Bug 536574 - app-arch/pxz: race condition in setting permissions on output file (CVE-2015-1200)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~4 [noglsa]
Reported: 2015-01-14 10:42 UTC by Agostino Sarubbo
Modified: 2022-10-28 08:26 UTC
Description Agostino Sarubbo gentoo-dev 2015-01-14 10:42:58 UTC
From ${URL} :

It was reported [1] that pxz sets the mode of an output file to be the same as the one of an input 
file but does it only after compression is over. This leaves the output file with the wrong mode 
during all the time of the compression process.

Illustration:

$ truncate -s 1G foo
$ chmod 600 foo
$ pxz foo &
[1] 9240
$ ls -l foo.xz
-rw-r--r-- 1 user user 0 Jan 14 00:33 foo.xz
$ wait %
[1]+  Done                    pxz foo
$ ls -l foo.xz
-rw------- 1 user user 161976 Jan 14 00:33 foo.xz

The issue is similar to 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0296

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775306


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-02-13 18:08:35 UTC
CVE-2015-1200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1200):
  Race condition in pxz 4.999.99 Beta 3 uses weak file permissions for the
  output file when compressing a file before changing the permission to match
  the original file, which allows local users to bypass the intended access
  restrictions.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-02-26 13:39:10 UTC
app-arch/pxz-5.0_pre20110811 is in tree which mitigates this vulnerability. All vulnerable versions removed.  GLSA Vote: No
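
The permission window described in this report, as an added C example that is not pxz source and not part of the original bug thread: it contrasts creating the output with the umask default and calling chmod after the data is written with creating it owner-only and applying the input's mode before the first write. The helper names, the temp directory, the file names and the stand-in file contents are constructed for illustration.

```c
#define _XOPEN_SOURCE 700 /* POSIX declarations; added example, not pxz source */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static mode_t mode_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}

/* Reported pattern: umask-default creation, chmod only after all writes. */
static mode_t create_then_chmod(const char *in, const char *out) {
    FILE *f = fopen(out, "w");          /* mode is 0666 & ~umask */
    if (!f) return (mode_t)-1;
    mode_t during = mode_of(out);       /* what other local users can see */
    fputs("compressed data\n", f);      /* stands in for a long compression */
    fclose(f);
    if (mode_of(in) != (mode_t)-1) chmod(out, mode_of(in)); /* too late */
    return during;
}

/* Hardened: owner-only exclusive create, input's mode set before any write. */
static mode_t create_restricted(const char *in, const char *out) {
    struct stat st;
    if (stat(in, &st) != 0) return (mode_t)-1;
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return (mode_t)-1;
    if (fchmod(fd, st.st_mode & 0777) != 0) { close(fd); return (mode_t)-1; }
    mode_t during = mode_of(out);
    if (write(fd, "compressed data\n", 16) != 16) during = (mode_t)-1;
    close(fd);
    return during;
}

/* Runs one variant on a mode-0600 input in a fresh temp dir (umask 022). */
static mode_t observe(int hardened) {
    char dir[] = "/tmp/pxz-demo-XXXXXX";   /* constructed location */
    if (!mkdtemp(dir) || chdir(dir) != 0) return (mode_t)-1;
    umask(022);
    close(open("foo", O_WRONLY | O_CREAT, 0600));
    mode_t seen = (hardened ? create_restricted : create_then_chmod)("foo", "foo.xz");
    unlink("foo"); unlink("foo.xz"); if (chdir("/") == 0) rmdir(dir);
    return seen;
}

int main(void) {
    return printf("racy: %04o  hardened: %04o\n", (unsigned)observe(0), (unsigned)observe(1)) < 0;
}
```

`observe()` returns the mode the output file carries while data is still being written, which is the interval the `ls -l foo.xz` in the illustration samples.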