Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update: libarchive #1054

Closed
vbatts opened this issue Jun 2, 2023 · 1 comment
Closed

update: libarchive #1054

vbatts opened this issue Jun 2, 2023 · 1 comment
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns

Comments

@vbatts
Copy link
Member

vbatts commented Jun 2, 2023
edited by dongsupark
Loading

Name: libarchive
CVEs: CVE-2023-30571
CVSSs: 5.3
Action Needed: TBD

Summary: Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.

See also https://bugzilla.redhat.com/show_bug.cgi?id=2210921, libarchive/libarchive#1876.

refmap.gentoo:
@vbatts vbatts added advisory security advisory security security concerns labels Jun 2, 2023
@dongsupark dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Jun 15, 2023
@dongsupark dongsupark added the cvss/MEDIUM >= 4 && < 7 assessed CVSS label Jun 27, 2023
@dongsupark
Copy link
Member

This issue seems not to be fixed upstream.
See discussions of libarchive/libarchive#1876.
Relevant documentation was already done in libarchive/libarchive#1875.

@github-actions github-actions bot mentioned this issue Nov 10, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vbatts @dongsupark