[If possible, please preserve the -forwarded address in any replies.]

I suspect this should be fixed, if it hasn't been already.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971

Thanks

Rand Peters <rwpet...@yandex.com> writes:

> Package: guile-2.0
> Version: 2.0.11+1-1
> Tags: security
>
> Guile automatically byte-compiles programs when they are run, and
> places the byte-compiled file in a subdirectory of
> $HOME/.cache/guile/.
>
> However, the permissions of the byte-compiled file are derived from
> umask rather than the permissions of the source file. This means that
> sensitive data (e.g. a hard-coded password) contained in a source file
> with restrictive permissions will be copied into a byte-compiled file
> that may be world-readable.
>
> Guile should ensure that the permissions of byte-compiled files match
> those of the source.
>
> Example:
>
> $ touch myscript
>
> $ chmod 700 myscript # source file readable only to owner
>
> $ cat >> myscript <<'EOF'
> #!/usr/bin/guile \
> -e main -s
> !#
>
> (define secret-password "DEADBEEFDEADBEEF")
>
> (define (main args)
>   (display "this program contains an embedded secret")
>   (newline))
> EOF
>
> $ ./myscript
> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
> ;;; or pass the --no-auto-compile argument to disable.
> ;;; compiling /home/rwp/./myscript
> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> this program contains an embedded secret
>
> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>
> # ^^ Note that the byte-compiled file is world-readable
>
> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> [...]
> DEADBEEFDEADBEEF
> secret-password
> [...]

--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
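A check an administrator can run against the cache layout shown in the report above, added here as an example (it is not from the bug report or from Guile itself): it locates the auto-compiled copy of a source file and flags it when its group/other permission bits exceed the source's. Assumed: GNU stat(1) with -c, and the cache root passed explicitly (e.g. ~/.cache/guile/ccache/2.0-LE-4-2.0; the version directory differs between Guile builds).

```shell
#!/bin/sh
# Layout taken from the report: $CACHE_ROOT/<absolute source path>.go
# Assumption (not from the report): GNU stat -c is available.
# usage: . ./guile_cache_check.sh; guile_cache_perm_check ./myscript ~/.cache/guile/ccache/2.0-LE-4-2.0

# mode_bits FILE -> the low three octal permission digits, e.g. 644
# (setuid/setgid/sticky digit dropped so 4755 compares as 755)
mode_bits() {
    m=$(stat -c '%a' "$1")
    m=$(printf '%03d' "$m")
    printf '%s\n' "${m#"${m%???}"}"
}

# compiled_path SOURCE CACHE_ROOT -> where Guile would write the .go file
compiled_path() {
    src_dir=$(cd "$(dirname "$1")" && pwd -P)
    printf '%s/%s/%s.go\n' "$2" "${src_dir#/}" "$(basename "$1")"
}

# guile_cache_perm_check SOURCE CACHE_ROOT
# returns 0 if no cached copy exists or it is no more readable than the
# source; returns 1 (and reports on stderr) when the cached copy grants
# group/other permission bits that the source does not.
guile_cache_perm_check() {
    src=$1
    go=$(compiled_path "$1" "$2")
    [ -f "$go" ] || return 0
    s=$(mode_bits "$src"); c=$(mode_bits "$go")
    # split each mode into its group digit and other digit
    sg=${s%?}; sg=${sg#?}; so=${s#??}
    cg=${c%?}; cg=${cg#?}; co=${c#??}
    # any bit set on the cached copy but clear on the source is a leak
    if [ $(( (cg & ~sg) & 7 )) -ne 0 ] || [ $(( (co & ~so) & 7 )) -ne 0 ]; then
        echo "LEAK: $go is mode $c but source $src is mode $s" >&2
        return 1
    fi
    return 0
}
```

Fixing a flagged file is `chmod "$(mode_bits "$src")" "$go"`; deleting the cache entry also works, since Guile recompiles on the next run.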