Format: 1.8
Date: Thu, 18 Feb 2021 09:52:53 +0100
Source: libzstd
Architecture: source
Version: 1.4.8+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Étienne Mollier <etienne.mollier@mailoo.org>
Closes: 982519
Changes:
 libzstd (1.4.8+dfsg-2) unstable; urgency=high
 .
   * Team upload.
   * When a file with restricted permissions is compressed, the resulting
     file inherits the umask of the user for the time of the compression.
     This was partially mitigated previously by running a change of
     permissions after a `chmod`, but left a small but exploitable window
     just after the `fopen`.  This update adds
     0018-fix-file-permissions-on-compression.patch to make sure the
     compressed file is not group nor world readable for the _entire_
     duration of the compression.
     Closes: #982519
Checksums-Sha1:
 c03852712749e44d07c52073b0862c74fc536326 2266 libzstd_1.4.8+dfsg-2.dsc
 7ddd022f263593fd1420a20b726988fc4177e566 14644 libzstd_1.4.8+dfsg-2.debian.tar.xz
 3446d20b07dc6f52cfcb4a3abf9b4d7c84c1d104 7398 libzstd_1.4.8+dfsg-2_amd64.buildinfo
Checksums-Sha256:
 956bf60dc6f33a2a1deac7b0323d31e409fa8833f0fad423cede60a96ce73317 2266 libzstd_1.4.8+dfsg-2.dsc
 67cb0e652e9b6f543640b82ff5a5e94460d8e107521af7518e06477aa4df0822 14644 libzstd_1.4.8+dfsg-2.debian.tar.xz
 2bc235602530e434b8811d4732197c1e6878bdfee58e4872f39e1b3936b5595c 7398 libzstd_1.4.8+dfsg-2_amd64.buildinfo
Files:
 c4b5c38975d04467ae5b9b564770a6bf 2266 libs optional libzstd_1.4.8+dfsg-2.dsc
 908f01d234189534d8661d8a2c2f77c1 14644 libs optional libzstd_1.4.8+dfsg-2.debian.tar.xz
 afbf6a443b713102575837d428704b1e 7398 libs optional libzstd_1.4.8+dfsg-2_amd64.buildinfo