Libarchive through 3.6.2 can cause directories to have...

Moderate severity Unreviewed Published May 29, 2023 to the GitHub Advisory Database • Updated Apr 11, 2024

Package

No package listed

Affected versions

Unknown

Patched versions

Unknown

Description

Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.

References

Published by the National Vulnerability Database May 29, 2023
Published to the GitHub Advisory Database May 29, 2023
Last updated Apr 11, 2024

Severity

Moderate

EPSS score

0.042%
(5th percentile)

Weaknesses

CVE ID

CVE-2023-30571

GHSA ID

GHSA-cw7x-3mv7-w6xm

Source code

No known source code

Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.
