   /* initialised so the check below is defined when open() fails */
> int fd = open(dstFileName, O_WRONLY|O_CREAT|O_EXCL, 0600);
> if (fd != -1)
>     f = fdopen( fd, "wb" );
> if (fd == -1 || f == NULL)
>     DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno));
> return f;
>
> for example.
See #982519 respectively https://github.com/facebook/zstd/issues/2491
upstream.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>: Bug#982519; Package zstd. (Thu, 18 Feb 2021 05:21:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Thu, 18 Feb 2021 05:21:03 GMT)
Message #19 received at 982519@bugs.debian.org:
On Thu, Feb 11, 2021 at 08:33:58AM +0100, Sebastien Delafond wrote:
> Package: zstd
> Version: 1.4.8+dfsg-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: team@security.debian.org
>
> The recently applied patch still creates the file with the default
> umask[0], before chmod'ing down to 0600, so an attacker could still open
> it in the meantime.
FTR, this has been fixed upstream.
https://github.com/facebook/zstd/commit/a774c5797399040af62db21d8a9b9769e005430e
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>: Bug#982519; Package zstd. (Thu, 18 Feb 2021 10:39:02 GMT)
Acknowledgement sent to Étienne Mollier <etienne.mollier@mailoo.org>: Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Thu, 18 Feb 2021 10:39:02 GMT)
Message #24 received at 982519@bugs.debian.org:
Control: tag -1 pending
Hi Sébastien, Hi Salvatore,
Salvatore Bonaccorso, on 2021-02-18 06:19:29 +0100:
> FTR, this has been fixed upstream.
Thanks for the ping, I inlined the upstream patch in the next iteration
of libzstd: 1.4.8+dfsg-2. Upload will occur with urgency=high.
Changes are available on Salsa:
https://salsa.debian.org/med-team/libzstd
This package will need a sponsored upload (unless Nilesh did grant
me upload permissions. :)
Have a nice day,
--
Étienne Mollier <etienne.mollier@mailoo.org>
Fingerprint: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
Sent from /dev/pts/1, please excuse my verbosity.
Added tag(s) pending. Request was from Étienne Mollier <etienne.mollier@mailoo.org> to 982519-submit@bugs.debian.org. (Thu, 18 Feb 2021 10:39:02 GMT)
Marked as found in versions libzstd/1.3.8+dfsg-3+deb10u1. Request was from Étienne Mollier <etienne.mollier@mailoo.org> to control@bugs.debian.org. (Thu, 18 Feb 2021 10:51:05 GMT)
Marked as found in versions libzstd/1.1.2-1. Request was from Étienne Mollier <etienne.mollier@mailoo.org> to control@bugs.debian.org. (Thu, 18 Feb 2021 10:51:06 GMT)
Reply sent to Étienne Mollier <etienne.mollier@mailoo.org>: You have taken responsibility. (Thu, 18 Feb 2021 11:21:06 GMT)
Notification sent to Sebastien Delafond <seb@debian.org>: Bug acknowledged by developer. (Thu, 18 Feb 2021 11:21:06 GMT)
Message #35 received at 982519-close@bugs.debian.org:
Source: libzstd
Source-Version: 1.4.8+dfsg-2
Done: Étienne Mollier <etienne.mollier@mailoo.org>
We believe that the bug you reported is fixed in the latest version of
libzstd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 982519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Étienne Mollier <etienne.mollier@mailoo.org> (supplier of updated libzstd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 18 Feb 2021 09:52:53 +0100
Source: libzstd
Architecture: source
Version: 1.4.8+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Étienne Mollier <etienne.mollier@mailoo.org>
Closes: 982519
Changes:
libzstd (1.4.8+dfsg-2) unstable; urgency=high
.
* Team upload.
* When a file with restricted permissions is compressed, the resulting file
inherits the umask of the user for the time of the compression. This was
partially mitigated previously by running a change of permissions after a
`chmod`, but left a small but exploitable window just after the `fopen`.
This update adds 0018-fix-file-permissions-on-compression.patch to make
sure the compressed file is not group nor world readable for the _entire_
duration of the compression.
Closes: #982519
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>: Bug#982519; Package zstd. (Thu, 18 Feb 2021 18:27:03 GMT)
Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>: Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Thu, 18 Feb 2021 18:27:03 GMT)
Message #40 received at 982519@bugs.debian.org:
On Thu, 18 Feb 2021, Salvatore Bonaccorso wrote:
> On Thu, Feb 11, 2021 at 08:33:58AM +0100, Sebastien Delafond wrote:
> > The recently applied patch still creates the file with the default
> > umask[0], before chmod'ing down to 0600, so an attacker could still open
> > it in the meantime.
>
> FTR, this has been fixed upstream.
>
> https://github.com/facebook/zstd/commit/a774c5797399040af62db21d8a9b9769e005430e
| Note that a downside of this solution is that it is global: `umask()` affects
| all file creation calls in the process. I believe this is safe since
| […] thread […]
Why don’t you use a nōn-global solution then?
Instead of fopen(…) do an open(…, 0600) followed by fdopen().
bye,
//mirabilos
--
Sometimes they [people] care too much: pretty printers [and syntax highlighting,
d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font. -- Rob Pike in "Notes on Programming in C"
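The non-global fix proposed in wferi's snippet earlier in this log and again in the message above (open(2) with an explicit 0600 mode, then fdopen), as an added example that is neither zstd's code nor from the thread. open_dst_restricted, fd_is_private, run_demo and the /tmp path are hypothetical names and constructed input:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical drop-in for fopen(dstFileName, "wb") in a FIO_openDstFile-style
 * helper: open(2) applies mode 0600 atomically at creation (the umask can only
 * clear bits, never add group/other ones) and O_EXCL refuses an existing path. */
static FILE *open_dst_restricted(const char *dstFileName)
{
    int fd = open(dstFileName, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return NULL;                /* errno set by open(), e.g. EEXIST */
    FILE *f = fdopen(fd, "wb");
    if (f == NULL)
        close(fd);                  /* fdopen failed (e.g. ENOMEM); errno set */
    return f;
}

/* Check on the open descriptor, not the path, that no group/other bit is set. */
static int fd_is_private(FILE *f)
{
    struct stat st;
    return fstat(fileno(f), &st) == 0 && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Exercise the helper on a constructed path. Bit 1: created, bit 2: private
 * from the first instant, bit 4: a second create on the same path gets EEXIST. */
static int run_demo(const char *path)
{
    int result = 0;
    unlink(path);                   /* start from a clean slate */
    FILE *f = open_dst_restricted(path);
    if (f == NULL)
        return 0;
    result |= 1 | (fd_is_private(f) ? 2 : 0);
    if (open_dst_restricted(path) == NULL && errno == EEXIST)
        result |= 4;
    fclose(f);
    unlink(path);
    return result;
}

int main(void)
{
    int r = run_demo("/tmp/zstd-dst-example.zst");   /* constructed path */
    printf("created=%d private=%d exclusive=%d\n", r & 1, !!(r & 2), !!(r & 4));
    return r == 7 ? 0 : 1;
}
```

Because the mode is fixed at creation there is no window in which a chmod has not yet happened, and the check is done with fstat on the descriptor so it cannot be fooled by a path swap.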
Reply sent to Étienne Mollier <etienne.mollier@mailoo.org>: You have taken responsibility. (Wed, 24 Feb 2021 17:36:12 GMT)
Notification sent to Sebastien Delafond <seb@debian.org>: Bug acknowledged by developer. (Wed, 24 Feb 2021 17:36:12 GMT)
Message #45 received at 982519-close@bugs.debian.org:
Source: libzstd
Source-Version: 1.3.8+dfsg-3+deb10u2
Done: Étienne Mollier <etienne.mollier@mailoo.org>
We believe that the bug you reported is fixed in the latest version of
libzstd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 982519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Étienne Mollier <etienne.mollier@mailoo.org> (supplier of updated libzstd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 18 Feb 2021 12:59:48 +0100
Source: libzstd
Architecture: source
Version: 1.3.8+dfsg-3+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Étienne Mollier <etienne.mollier@mailoo.org>
Closes: 982519
Changes:
libzstd (1.3.8+dfsg-3+deb10u2) buster-security; urgency=high
.
* Team upload.
* The previous fix-file-permissions-on-compression.patch almost closed the
window of the race condition, but not completely. This patch, adapted from
upstream, 0017-fix-file-permissions-on-compression.patch, replaces the
previous attempt by erasing the umask before opening the destination file.
Closes: #982519
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Mar 2021 07:26:04 GMT)
Last modified: Sun Oct 8 03:05:42 2023