Bug 6952 - [Anolis OS 23] Bugfix for CVE-2023-30571
Summary: [Anolis OS 23] Bugfix for CVE-2023-30571
Status: RESOLVED FIXED
Alias: None
Product: Anolis OS 23
Classification: Anolis OS
Component: BaseOS Packages
Version: unspecified
Hardware: All Linux
: P3-Medium S3-normal
Target Milestone: ---
Assignee: happy_orange
QA Contact: bolong_tbl
URL:
Whiteboard:
Keywords: CVE
Depends on:
Blocks:
 
Reported: 2023-10-19 15:32 UTC by 小龙
Modified: 2023-10-23 16:56 UTC

See Also:


Description 小龙 admin 2023-10-19 15:32:49 UTC
Description:
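Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call in archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.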

Broken commit info:

Bugfix commit info:
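
The race in the description above, replayed deterministically in one thread as an added C example (not part of this bug report and not libarchive's code): two threads each run a read-then-restore `umask()` idiom, and the second thread's read lands inside the first thread's window. The function names and the `/tmp` scratch path are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Replays in one thread the interleaving of two threads A and B that both run
 * the non-atomic "old = umask(0); ...; umask(old);" idiom. Returns the umask
 * left behind; the caller's own umask is put back before returning. */
mode_t replay_interleaving(mode_t start)
{
    mode_t saved = umask(start);  /* known starting umask, e.g. 022 */
    mode_t a_old = umask(0);      /* A reads `start`; process umask is now 0 */
    mode_t b_old = umask(0);      /* B runs inside A's window and reads 0 */
    umask(a_old);                 /* A restores `start` */
    umask(b_old);                 /* B "restores" 0, which now sticks */
    return umask(saved);          /* previous value = what the race left */
}

/* Creates a directory requesting 0777 under the given umask and returns the
 * permission bits it got on disk, or (mode_t)-1 on error. */
mode_t mkdir_mode_under(mode_t mask)
{
    char base[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch path */
    char child[64];
    struct stat st;
    mode_t result = (mode_t)-1;
    if (mkdtemp(base) == NULL)
        return result;
    snprintf(child, sizeof child, "%s/implicit", base);
    mode_t saved = umask(mask);
    if (mkdir(child, 0777) == 0 && stat(child, &st) == 0)
        result = st.st_mode & 0777;
    umask(saved);
    rmdir(child);
    rmdir(base);
    return result;
}

int main(void)
{
    mode_t left = replay_interleaving(022);
    printf("umask after interleaving: %03o\n", (unsigned)left);
    printf("implicit dir mode under it: %03o\n", (unsigned)mkdir_mode_under(left));
    return 0;
}
```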