[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] yadm: CVE-2017-11353: race condition allows access to SSH and PGP keys
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2017-07-17 4:41:04
Message-ID: 20170717044104.j3gqgmkwgvekdedu () lorien ! valinor ! li
[Download RAW message or body]
Hi
As reported by Daniel Shahaf in the Debian bugtracker at
https://bugs.debian.org/868300
yadm (Yet Another Dotfile Manager) 1.10.0 has a race condition
(related to the behavior of git commands in setting permissions for
new files and directories), which potentially allows access to SSH and
PGP keys.
Quoting his report:
> Dear Maintainer,
>
> In its default configuration, yadm ensures that .ssh/ and .gnupg/ files are
> readable by the owner only. That is implemented by running 'chmod' on the
> files after they have been created:
>
> https://sources.debian.net/src/yadm/1.10.0-1/yadm/#L671
>
> That way has a race condition: whilst the git worktree is being checked out,
> the .ssh and .gnupg files have the permissions of the user's umask. I added a
> debug printf just before the 'chmod' and it showed .ssh/ and .ssh/config having
> permissions «u=rwX,go=rX », i.e., world readable.
Upstream bugreport: https://github.com/TheLocehiliosan/yadm/issues/74
MITRE has assigned CVE-2017-11353 for this issue.
Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic