PublicDateAtUSN: 2021-02-10 00:00:00 UTC
Candidate: CVE-2021-24031
PublicDate: 2021-03-04 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24031
 https://ubuntu.com/security/notices/USN-4760-1
Description:
 In the Zstandard command-line utility prior to v1.4.1, output files were
 created with default permissions. The correct file permissions (matching
 the input file) were only applied at completion time, so a partially
 written output file could be readable or writable by unintended parties
 in the meantime.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404
 https://github.com/facebook/zstd/issues/1630
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [5.5 MEDIUM]

Patches_libzstd:
 upstream: https://github.com/facebook/zstd/pull/1644/commits/3968160a916a759c3d3418da533e1b4f8b795343
 upstream: https://github.com/facebook/zstd/pull/1644/commits/af80f6dfacafcc2c916ecd57731107221e1f9986
upstream_libzstd: released (1.4.8+dfsg-1)
precise/esm_libzstd: DNE
trusty_libzstd: ignored (out of standard support)
trusty/esm_libzstd: DNE
xenial_libzstd: ignored (end of standard support, was needs-triage)
esm-infra/xenial_libzstd: needs-triage
bionic_libzstd: released (1.3.3+dfsg-2ubuntu1.2)
focal_libzstd: released (1.4.4+dfsg-3ubuntu0.1)
groovy_libzstd: released (1.4.5+dfsg-4ubuntu0.1)
hirsute_libzstd: not-affected (1.4.8+dfsg-1)
impish_libzstd: not-affected (1.4.8+dfsg-1)
jammy_libzstd: not-affected (1.4.8+dfsg-1)
devel_libzstd: not-affected (1.4.8+dfsg-1)
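The bug class the description names, as an added illustration that is neither zstd's own code nor the upstream patches linked above: an output file created with the process's default mode (0666 masked by umask) and only chmod()'ed to the input's mode once writing finishes, next to the hardened form that creates the file 0600 from the first instant and applies the input mode with fchmod() on the open descriptor. The function names are hypothetical; the demo assumes a writable /tmp (falling back to the current directory), forces umask 022 for the measurement, and uses 0640 as the "input" mode.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits (0777 plus setuid/setgid/sticky) of the file at path,
   or (mode_t)-1 if it cannot be stat'ed. */
static mode_t mode_bits_of(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return (mode_t)-1;
    return st.st_mode & 07777;
}

/* Vulnerable pattern (the shape described in CVE-2021-24031, hypothetical
   code): fopen() creates the output with 0666 & ~umask, so under the usual
   umask 022 the half-written file is world-readable until chmod() runs at
   completion. `during` receives the mode another user would have seen
   mid-write; the return value is the final mode, or (mode_t)-1 on error. */
mode_t write_output_vulnerable(const char *path, mode_t input_mode,
                               const char *data, mode_t *during) {
    FILE *f = fopen(path, "wb");
    if (!f) return (mode_t)-1;
    fwrite(data, 1, strlen(data), f);
    fflush(f);
    *during = mode_bits_of(path);
    fclose(f);
    if (chmod(path, input_mode) != 0) return (mode_t)-1;  /* by path: racy too */
    return mode_bits_of(path);
}

/* Hardened pattern (hypothetical code): open(2) with an explicit 0600 so
   the file is owner-only from the instant it exists; O_EXCL refuses a
   pre-existing file or planted symlink; the input's mode is applied with
   fchmod() on the descriptor rather than by path. */
mode_t write_output_hardened(const char *path, mode_t input_mode,
                             const char *data, mode_t *during) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return (mode_t)-1;
    if (write(fd, data, strlen(data)) < 0) { close(fd); return (mode_t)-1; }
    *during = mode_bits_of(path);
    if (fchmod(fd, input_mode) != 0) { close(fd); return (mode_t)-1; }
    close(fd);
    return mode_bits_of(path);
}

/* Runs one pattern on a fresh scratch path under umask 022 (assumed: a
   writable /tmp, else the current directory) with a 0640 "input" mode.
   Returns the mid-write mode when want_during is set, else the final mode. */
static mode_t run_pattern(int hardened, int want_during) {
    char path[128];
    const char *dir = access("/tmp", W_OK) == 0 ? "/tmp" : ".";
    snprintf(path, sizeof path, "%s/zstd_perm_demo_%ld_%d",
             dir, (long)getpid(), hardened);
    unlink(path);                       /* O_EXCL needs a clean slate */
    mode_t old = umask(022);
    mode_t during = (mode_t)-1;
    mode_t final = hardened
        ? write_output_hardened(path, 0640, "compressed bytes", &during)
        : write_output_vulnerable(path, 0640, "compressed bytes", &during);
    umask(old);
    unlink(path);
    return want_during ? during : final;
}

/* Mode visible while the output is still being written (the exposure window). */
mode_t window_mode(int hardened) { return run_pattern(hardened, 1); }
/* Mode after completion; both patterns end at the input's 0640. */
mode_t final_mode(int hardened)  { return run_pattern(hardened, 0); }

int main(void) {
    printf("vulnerable: mid-write %04o, final %04o\n",
           (unsigned)window_mode(0), (unsigned)final_mode(0));
    printf("hardened:   mid-write %04o, final %04o\n",
           (unsigned)window_mode(1), (unsigned)final_mode(1));
    return 0;
}
```

The final modes are identical, which is why the bug is easy to miss when only checking the result: the difference is the 0644 window in the vulnerable variant, during which the partially written output (and the input it mirrors) is readable by every local user, matching the CVSS vector's local, confidentiality-only impact.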