PublicDateAtUSN: 2021-02-20 00:00:00 UTC
Candidate: CVE-2021-24032
PublicDate: 2021-03-04 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24032
 https://ubuntu.com/security/notices/USN-4760-1
Description:
 Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for
 CVE-2021-24031, the Zstandard command-line utility created output files
 with default permissions and restricted those permissions immediately
 afterwards. Output files could therefore momentarily be readable or
 writable to unintended parties.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
 https://github.com/facebook/zstd/issues/2491
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N [4.7 MEDIUM]

Patches_libzstd:
 upstream: https://github.com/felixhandte/zstd/commit/a774c5797399040af62db21d8a9b9769e005430e
upstream_libzstd: released (1.4.8+dfsg-2)
precise/esm_libzstd: DNE
trusty_libzstd: ignored (out of standard support)
trusty/esm_libzstd: DNE
xenial_libzstd: ignored (end of standard support, was needs-triage)
esm-infra/xenial_libzstd: needs-triage
bionic_libzstd: released (1.3.3+dfsg-2ubuntu1.2)
focal_libzstd: released (1.4.4+dfsg-3ubuntu0.1)
groovy_libzstd: released (1.4.5+dfsg-4ubuntu0.1)
hirsute_libzstd: released (1.4.8+dfsg-2build1)
impish_libzstd: released (1.4.8+dfsg-2build1)
jammy_libzstd: released (1.4.8+dfsg-2build1)
devel_libzstd: released (1.4.8+dfsg-2build1)