Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 625394 (CVE-2017-11353) - <app-admin/yadm-2.4.0: race condition allows access to SSH and PGP keys
Summary: <app-admin/yadm-2.4.0: race condition allows access to SSH and PGP keys
Status: RESOLVED FIXED
Alias: CVE-2017-11353
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~2 [noglsa cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2017-07-17 07:58 UTC by Agostino Sarubbo
Modified: 2020-03-31 11:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-07-17 07:58:26 UTC
From ${URL} :

As reported by Daniel Shahaf in the Debian bugtracker at

https://bugs.debian.org/868300

yadm (Yet Another Dotfile Manager) 1.10.0 has a race condition
(related to the behavior of git commands in setting permissions for
new files and directories), which potentially allows access to SSH and
PGP keys.

Quoting his report:

> Dear Maintainer,
> 
> In its default configuration, yadm ensures that .ssh/ and .gnupg/ files are
> readable by the owner only.  That is implemented by running 'chmod' on the
> files after they have been created:
> 
>     https://sources.debian.net/src/yadm/1.10.0-1/yadm/#L671
> 
> That way has a race condition: whilst the git worktree is being checked out,
> the .ssh and .gnupg files have the permissions of the user's umask.  I added a
> debug printf just before the 'chmod' and it showed .ssh/ and .ssh/config having
> permissions «u=rwX,go=rX», i.e., world readable.

Upstream bugreport: https://github.com/TheLocehiliosan/yadm/issues/74

MITRE has assigned CVE-2017-11353 for this issue.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aleksandr Wagner (Kivak) 2017-09-20 16:37:19 UTC
Maintainer(s) please be aware that a new patch has been committed, https://github.com/TheLocehiliosan/yadm/commit/1eca41fa67e46221cb793f57e6276176e97c9611. This patch is included in the 1.11.1 release.

Gentoo Security Padawan
Kivak
Comment 2 Larry the Git Cow gentoo-dev 2020-03-28 00:33:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ded744c5b16b0966c4a39e9d5d3856fcab03ac4

commit 7ded744c5b16b0966c4a39e9d5d3856fcab03ac4
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-25 20:22:09 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-03-28 00:32:23 +0000

    app-admin/yadm: Security bump to 2.4.0
    
    Fixed in 1.11.1 but bumped to latest while
    there given it's now maintainer-needed.
    
    Bug: https://bugs.gentoo.org/625394
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15114
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-admin/yadm/Manifest          |  1 +
 app-admin/yadm/yadm-2.4.0.ebuild | 57 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2020-03-31 08:39:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3ee7f2da2b73ae0c7cfd7abc61c4b819abc55b2

commit d3ee7f2da2b73ae0c7cfd7abc61c4b819abc55b2
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-29 00:26:04 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-03-31 08:39:00 +0000

    app-admin/yadm: Security cleanup
    
    Bug: https://bugs.gentoo.org/625394
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15158
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-admin/yadm/Manifest           |  1 -
 app-admin/yadm/yadm-1.12.0.ebuild | 54 ---------------------------------------
 2 files changed, 55 deletions(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-31 11:27:55 UTC
Tree clean and noglsa => closing.