Date: Mon, 17 Jul 2017 06:41:04 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: yadm: CVE-2017-11353: race condition allows access to SSH and PGP keys

Hi

As reported by Daniel Shahaf in the Debian bugtracker at
https://bugs.debian.org/868300 yadm (Yet Another Dotfile Manager)
1.10.0 has a race condition (related to the behavior of git commands
in setting permissions for new files and directories), which
potentially allows access to SSH and PGP keys.

Quoting his report:

> Dear Maintainer,
>
> In its default configuration, yadm ensures that .ssh/ and .gnupg/ files are
> readable by the owner only.  That is implemented by running 'chmod' on the
> files after they have been created:
>
> https://sources.debian.net/src/yadm/1.10.0-1/yadm/#L671
>
> That way has a race condition: whilst the git worktree is being checked out,
> the .ssh and .gnupg files have the permissions of the user's umask.  I added a
> debug printf just before the 'chmod' and it showed .ssh/ and .ssh/config having
> permissions «u=rwX,go=rX», i.e., world readable.

Upstream bugreport: https://github.com/TheLocehiliosan/yadm/issues/74

MITRE has assigned CVE-2017-11353 for this issue.

Regards,
Salvatore
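
The window described in the quoted report, as an added example that is not part of the original message and is not yadm's code: it records the modes .ssh/ and .ssh/config have at creation time under a chmod-afterwards pattern and under a restrictive umask set first. Assumptions: GNU stat, a umask of 022, constructed file names and contents; the umask approach is shown as a general mitigation, not as upstream's fix.

```shell
#!/bin/sh
# Added illustration (not yadm's code). Assumes GNU coreutils `stat -c`.
# All paths and file contents below are constructed sample data.

# Print the octal permission bits of a path.
mode_of() { stat -c '%a' "$1"; }

# Pattern from the report: files are created under the caller's umask and
# tightened afterwards. Echoes the modes observed *before* chmod runs.
create_then_chmod() {
    dir=$1
    (
        umask 022                        # assumed typical default
        mkdir -p "$dir/.ssh"
        printf 'Host example\n' > "$dir/.ssh/config"
        printf '%s %s\n' "$(mode_of "$dir/.ssh")" "$(mode_of "$dir/.ssh/config")"
        chmod -R go-rwx "$dir/.ssh"      # exposure ends only here
    )
}

# Mitigation: restrict the umask in a subshell before anything is created,
# so the files never exist with group/other access.
restrictive_umask_create() {
    dir=$1
    (
        umask 077
        mkdir -p "$dir/.ssh"
        printf 'Host example\n' > "$dir/.ssh/config"
        printf '%s %s\n' "$(mode_of "$dir/.ssh")" "$(mode_of "$dir/.ssh/config")"
    )
}

# Audit helper: list entries under a directory readable by group or other.
group_or_other_readable() {
    find "$1" \( -perm -040 -o -perm -004 \) -print
}

# Demo on a throwaway directory.
demo=$(mktemp -d)
echo "chmod afterwards, modes at creation: $(create_then_chmod "$demo/a")"
echo "umask first, modes at creation:      $(restrictive_umask_create "$demo/b")"
rm -rf "$demo"
```
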