oss-sec mailing list archives

yadm: CVE-2017-11353: race condition allows access to SSH and PGP keys


From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 17 Jul 2017 06:41:04 +0200

Hi

As reported by Daniel Shahaf in the Debian bugtracker at

https://bugs.debian.org/868300

yadm (Yet Another Dotfile Manager) 1.10.0 has a race condition
(related to the behavior of git commands in setting permissions for
new files and directories), which potentially allows access to SSH and
PGP keys.

Quoting his report:

Dear Maintainer,

In its default configuration, yadm ensures that .ssh/ and .gnupg/ files are
readable by the owner only.  That is implemented by running 'chmod' on the
files after they have been created:

    https://sources.debian.net/src/yadm/1.10.0-1/yadm/#L671

That way has a race condition: whilst the git worktree is being checked out,
the .ssh and .gnupg files have the permissions of the user's umask.  I added a
debug printf just before the 'chmod' and it showed .ssh/ and .ssh/config having
permissions 'u=rwX,go=rX', i.e., world readable.

Upstream bug report: https://github.com/TheLocehiliosan/yadm/issues/74

MITRE has assigned CVE-2017-11353 for this issue.

Regards,
Salvatore
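The window Daniel describes, reproduced with constructed scratch files as an added example (not code from the advisory or from yadm): the function reports the modes a concurrent reader would see on .ssh/ and .ssh/config between creation and the late chmod. Under a typical umask of 022 they are world readable; running the creation step under umask 077 (one mitigation, assumed here, not claimed to be upstream's fix) means there is nothing left to tighten afterwards.

```shell
#!/bin/sh
# Added example, not from the advisory or from yadm.
# Uses constructed scratch files under a fresh temporary directory.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Simulate the vulnerable sequence: create .ssh/ and .ssh/config the way a
# checkout would (inheriting the process umask), record their modes, and
# only then run the chmod that yadm applied after the fact.
# Prints "<dir mode> <file mode>" as observed BEFORE the chmod, i.e. what
# another local user could see during the race window.
mode_during_window() {
    um=$1
    base=$(mktemp -d)                      # mktemp -d is always 0700
    (
        umask "$um"                        # umask only affects this subshell
        mkdir "$base/.ssh"
        : > "$base/.ssh/config"
    )
    seen="$(file_mode "$base/.ssh") $(file_mode "$base/.ssh/config")"
    chmod 700 "$base/.ssh"                 # the late fix-up from the report
    chmod 600 "$base/.ssh/config"
    rm -rf "$base"
    printf '%s\n' "$seen"
}

# Typical interactive umask: directory 755, file 644 during the window.
mode_during_window 022
# Restrictive umask for the whole checkout: 700 / 600 from the start.
mode_during_window 077
```

The same idea applies to the real tool: wrap the checkout as `( umask 077; git ... )` so key material is never created with the user's default umask, and keep the chmod only as a second line of defence.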
