CVE-2023-30571

29.05.2023, 20:15

Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.9 LOW	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
mitre	CNA	3.9 LOW	LOCAL	HIGH	LOW	CVSS:3.1/AC:H/AV:L/A:N/C:L/I:L/PR:L/S:C/UI:R
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Vendor	Product	Version
libarchive	libarchive	𝑥 ≤ 3.6.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libarchive

bullseye	unimportant
bullseye (security)	unimportant
bookworm	unimportant
bookworm (security)	unimportant
sid	unimportant
trixie	unimportant

Ubuntu Releases

Ubuntu Product

Codename

libarchive

lunar	ignored
kinetic	ignored
jammy	ignored
focal	ignored
bionic	ignored
xenial	ignored
trusty	ignored

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://github.com/libarchive/libarchive/issues/1876

https://groups.google.com/g/libarchive-announce

https://github.com/libarchive/libarchive/issues/1876

https://groups.google.com/g/libarchive-announce