CVE-2021-24032: Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.

Issue: https://github.com/facebook/zstd/issues/2491

Need to stabilize 1.4.9, if suitable.
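Added example (not zstd's own code) contrasting the two creation orders behind this report: creating with the default mode and restricting afterwards, versus passing the restrictive mode to open() itself so no wider mode is ever visible. The demo path and function names are assumptions made here.

```c
/* Added example (not zstd's code): the two file-creation orders behind the
 * description above. Function names and the demo path are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits (user/group/other rwx) currently on path, or -1 on error. */
int file_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Create path under a typical umask of 022 and return the mode an observer
 * could read at the chosen sample point. restrictive_at_open == 0 reproduces
 * the order the CVE describes: request the default 0666 at creation (the file
 * appears as 0644 under umask 022) and chmod to 0600 afterwards; sampling
 * before that chmod shows the exposure window. restrictive_at_open != 0 passes
 * 0600 to open() itself, so there is no window: umask can only clear bits,
 * never widen them. The file is removed before returning. */
int observed_mode(const char *path, int restrictive_at_open, int sample_after_restrict) {
    umask(022);                              /* constructed default for the demo */
    unlink(path);                            /* O_TRUNC alone would keep an old mode */
    mode_t requested = restrictive_at_open ? 0600 : 0666;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, requested);
    if (fd < 0) return -1;
    if (sample_after_restrict && chmod(path, 0600) != 0) {  /* the belated step */
        close(fd);
        unlink(path);
        return -1;
    }
    int mode = file_mode(path);              /* what another user sees right now */
    close(fd);
    unlink(path);
    return mode;
}

int main(void) {
    const char *p = "/tmp/cve-2021-24032-demo.out";  /* constructed path */
    printf("create 0666, sampled before chmod:  %04o\n", (unsigned)observed_mode(p, 0, 0));
    printf("create 0666, sampled after chmod:   %04o\n", (unsigned)observed_mode(p, 0, 1));
    printf("create with 0600 from the start:    %04o\n", (unsigned)observed_mode(p, 1, 0));
    return 0;
}
```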
hppa stable
amd64 done
x86 done
sparc done
ppc done
ppc64 done
arm64 done
s390 stable
arm done
all arches done
Please cleanup
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe4310bcbcacb83aa15d13bb28919e6faea0f44b

commit fe4310bcbcacb83aa15d13bb28919e6faea0f44b
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2021-03-31 08:06:20 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2021-03-31 08:06:37 +0000

    app-arch/zstd: Security cleanup

    Bug: https://bugs.gentoo.org/774258
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

 app-arch/zstd/Manifest                             |   3 -
 app-arch/zstd/files/zstd-1.4.4-make43.patch        |  60 ------
 .../zstd/files/zstd-1.4.4-pkgconfig_libdir.patch   | 215 ---------------------
 app-arch/zstd/files/zstd-1.4.5-fix-uclibc-ng.patch |  28 ---
 app-arch/zstd/zstd-1.4.4-r4.ebuild                 |  75 -------
 app-arch/zstd/zstd-1.4.5.ebuild                    |  73 -------
 app-arch/zstd/zstd-1.4.8-r1.ebuild                 |  69 -------
 7 files changed, 523 deletions(-)
GLSA vote: no.