Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 17 Jul 2017 06:41:04 +0200
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Subject: yadm: CVE-2017-11353: race condition allows access to SSH and PGP


As reported by Daniel Shahaf in the Debian bugtracker at

yadm (Yet Another Dotfile Manager) 1.10.0 has a race condition
(related to the behavior of git commands in setting permissions for
new files and directories), which potentially allows access to SSH and
PGP keys.

Quoting his report:

> Dear Maintainer,
> In its default configuration, yadm ensures that .ssh/ and .gnupg/ files are
> readable by the owner only.  That is implemented by running 'chmod' on the
> files after they have been created:
> That way has a race condition: whilst the git worktree is being checked out,
> the .ssh and .gnupg files have the permissions of the user's umask.  I added a
> debug printf just before the 'chmod' and it showed .ssh/ and .ssh/config having
> permissions «u=rwX,go=rX», i.e., world readable.

Upstream bugreport:

MITRE has assigned CVE-2017-11353 for this issue.


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ