Message-ID: <20170717044104.j3gqgmkwgvekdedu@lorien.valinor.li>
Date: Mon, 17 Jul 2017 06:41:04 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: yadm: CVE-2017-11353: race condition allows access to SSH and PGP
 keys

Hi

As reported by Daniel Shahaf in the Debian bug tracker at

https://bugs.debian.org/868300

yadm (Yet Another Dotfile Manager) 1.10.0 has a race condition
(related to the behavior of git commands in setting permissions for
new files and directories), which potentially allows access to SSH and
PGP keys.

Quoting his report:

> Dear Maintainer,
> 
> In its default configuration, yadm ensures that .ssh/ and .gnupg/ files are
> readable by the owner only.  That is implemented by running 'chmod' on the
> files after they have been created:
> 
>     https://sources.debian.net/src/yadm/1.10.0-1/yadm/#L671
> 
> That way has a race condition: whilst the git worktree is being checked out,
> the .ssh and .gnupg files have the permissions of the user's umask.  I added a
> debug printf just before the 'chmod' and it showed .ssh/ and .ssh/config having
> permissions «u=rwX,go=rX», i.e., world readable.

Upstream bug report: https://github.com/TheLocehiliosan/yadm/issues/74

MITRE has assigned CVE-2017-11353 for this issue.

Regards,
Salvatore
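
The create-then-chmod window described in the quoted report, as an added example that is not part of the original message and is not yadm's code. `fake_checkout` is a constructed stand-in for git writing the worktree, all function names are hypothetical, and the restrictive-umask variant is one general mitigation, not necessarily the fix yadm adopted.

```shell
#!/bin/sh
# Added example. fake_checkout is a constructed stand-in for git writing
# the worktree: like git, it creates files honouring the current umask.
fake_checkout() {
    mkdir -p "$1/.ssh" && printf 'Host example\n' > "$1/.ssh/config"
}

# Octal mode of a path (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Pattern from the report: create under the user's umask, chmod afterwards.
# Prints the mode visible to other local users in the window before chmod.
racy_setup() {
    (
        umask 022
        fake_checkout "$1"
        mode_of "$1/.ssh/config"
        chmod -R go-rwx "$1/.ssh"
    )
}

# Mitigation: restrictive umask for the whole creation step, so the files
# are never group- or world-accessible and no chmod is needed afterwards.
safe_setup() {
    (
        umask 077
        fake_checkout "$1"
        mode_of "$1/.ssh/config"
    )
}

# Audit: print anything under .ssh/.gnupg that group or other can access.
exposed_paths() {
    for d in "$1/.ssh" "$1/.gnupg"; do
        if [ -e "$d" ]; then
            find "$d" \( -perm -001 -o -perm -002 -o -perm -004 \
                -o -perm -010 -o -perm -020 -o -perm -040 \) -print
        fi
    done
}

demo=$(mktemp -d)
echo "mode before chmod (racy): $(racy_setup "$demo/racy")"
echo "mode at creation (safe):  $(safe_setup "$demo/safe")"
rm -rf "$demo"
```

Both variants end with the same final permissions, so an audit run after the fact (`exposed_paths`) cannot tell them apart; only the mode at creation time shows the exposure.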
