Debian Bug report logs - #868300
yadm: CVE-2017-11353: race condition allows access to SSH and PGP keys

Package: yadm; Maintainer for yadm is Yao-Po Wang <blue119@gmail.com>; Source for yadm is src:yadm.

Reported by: Daniel Shahaf <danielsh@apache.org>

Date: Fri, 14 Jul 2017 10:36:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions yadm/1.06-1, yadm/1.10.0-1

Fixed in version yadm/1.11.1-1

Done: ChangZhuo Chen (陳昌倬) <czchen@debian.org>

Forwarded to https://github.com/TheLocehiliosan/yadm/issues/74





Message #5 received at submit@bugs.debian.org:

From: Daniel Shahaf <danielsh@apache.org>
To: submit@bugs.debian.org
Subject: yadm: race condition allows access to ssh and pgp keys
Date: Fri, 14 Jul 2017 10:33:09 +0000
Package: yadm
Version: 1.10.0-1
Severity: grave
Tags: security upstream
Justification: user security hole

Dear Maintainer,

In its default configuration, yadm ensures that .ssh/ and .gnupg/ files are
readable by the owner only.  That is implemented by running 'chmod' on the
files after they have been created:

    https://sources.debian.net/src/yadm/1.10.0-1/yadm/#L671

That way has a race condition: whilst the git worktree is being checked out,
the .ssh and .gnupg files have the permissions of the user's umask.  I added a
debug printf just before the 'chmod' and it showed .ssh/ and .ssh/config having
permissions «u=rwX,go=rX», i.e., world readable.

I tested in an up-to-date sid chroot.

(I'm leaving the severity as 'grave' since I figure the vulnerability window
may be long in setups where the tree being checked out is large.)

Cheers,

Daniel
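The window described in the report above, as an added example that is not part of the bug log or of yadm's own code. A worktree checkout is simulated with mkdir and shell redirection, which is how git creates its files too (mkdir(2)/open(2)), so every new inode starts at 0777/0666 masked by the process umask until something chmods it. The script records the mode of .ssh/config before the after-the-fact chmod and contrasts it with the hardened ordering, a restrictive umask set before the first file is created. The file names and contents are constructed, the chmod mode string is an assumption that reproduces the owner-only result rather than yadm's exact command, the log does not say which fix upstream shipped, and `stat -c %a` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not yadm's code: reproduce the CVE-2017-11353 window.
# A worktree checkout is simulated with mkdir and shell redirection; git
# creates its files the same way (mkdir(2)/open(2)), so each new inode gets
# mode 0777/0666 masked by the process umask until something chmods it.
# Assumes GNU coreutils (stat -c %a). File names and contents are constructed.

# Create the "checked-out" tree the way a checkout would, honouring whatever
# umask is in effect at the time.
simulate_checkout() {
    dir=$1
    mkdir -p "$dir/.ssh" "$dir/.gnupg"
    printf 'Host example\n  IdentityFile ~/.ssh/id_ed25519\n' > "$dir/.ssh/config"
    printf 'constructed, not a real key\n' > "$dir/.gnupg/secring.gpg"
}

# Vulnerable ordering (what the report describes): check out first, tighten
# permissions afterwards. Prints the mode of .ssh/config as seen in between,
# i.e. while another local user could still read it.
checkout_then_chmod() {
    dir=$1
    (
        umask 022                 # a common interactive default
        simulate_checkout "$dir"
        stat -c %a "$dir/.ssh/config"
        # The after-the-fact fix-up. The exact mode string yadm used is an
        # assumption; this one yields the same owner-only result.
        chmod -R u=rwX,go= "$dir/.ssh" "$dir/.gnupg"
    )
}

# Hardened ordering: restrict the umask before the first file is created, so
# no instant exists at which key material is group- or world-readable.
# Prints the mode of .ssh/config immediately after creation.
checkout_with_umask() {
    dir=$1
    (
        umask 077
        simulate_checkout "$dir"
        stat -c %a "$dir/.ssh/config"
    )
}

# Post-checkout check: list every path under .ssh and .gnupg that is readable
# by group or other. Empty output means both trees are owner-only.
find_exposed() {
    find "$1/.ssh" "$1/.gnupg" \( -perm -g+r -o -perm -o+r \) -print | sort
}

work=$(mktemp -d)
echo "checkout then chmod: mode of .ssh/config inside the window = $(checkout_then_chmod "$work/v")"
echo "umask then checkout: mode of .ssh/config at creation        = $(checkout_with_umask "$work/h")"
echo "exposed paths after chmod (vulnerable ordering): $(find_exposed "$work/v" | wc -l)"
echo "exposed paths in hardened tree:                  $(find_exposed "$work/h" | wc -l)"
rm -rf "$work"
```

With umask 022 the vulnerable ordering reports 644 for .ssh/config during the window and 600 only after the chmod; the hardened ordering reports 600 from the first instant the file exists. find_exposed is the check to run after any tool that writes key material into a home directory, since it catches both the race and a chmod that was never reached.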



Set Bug forwarded-to-address to 'https://github.com/TheLocehiliosan/yadm/issues/74'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 16 Jul 2017 13:36:06 GMT)




Message #12 received at 868300@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Daniel Shahaf <danielsh@apache.org>, 868300@bugs.debian.org
Subject: Re: Bug#868300: yadm: race condition allows access to ssh and pgp keys
Date: Mon, 17 Jul 2017 06:30:56 +0200
Control: retitle -1 yadm: CVE-2017-11353: race condition allows access to ssh and pgp

On Fri, Jul 14, 2017 at 10:33:09AM +0000, Daniel Shahaf wrote:
> Package: yadm
> Version: 1.10.0-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> Dear Maintainer,
> 
> In its default configuration, yadm ensures that .ssh/ and .gnupg/ files are
> readable by the owner only.  That is implemented by running 'chmod' on the
> files after they have been created:
> 
>     https://sources.debian.net/src/yadm/1.10.0-1/yadm/#L671
> 
> That way has a race condition: whilst the git worktree is being checked out,
> the .ssh and .gnupg files have the permissions of the user's umask.  I added a
> debug printf just before the 'chmod' and it showed .ssh/ and .ssh/config having
> permissions «u=rwX,go=rX», i.e., world readable.
> 
> I tested in an up-to-date sid chroot.
> 
> (I'm leaving the severity as 'grave' since I figure the vulnerability window
> may be long in setups where the tree being checked out is large.)

CVE-2017-11353 has been assigned by MITRE for this issue (can you pass
please this information to upstream and possibly have it included in
the upstream changelog and commit once fixed).

Regards,
Salvatore



Changed Bug title to 'yadm: CVE-2017-11353: race condition allows access to ssh and pgp' from 'yadm: race condition allows access to ssh and pgp keys'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 868300-submit@bugs.debian.org. (Mon, 17 Jul 2017 04:33:03 GMT)


Changed Bug title to 'yadm: CVE-2017-11353: race condition allows access to ssh and pgp keys' from 'yadm: CVE-2017-11353: race condition allows access to ssh and pgp'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 17 Jul 2017 04:39:03 GMT)


Changed Bug title to 'yadm: CVE-2017-11353: race condition allows access to SSH and PGP keys' from 'yadm: CVE-2017-11353: race condition allows access to ssh and pgp keys'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 17 Jul 2017 04:39:05 GMT)




Message #23 received at 868300@bugs.debian.org:

From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
To: 868300@bugs.debian.org
Subject: Re: yadm: race condition allows access to ssh and pgp keys
Date: Mon, 17 Jul 2017 12:41:43 +0800
Control: forwarded -1 https://github.com/TheLocehiliosan/yadm/issues/75


-- 
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
http://czchen.info/
Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B

Changed Bug forwarded-to-address to 'https://github.com/TheLocehiliosan/yadm/issues/75' from 'https://github.com/TheLocehiliosan/yadm/issues/74'. Request was from ChangZhuo Chen (陳昌倬) <czchen@debian.org> to 868300-submit@bugs.debian.org. (Mon, 17 Jul 2017 04:45:03 GMT)




Message #30 received at 868300@bugs.debian.org:

From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
To: 868300@bugs.debian.org
Subject: Re: yadm: race condition allows access to ssh and pgp keys
Date: Mon, 17 Jul 2017 12:47:06 +0800
Control: forwarded -1 https://github.com/TheLocehiliosan/yadm/issues/74


Set it back since it is already reported to upstream.


-- 
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
http://czchen.info/
Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B

Changed Bug forwarded-to-address to 'https://github.com/TheLocehiliosan/yadm/issues/74' from 'https://github.com/TheLocehiliosan/yadm/issues/75'. Request was from ChangZhuo Chen (陳昌倬) <czchen@debian.org> to 868300-submit@bugs.debian.org. (Mon, 17 Jul 2017 04:51:02 GMT)


Added tag(s) fixed-upstream. Request was from Daniel Shahaf <danielsh@apache.org> to control@bugs.debian.org. (Wed, 23 Aug 2017 16:21:03 GMT)




Message #39 received at 868300-close@bugs.debian.org:

From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
To: 868300-close@bugs.debian.org
Subject: Bug#868300: fixed in yadm 1.11.1-1
Date: Mon, 28 Aug 2017 11:40:32 +0000
Source: yadm
Source-Version: 1.11.1-1

We believe that the bug you reported is fixed in the latest version of
yadm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868300@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬) <czchen@debian.org> (supplier of updated yadm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 28 Aug 2017 18:33:06 +0800
Source: yadm
Binary: yadm
Architecture: source
Version: 1.11.1-1
Distribution: unstable
Urgency: high
Maintainer: Yao-Po Wang <blue119@gmail.com>
Changed-By: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
Description:
 yadm       - Yet Another Dotfiles Manager
Closes: 868300
Changes:
 yadm (1.11.1-1) unstable; urgency=high
 .
   * New upstream release.
     * Fix CVE-2017-11353 (Closes: #868300).
Checksums-Sha1:
 b3992505d35c17ebe52320bef6cadf5594f34cc1 1865 yadm_1.11.1-1.dsc
 995b6b450144e50080a0ab9395670a8b72e567d8 44990 yadm_1.11.1.orig.tar.gz
 7e055f8bc5300ef31d4462ce7cf98793e377ef54 2404 yadm_1.11.1-1.debian.tar.xz
 f38dd8a49aba9bf0030745b03a0a968e18d8d6b1 5583 yadm_1.11.1-1_source.buildinfo
Checksums-Sha256:
 a5af1b436d7f5d59d4ffd272a3e6b83878d9a8e10c63f372ab84ba6ba5843c1f 1865 yadm_1.11.1-1.dsc
 7074c08a317c627106cef3663f2ab05b6397fdf3e2f9186730368b44a26d8fe4 44990 yadm_1.11.1.orig.tar.gz
 9993ee2af99664bcc5a006fb06922cde5ad3be2ae5cdfe747b30205f064f293d 2404 yadm_1.11.1-1.debian.tar.xz
 ee4f2ca0196a45c0de1492451f86bd2203a9ba23900a64bc705fced2061ed47f 5583 yadm_1.11.1-1_source.buildinfo
Files:
 596bcf966182cbe8719f5a38a6a2f9ec 1865 utils optional yadm_1.11.1-1.dsc
 9d67e801d2169a7b44b715d807782533 44990 utils optional yadm_1.11.1.orig.tar.gz
 2b494e3d9d4fb05344e90714e2071733 2404 utils optional yadm_1.11.1-1.debian.tar.xz
 c0c26abf8bd08c3a965e184c41af519d 5583 utils optional yadm_1.11.1-1_source.buildinfo





Marked as found in versions yadm/1.06-1. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Tue, 29 Aug 2017 10:42:05 GMT)


Message #42 received at 868300-done@bugs.debian.org:

From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
To: 868300-done@bugs.debian.org
Subject: [yadm] Fix Depends
Date: Thu, 9 Aug 2018 16:03:08 +0800
control: fixed -1 1.12.0-2


-- 
ChangZhuo Chen (陳昌倬) czchen@{czchen,debconf,debian}.org
http://czchen.info/
Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:49:57 2019; Machine Name: buxtehude