From eb233cfadd2480ca30e5853644bb63c97956ed88 Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert@fedoraproject.org>
Date: Wed, 22 Apr 2020 00:02:18 +0200
Subject: [PATCH] CVE-2015-1200: Race condition in setting permissions on
 output file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Race condition in pxz 4.999.99 Beta 3 uses weak file permissions
for the output file when compressing a file before changing the
permission to match the original file, which allows local users
to bypass the intended access restrictions.

Patch by Moritz Mühlenhoff <jmm@inutil.org>

See also:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1200
 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775306
 - https://bugzilla.redhat.com/show_bug.cgi?id=1182024
---
 pxz.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pxz.c b/pxz.c
index 4240b6e..1119ed7 100644
--- a/pxz.c
+++ b/pxz.c
@@ -312,6 +312,7 @@ int main( int argc, char **argv, char **envp ) {
 		}
 		
 		fo = stdout;
+		umask(077);
 		if ( std_in ) {
 			fi = stdin;
 		} else {