The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().
Time of Introduction
Technical Impact: Read files or
directories; Modify files or
directories; Bypass protection
Use umask() with the correct argument.
If you suspect misuse of umask(), you can use grep to spot call
instances of umask().
The umask() man page begins with the false statement: "umask sets the
umask to mask & 0777" Although this behavior would better align with
the usage of chmod(), where the user provided argument specifies the bits to
enable on the specified file, the behavior of umask() is in fact opposite:
umask() sets the umask to ~mask & 0777. The umask() man page goes on
to describe the correct usage of umask(): "The umask is used by open() to
set initial file permissions on a newly-created file. Specifically,
permissions in the umask are turned off from the mode argument to open(2)
(so, for example, the common umask default value of 022 results in new files
being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the
usual case where the mode is specified as 0666)."