From ${URL} :

As reported by Daniel Shahaf in the Debian bugtracker at https://bugs.debian.org/868300, yadm (Yet Another Dotfile Manager) 1.10.0 has a race condition (related to the behavior of git commands in setting permissions for new files and directories), which potentially allows access to SSH and PGP keys.

Quoting his report:

> Dear Maintainer,
>
> In its default configuration, yadm ensures that .ssh/ and .gnupg/ files are
> readable by the owner only. That is implemented by running 'chmod' on the
> files after they have been created:
>
> https://sources.debian.net/src/yadm/1.10.0-1/yadm/#L671
>
> That way has a race condition: whilst the git worktree is being checked out,
> the .ssh and .gnupg files have the permissions of the user's umask. I added a
> debug printf just before the 'chmod' and it showed .ssh/ and .ssh/config having
> permissions «u=rwX,go=rX», i.e., world readable.

Upstream bugreport: https://github.com/TheLocehiliosan/yadm/issues/74

MITRE has assigned CVE-2017-11353 for this issue.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
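The following shell snippet is an added illustration, not yadm's code and not part of the bug report above. It reproduces the pattern the report describes (files created under the user's umask, then tightened with a later chmod) next to the mitigation of restricting the umask before anything is written, so the files never pass through a world-readable state. All paths are constructed in a temporary directory; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not yadm's code): "create, then chmod" versus
# "restrict umask, then create". Everything runs inside a scratch dir.

# Print the octal permission bits of a path (GNU stat; BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Racy pattern: files appear with the umask's permissions and are only
# fixed afterwards. Prints the mode the file had *before* the chmod,
# i.e. what another local user could observe during the window.
racy_create() {
    dir=$1
    # Typical interactive umask of 022 -> files 644, directories 755.
    (umask 022; mkdir -p "$dir/.ssh"; : > "$dir/.ssh/config")
    before=$(mode_of "$dir/.ssh/config")   # observed inside the window
    chmod -R go-rwx "$dir/.ssh"            # the late fix-up
    echo "$before"
}

# Safe pattern: tighten the umask first so new files and directories are
# owner-only from the moment they exist. Prints the file's mode.
safe_create() {
    dir=$1
    (umask 077; mkdir -p "$dir/.ssh"; : > "$dir/.ssh/config")
    mode_of "$dir/.ssh/config"
}

# Stand-alone demonstration; prints both observations.
demo() {
    tmp=$(mktemp -d)
    echo "racy: mode before chmod was $(racy_create "$tmp/racy") (world-readable)"
    echo "safe: mode at creation is  $(safe_create "$tmp/safe")"
    rm -rf "$tmp"
}
```

Call `demo` to see both results; on a system with the usual 022 umask the racy path reports 644 before the chmod, while the umask-first path reports 600 for the file and 700 for the directory from the start.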
Maintainer(s), please be aware that a new patch has been committed: https://github.com/TheLocehiliosan/yadm/commit/1eca41fa67e46221cb793f57e6276176e97c9611. This patch is included in the 1.11.1 release.

Gentoo Security Padawan
Kivak
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ded744c5b16b0966c4a39e9d5d3856fcab03ac4

commit 7ded744c5b16b0966c4a39e9d5d3856fcab03ac4
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-25 20:22:09 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-03-28 00:32:23 +0000

    app-admin/yadm: Security bump to 2.4.0

    Fixed in 1.11.1 but bumped to latest while there given it's now maintainer-needed.

    Bug: https://bugs.gentoo.org/625394
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15114
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-admin/yadm/Manifest          |  1 +
 app-admin/yadm/yadm-2.4.0.ebuild | 57 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3ee7f2da2b73ae0c7cfd7abc61c4b819abc55b2

commit d3ee7f2da2b73ae0c7cfd7abc61c4b819abc55b2
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-29 00:26:04 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-03-31 08:39:00 +0000

    app-admin/yadm: Security cleanup

    Bug: https://bugs.gentoo.org/625394
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15158
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-admin/yadm/Manifest           |  1 -
 app-admin/yadm/yadm-1.12.0.ebuild | 54 ---------------------------------------
 2 files changed, 55 deletions(-)
Tree clean and noglsa => closing.