Control: retitle -1 yadm: CVE-2017-11353: race condition allows access to ssh and pgp

On Fri, Jul 14, 2017 at 10:33:09AM +0000, Daniel Shahaf wrote:
> Package: yadm
> Version: 1.10.0-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> Dear Maintainer,
> 
> In its default configuration, yadm ensures that .ssh/ and .gnupg/ files are
> readable by the owner only.  That is implemented by running 'chmod' on the
> files after they have been created:
> 
>     https://sources.debian.net/src/yadm/1.10.0-1/yadm/#L671
> 
> That way has a race condition: whilst the git worktree is being checked out,
> the .ssh and .gnupg files have the permissions of the user's umask.  I added a
> debug printf just before the 'chmod' and it showed .ssh/ and .ssh/config having
> permissions 'u=rwX,go=rX', i.e., world readable.
> 
> I tested in an up-to-date sid chroot.
> 
> (I'm leaving the severity as 'grave' since I figure the vulnerability window
> may be long in setups where the tree being checked out is large.)

CVE-2017-11353 has been assigned by MITRE for this issue (can you please
pass this information to upstream and possibly have it included in
the upstream changelog and commit once fixed).

Regards,
Salvatore
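
The ordering problem described in the report, as an added example that is not part of the original thread and is not yadm's code or upstream's fix: it compares "check out, then chmod" with creating the private directory under a restrictive umask before the checkout. All function names are hypothetical and the checkout is simulated with a constructed file in a temporary directory.

```shell
#!/bin/sh
# Added illustration; all function names are hypothetical, not yadm's.
# Run only against a throwaway directory, never a real $HOME.

# Octal permission bits of a path (GNU stat, with BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Stand-in for the git checkout: creates .ssh/config under a 022 umask.
fake_checkout() (
  umask 022
  mkdir -p "$1/.ssh"
  : > "$1/.ssh/config"
)

# Pattern from the report: check out first, chmod afterwards.
# Prints "<dir mode> <file mode>" as seen just before the chmod runs.
checkout_then_chmod() {
  fake_checkout "$1"
  echo "$(mode_of "$1/.ssh") $(mode_of "$1/.ssh/config")"
  chmod -R go-rwx "$1/.ssh"
}

# Reordered: create the private directory with a 077 umask before the
# checkout, so files written into it are never reachable by other users.
private_dir_then_checkout() {
  ( umask 077; mkdir -p "$1/.ssh" )
  fake_checkout "$1"
  echo "$(mode_of "$1/.ssh") $(mode_of "$1/.ssh/config")"
  chmod -R go-rwx "$1/.ssh"
}

demo=$(mktemp -d)
echo "chmod after checkout: $(checkout_then_chmod "$demo/a")"
echo "private dir first:    $(private_dir_then_checkout "$demo/b")"
rm -rf "$demo"
```

In the second case the file itself is still created with the umask's mode, but the directory above it grants no search permission to group or others, so the file is not reachable before the final chmod tightens it.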
