Package: diaspora-installer
Version: 0.6.6.0+debian1
Severity: grave
Tags: security
Justification: user security hole
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package installs world-writable files, including a bunch of .rb scripts, allowing unprivileged local users to "customize" your diaspora experience. Since this is a downloader package, it needs to sanitize the stuff it downloads and installs from the net.

From the attached log (scroll to the bottom...):

ERROR: BAD PERMISSIONS
-rw-rw-rw- 1 diaspora nogroup 1935 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/configurate-0.3.1/lib/configurate/lookup_chain.rb
-rw-rw-rw- 1 diaspora nogroup  154 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/.gitignore
-rw-rw-rw- 1 diaspora nogroup  242 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/.travis.yml
-rw-rw-rw- 1 diaspora nogroup   98 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/Gemfile
-rw-rw-rw- 1 diaspora nogroup 1069 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/LICENSE.txt
-rw-rw-rw- 1 diaspora nogroup 3354 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/README.md
-rw-rw-rw- 1 diaspora nogroup  233 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/Rakefile
-rw-rw-rw- 1 diaspora nogroup  918 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store.rb
-rw-rw-rw- 1 diaspora nogroup  233 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store/middleware.rb
-rw-rw-rw- 1 diaspora nogroup  785 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store/railtie.rb
-rw-rw-rw- 1 diaspora nogroup   44 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store/version.rb
-rw-rw-rw- 1 diaspora nogroup  943 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/request_store.gemspec
-rw-rw-rw- 1 diaspora nogroup  981 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/test/middleware_test.rb
-rw-rw-rw- 1 diaspora nogroup 1607 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/test/request_store_test.rb
-rw-rw-rw- 1 diaspora nogroup  267 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/test/test_helper.rb
-rw-rw-rw- 1 diaspora nogroup 3255 Jun 29 20:24 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/twitter-text-1.14.5/README.md

cheers,

Andreas
Attachment: diaspora-installer_0.6.6.0+debian1.log.gz (application/gzip)
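The report asks the downloader package to sanitize what it unpacks. The following is an added example, not part of the bug report or of the diaspora-installer package: a POSIX shell check of the kind a maintainer script could run over the downloaded tree after unpacking, finding every regular file or directory whose "other" write bit is set (the same property piuparts reports above as BAD PERMISSIONS) and clearing that bit without touching owner or group permissions. The scratch tree, gem name and file names in the demo are constructed for the example; the real package's tree lives under /var/lib/diaspora.

```shell
#!/bin/sh
# Added example (not from the bug report or diaspora-installer): post-download
# permission sanitizing for a tree unpacked from the network.
# The paths created in demo() are constructed for this example.

# List regular files and directories under $1 that are world-writable.
# -perm -0002 is the POSIX spelling of "other write bit set"; -o+w is GNU-only.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Number of world-writable paths under $1, so a caller can assert "0".
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Clear only the "other" write bit on every offending path. Owner and group
# bits are left alone, so the service account that owns the tree keeps its
# own write access.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Stand-alone demonstration on a throwaway tree with one deliberately bad mode,
# mirroring the -rw-rw-rw- .rb files in the piuparts output.
demo() {
    umask 022
    tmp=$(mktemp -d)
    mkdir -p "$tmp/vendor/bundle/gems/somegem-1.0/lib"
    printf 'module SomeGem; end\n' > "$tmp/vendor/bundle/gems/somegem-1.0/lib/somegem.rb"
    chmod 666 "$tmp/vendor/bundle/gems/somegem-1.0/lib/somegem.rb"
    printf 'ok\n' > "$tmp/vendor/bundle/gems/somegem-1.0/README"
    chmod 644 "$tmp/vendor/bundle/gems/somegem-1.0/README"

    echo "before: $(count_world_writable "$tmp") world-writable path(s)"
    list_world_writable "$tmp"
    fix_world_writable "$tmp"
    echo "after:  $(count_world_writable "$tmp") world-writable path(s)"
    rm -rf "$tmp"
}

demo
```

In a maintainer script the natural place for `fix_world_writable` is immediately after the download and unpack step and before the tree is handed to the service account; running `count_world_writable` afterwards and failing the install on a non-zero result turns the piuparts finding into a check the package enforces on itself.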