libzstd.git
4 years ago: fix race condition allowing attackers to access destination file
W. Felix Handte [Thu, 18 Feb 2021 11:59:48 +0000 (11:59 +0000)]
fix race condition allowing attackers to access destination file

Origin: upstream
Bug: https://github.com/facebook/zstd/issues/2491
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
Applied-Upstream: commit:a774c5797399040af62db21d8a9b9769e005430e
Reviewed-by: Étienne Mollier <etienne.mollier@mailoo.org>
Last-Update: 2021-02-18

This commit addresses https://github.com/facebook/zstd/issues/2491.

Note that a downside of this solution is that it is global: `umask()` affects
all file creation calls in the process. I believe this is safe since
`fileio.c` functions should only ever be used in the zstd binary, and these
are (almost) the only files ever created by zstd, and AIUI they're only
created in a single thread. So we can get away with messing with global state.

Note that this doesn't change the permissions of files created by `dibio.c`.
I'm not sure what those should be...
Last-Update: 2021-02-18
Gbp-Pq: Name 0017-fix-file-permissions-on-compression.patch
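
The trade-off this commit message describes, as an added example that is not code from the patch or from zstd: creating a file and restricting it afterwards leaves a window, a `umask()` bracket closes it at the cost of touching process-wide state, and `open(2)` with an explicit mode avoids the global change. The function names, the scratch file name, the 0177 mask and the use of `fopen()` are assumptions of this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

static int mode_of(const char *path) {    /* permission bits, -1 on error */
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Create-then-restrict: returns the mode visible between fopen() and chmod(). */
static int create_then_chmod(const char *path) {
    unlink(path);
    FILE *f = fopen(path, "wb");           /* created as 0666 & ~umask */
    if (!f) return -1;
    int window = mode_of(path);            /* what other users see meanwhile */
    chmod(path, 0600);                     /* narrows access only afterwards */
    fclose(f);
    return window;
}

/* umask bracket: 0600 from creation on; the mask (0177 here) is process-wide. */
static int create_with_umask(const char *path) {
    unlink(path);
    mode_t old = umask(0177);
    FILE *f = fopen(path, "wb");           /* created as 0666 & ~0177 = 0600 */
    umask(old);                            /* restore the global state */
    if (!f) return -1;
    int m = mode_of(path);
    fclose(f);
    return m;
}

/* Per-call alternative (not the patch's approach): the mode goes to open(2). */
static int create_with_open(const char *path) {
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600); /* no global state */
    if (fd < 0) return -1;
    int m = mode_of(path);
    close(fd);
    return m;
}

int main(void) {
    const char *p = "umask_demo.tmp";      /* constructed scratch file name */
    printf("window %04o, umask %04o, open %04o\n", create_then_chmod(p),
           create_with_umask(p), create_with_open(p));
    return unlink(p);
}
```

With the common umask of 022, the first function reports 0644 for the window while the other two report 0600.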

4 years ago: Fix zstdgrep exit code when operating on files
Jörg-Volker Peetz [Thu, 18 Feb 2021 11:59:48 +0000 (11:59 +0000)]
Fix zstdgrep exit code when operating on files

Forwarded: https://github.com/facebook/zstd/issues/1428

Gbp-Pq: Name 0016-fix-zstdgrep-exit-code.patch

4 years ago: Skip test failing on GNU/Hurd when writing on /dev/zero or
Alex Mestiashvili [Thu, 18 Feb 2021 11:59:48 +0000 (11:59 +0000)]
Skip test failing on GNU/Hurd when writing on /dev/zero or

/dev/random. On different GNU/Hurd installations writing to either one or
another would fail. Currently writing to /dev/random results in the message
"Computer bought the farm" and exit status 1.
See also: https://github.com/facebook/zstd/issues/1116

Gbp-Pq: Name 0015-Skip-dev-random-tests-on-hurd.patch

4 years ago: Make the build reproducible
Chris Lamb [Thu, 18 Feb 2021 11:59:48 +0000 (11:59 +0000)]
Make the build reproducible

Last-Update: 2018-05-04
Applied-Upstream: https://github.com/facebook/zstd/commit/ef1abd3c071ce42a457404ee2bca6d5bebb87f62

Gbp-Pq: Name 0014-Reproducible-build.patch

4 years ago: Skip memory heavy tests causing FTBFS on mips(el) and hurd buildds
Alex Mestiashvili [Thu, 18 Feb 2021 11:59:48 +0000 (11:59 +0000)]
Skip memory heavy tests causing FTBFS on mips(el) and hurd buildds

Gbp-Pq: Name 0013-skip-memory-greedy-tests.patch

4 years ago: Do not build zlibWrapper examples against embedded code copies.
Sascha Steinbiss [Thu, 18 Feb 2021 11:59:48 +0000 (11:59 +0000)]
Do not build zlibWrapper examples against embedded code copies.

Gbp-Pq: Name 0008-Address-embedded-zlib.patch

4 years ago: Use bash for test script portability
Kevin Murray [Mon, 14 Nov 2016 00:54:32 +0000 (11:54 +1100)]
Use bash for test script portability

Gbp-Pq: Name 0006-Use-bash-for-test-script-portablitity.patch

4 years ago: libzstd (1.3.8+dfsg-3+deb10u2) buster-security; urgency=high
Étienne Mollier [Thu, 18 Feb 2021 11:59:48 +0000 (11:59 +0000)]
libzstd (1.3.8+dfsg-3+deb10u2) buster-security; urgency=high

  * Team upload.
  * The previous fix-file-permissions-on-compression.patch almost closed the
    window of the race condition, but not completely.  This patch, adapted from
    upstream, 0017-fix-file-permissions-on-compression.patch, replaces the
    previous attempt by erasing the umask before opening the destination file.
Closes: #982519
[dgit import unpatched libzstd 1.3.8+dfsg-3+deb10u2]

4 years ago: Import libzstd_1.3.8+dfsg-3+deb10u2.debian.tar.xz
Étienne Mollier [Thu, 18 Feb 2021 11:59:48 +0000 (11:59 +0000)]
Import libzstd_1.3.8+dfsg-3+deb10u2.debian.tar.xz

[dgit import tarball libzstd 1.3.8+dfsg-3+deb10u2 libzstd_1.3.8+dfsg-3+deb10u2.debian.tar.xz]

7 years ago: Import libzstd_1.3.8+dfsg.orig.tar.xz
Alexandre Mestiashvili [Mon, 31 Dec 2018 14:19:12 +0000 (14:19 +0000)]
Import libzstd_1.3.8+dfsg.orig.tar.xz

[dgit import orig libzstd_1.3.8+dfsg.orig.tar.xz]