Package: librrd8
Version: 1.7.0-1+b1
Severity: important

I installed collectd-core on my system and noticed that it created directories and rrd files with strange and insecure permissions such as 0777 and 0177. A bit of detective work later I managed to track the problem down to this issue in rrdtool:

https://github.com/oetiker/rrdtool-1.x/issues/794

To summarize, librrd uses umask to affect the permissions of created files. It first obtains the current umask so that it can restore it. However umask is global to the process and collectd performs rrd operations in multiple threads. It may happen that another thread obtains the modified umask as the original value and restores the incorrect value after doing its thing.

Worse, the version currently in Debian contains this call:

    saved_umask = umask(S_IRUSR|S_IWUSR);

This sets the umask to 0600, apparently in an attempt to protect files from users other than the owner. However the author failed to realize that umask is a negation of the allowed bits, so this actually exposes created files to everyone!

The problematic call appeared in June 2016:

https://github.com/oetiker/rrdtool-1.x/commit/cd139a8

A year later the author realized his mistake and first corrected the umask bits:

https://github.com/oetiker/rrdtool-1.x/commit/e1bddaf

And then removed the umask calls entirely:

https://github.com/oetiker/rrdtool-1.x/commit/f1edd12

However there has not been a new version since then and the latest released version (1.7.0, from May 2017) remains vulnerable. Please pick up the fix for Debian.
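Added illustration, not code from the bug report or from rrdtool: a small C program that shows why umask(S_IRUSR|S_IWUSR) strips the owner's own bits, and a creation pattern that pins the mode without touching the process-wide umask. The 0777 creation mode in the buggy variant is an assumption chosen because it reproduces the 0177 files the report observed; the /tmp paths are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bits a new file actually gets: umask is subtracted from the requested mode,
 * so a umask of 0600 removes owner read/write instead of protecting it. */
mode_t effective_mode(mode_t requested, mode_t mask)
{
    return requested & ~mask & 07777;
}

/* Reproduces the defective pattern: umask is set to 0600 around the open().
 * Assumed creation mode 0777 -> 0177. umask is per process, so in a threaded
 * program another thread may observe 0600 and later "restore" it. */
mode_t create_with_buggy_umask(const char *path)
{
    mode_t saved = umask(S_IRUSR | S_IWUSR);
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0777);
    umask(saved);
    if (fd < 0) return (mode_t)-1;
    struct stat st;
    if (fstat(fd, &st) != 0) st.st_mode = (mode_t)-1;
    close(fd);
    unlink(path);
    return st.st_mode & 07777;
}

/* Safer pattern: request 0600 at open() and pin it with fchmod(), which is
 * not subject to umask. The result is 0600 regardless of the current umask
 * and regardless of what other threads do to it. */
mode_t create_private_file(const char *path)
{
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
    if (fd < 0) return (mode_t)-1;
    struct stat st;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 || fstat(fd, &st) != 0)
        st.st_mode = (mode_t)-1;
    close(fd);
    unlink(path);
    return st.st_mode & 07777;
}

int main(void)
{
    printf("0777 with umask 0600 -> %04o\n", effective_mode(0777, S_IRUSR | S_IWUSR));
    printf("buggy pattern        -> %04o\n", create_with_buggy_umask("/tmp/umask_demo_buggy"));
    umask(S_IRUSR | S_IWUSR); /* simulate the bad umask leaking from another thread */
    printf("pinned pattern       -> %04o\n", create_private_file("/tmp/umask_demo_safe"));
    return 0;
}
```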
-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.24-core2-server (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages librrd8 depends on:
ii  libc6                2.27-3
ii  libcairo2            1.15.10-3
ii  libdbi1              0.9.0-5
ii  libglib2.0-0         2.56.1-2
ii  libpango-1.0-0       1.42.1-1
ii  libpangocairo-1.0-0  1.42.1-1
ii  libpng16-16          1.6.34-1
ii  libxml2              2.9.4+dfsg1-6.1

Versions of packages librrd8 recommends:
ii  fonts-dejavu-core   2.37-1
ii  ttf-bitstream-vera  1.10-8

librrd8 suggests no packages.

-- no debconf information