Vulnerabilites related to Facebook - Zstandard
CVE-2019-11922 (GCVE-0-2019-11922)
Vulnerability from cvelistv5
Published
2019-07-25 20:32
Modified
2024-08-04 23:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Out-of-bounds Write (CWE-ID 787)
Summary
A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:29.677Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2019:1845",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html"
},
{
"name": "openSUSE-SU-2019:1952",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html"
},
{
"name": "USN-4108-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4108-1/"
},
{
"name": "openSUSE-SU-2019:2008",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00078.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.facebook.com/security/advisories/cve-2019-11922"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zstandard",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "1.3.8"
},
{
"lessThan": "1.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2019-07-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Out-of-bounds Write (CWE-ID 787)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-20T21:14:56",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"name": "openSUSE-SU-2019:1845",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html"
},
{
"name": "openSUSE-SU-2019:1952",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html"
},
{
"name": "USN-4108-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4108-1/"
},
{
"name": "openSUSE-SU-2019:2008",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00078.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2019-11922"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@fb.com",
"DATE_ASSIGNED": "2019-07-25",
"ID": "CVE-2019-11922",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zstandard",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "1.3.8"
},
{
"version_affected": "\u003c",
"version_value": "1.3.8"
}
]
}
}
]
},
"vendor_name": "Facebook"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Out-of-bounds Write (CWE-ID 787)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2019:1845",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html"
},
{
"name": "openSUSE-SU-2019:1952",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html"
},
{
"name": "USN-4108-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4108-1/"
},
{
"name": "openSUSE-SU-2019:2008",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00078.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://www.facebook.com/security/advisories/cve-2019-11922",
"refsource": "CONFIRM",
"url": "https://www.facebook.com/security/advisories/cve-2019-11922"
},
{
"name": "https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0",
"refsource": "MISC",
"url": "https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2019-11922",
"datePublished": "2019-07-25T20:32:44",
"dateReserved": "2019-05-13T00:00:00",
"dateUpdated": "2024-08-04T23:10:29.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24031 (GCVE-0-2021-24031)
Vulnerability from cvelistv5
Published
2021-03-04 20:15
Modified
2024-08-03 19:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-277 - Insecure Inherited Permissions ()
Summary
In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:17.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/facebook/zstd/issues/1630"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.facebook.com/security/advisories/cve-2021-24031"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zstandard",
"vendor": "Facebook",
"versions": [
{
"lessThan": "unspecified",
"status": "unaffected",
"version": "1.4.1",
"versionType": "custom"
},
{
"lessThan": "1.4.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2021-03-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-277",
"description": "Insecure Inherited Permissions (CWE-277)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-04T20:15:21",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/facebook/zstd/issues/1630"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.facebook.com/security/advisories/cve-2021-24031"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@fb.com",
"DATE_ASSIGNED": "2021-03-01",
"ID": "CVE-2021-24031",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zstandard",
"version": {
"version_data": [
{
"version_affected": "!\u003e=",
"version_value": "1.4.1"
},
{
"version_affected": "\u003c",
"version_value": "1.4.1"
}
]
}
}
]
},
"vendor_name": "Facebook"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Inherited Permissions (CWE-277)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/facebook/zstd/issues/1630",
"refsource": "MISC",
"url": "https://github.com/facebook/zstd/issues/1630"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404"
},
{
"name": "https://www.facebook.com/security/advisories/cve-2021-24031",
"refsource": "MISC",
"url": "https://www.facebook.com/security/advisories/cve-2021-24031"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2021-24031",
"datePublished": "2021-03-04T20:15:21",
"dateReserved": "2021-01-13T00:00:00",
"dateUpdated": "2024-08-03T19:21:17.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24032 (GCVE-0-2021-24032)
Vulnerability from cvelistv5
Published
2021-03-04 20:15
Modified
2024-08-03 19:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-277 - Insecure Inherited Permissions ()
Summary
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:17.115Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/facebook/zstd/issues/2491"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.facebook.com/security/advisories/cve-2021-24032"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zstandard",
"vendor": "Facebook",
"versions": [
{
"lessThan": "unspecified",
"status": "unaffected",
"version": "1.4.9",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.4.1",
"versionType": "custom"
},
{
"lessThan": "1.4.1",
"status": "unaffected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2021-03-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-277",
"description": "Insecure Inherited Permissions (CWE-277)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-04T20:15:21",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/facebook/zstd/issues/2491"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.facebook.com/security/advisories/cve-2021-24032"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@fb.com",
"DATE_ASSIGNED": "2021-03-01",
"ID": "CVE-2021-24032",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zstandard",
"version": {
"version_data": [
{
"version_affected": "!\u003e=",
"version_value": "1.4.9"
},
{
"version_affected": "\u003e=",
"version_value": "1.4.1"
},
{
"version_affected": "!\u003c",
"version_value": "1.4.1"
}
]
}
}
]
},
"vendor_name": "Facebook"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Inherited Permissions (CWE-277)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/facebook/zstd/issues/2491",
"refsource": "MISC",
"url": "https://github.com/facebook/zstd/issues/2491"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519"
},
{
"name": "https://www.facebook.com/security/advisories/cve-2021-24032",
"refsource": "MISC",
"url": "https://www.facebook.com/security/advisories/cve-2021-24032"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2021-24032",
"datePublished": "2021-03-04T20:15:21",
"dateReserved": "2021-01-13T00:00:00",
"dateUpdated": "2024-08-03T19:21:17.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}