Race Condition Affecting libarchive package, versions [,3.7.1)


Severity

Recommended
0.0
low
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.19% (10th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CONAN-LIBARCHIVE-10076389
  • published8 May 2025
  • disclosed29 May 2023
  • creditxypiie

Introduced: 29 May 2023

CVE-2023-30571  (opens in a new tab)
CWE-362  (opens in a new tab)

How to fix?

Upgrade libarchive to version 3.7.1 or higher.

Overview

Affected versions of this package are vulnerable to Race Condition causing directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.

CVSS Base Scores

version 3.1