Your message dated Mon, 28 Aug 2017 11:40:32 +0000 with message-id <[email protected]> and subject line "Bug#868300: fixed in yadm 1.11.1-1" has caused the Debian Bug report #868300, regarding "yadm: CVE-2017-11353: race condition allows access to SSH and PGP keys", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
868300: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868300
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: yadm
Version: 1.10.0-1
Severity: grave
Tags: security upstream
Justification: user security hole

Dear Maintainer,

In its default configuration, yadm ensures that .ssh/ and .gnupg/ files are readable by the owner only. That is implemented by running 'chmod' on the files after they have been created: https://sources.debian.net/src/yadm/1.10.0-1/yadm/#L671

That way has a race condition: whilst the git worktree is being checked out, the .ssh and .gnupg files have the permissions of the user's umask. I added a debug printf just before the 'chmod' and it showed .ssh/ and .ssh/config having permissions «u=rwX,go=rX», i.e., world readable. I tested in an up-to-date sid chroot.

(I'm leaving the severity as 'grave' since I figure the vulnerability window may be long in setups where the tree being checked out is large.)

Cheers,
Daniel
--- End Message ---
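The ordering problem the report describes, reproduced in a scratch directory so the window is visible. This is an added example, not yadm's code and not the change shipped in 1.11.1: the "racy" function creates files under a permissive umask and only then runs chmod, exactly as the report says the 1.10.0 script did, while the two hardened functions assume the usual remedies (restricting the umask before anything is written, or pre-creating the sensitive directory with mode 0700) rather than whatever upstream chose.

```shell
#!/bin/sh
# Added example (not yadm's code): shows why "create, then chmod" leaves a
# window in which freshly checked-out key material is world readable.
set -eu

# Racy pattern from the bug report: files inherit the interactive umask
# (022 here) and are tightened only afterwards. Returns the mode string
# of .ssh/config as observed between creation and the belated chmod.
racy_checkout_mode() {
    work=$(mktemp -d)
    (
        umask 022                                  # typical interactive umask
        mkdir -p "$work/.ssh"                      # stands in for git checkout
        printf 'Host example\n' > "$work/.ssh/config"
        # --- window: file exists, chmod has not run yet ---
        ls -ld "$work/.ssh/config" | cut -c1-10    # POSIX-portable mode string
        chmod -R go-rwx "$work/.ssh"               # too late for the window above
    )
    rm -rf "$work"
}

# Hardened pattern 1: restrict the umask *before* the checkout writes anything,
# so no file ever exists in a group/world-readable state.
umask_first_mode() {
    work=$(mktemp -d)
    (
        umask 077
        mkdir -p "$work/.ssh"
        printf 'Host example\n' > "$work/.ssh/config"
        ls -ld "$work/.ssh/config" | cut -c1-10
    )
    rm -rf "$work"
}

# Hardened pattern 2 (defence in depth): pre-create the sensitive directory
# with mode 0700 before the checkout. Even if the checkout then creates a
# 0644 file inside it, other users cannot traverse the directory to reach it.
# Returns the directory's mode string.
precreated_dir_mode() {
    work=$(mktemp -d)
    (
        umask 022                                  # permissive umask on purpose
        mkdir -m 0700 "$work/.ssh"                 # POSIX: mkdir -m sets the mode
        printf 'Host example\n' > "$work/.ssh/config"
        ls -ld "$work/.ssh" | cut -c1-10
    )
    rm -rf "$work"
}

printf 'racy (umask 022, chmod later): %s\n' "$(racy_checkout_mode)"
printf 'umask 077 before checkout:     %s\n' "$(umask_first_mode)"
printf 'directory pre-created 0700:    %s\n' "$(precreated_dir_mode)"
```

Run it as an unprivileged user; the first line prints `-rw-r--r--` (the «u=rwX,go=rX» the reporter observed), the second `-rw-------`, the third `drwx------`. The point for a reviewer of similar tooling is that the check belongs before the write, not after it: a post-hoc chmod is only as good as the time it takes the checkout to finish, which for a large dotfiles tree can be seconds.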
--- Begin Message ---
Source: yadm
Source-Version: 1.11.1-1

We believe that the bug you reported is fixed in the latest version of yadm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬) <[email protected]> (supplier of updated yadm package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 28 Aug 2017 18:33:06 +0800
Source: yadm
Binary: yadm
Architecture: source
Version: 1.11.1-1
Distribution: unstable
Urgency: high
Maintainer: Yao-Po Wang <[email protected]>
Changed-By: ChangZhuo Chen (陳昌倬) <[email protected]>
Description:
 yadm - Yet Another Dotfiles Manager
Closes: 868300
Changes:
 yadm (1.11.1-1) unstable; urgency=high
 .
   * New upstream release.
   * Fix CVE-2017-11353 (Closes: #868300).
Checksums-Sha1:
 b3992505d35c17ebe52320bef6cadf5594f34cc1 1865 yadm_1.11.1-1.dsc
 995b6b450144e50080a0ab9395670a8b72e567d8 44990 yadm_1.11.1.orig.tar.gz
 7e055f8bc5300ef31d4462ce7cf98793e377ef54 2404 yadm_1.11.1-1.debian.tar.xz
 f38dd8a49aba9bf0030745b03a0a968e18d8d6b1 5583 yadm_1.11.1-1_source.buildinfo
Checksums-Sha256:
 a5af1b436d7f5d59d4ffd272a3e6b83878d9a8e10c63f372ab84ba6ba5843c1f 1865 yadm_1.11.1-1.dsc
 7074c08a317c627106cef3663f2ab05b6397fdf3e2f9186730368b44a26d8fe4 44990 yadm_1.11.1.orig.tar.gz
 9993ee2af99664bcc5a006fb06922cde5ad3be2ae5cdfe747b30205f064f293d 2404 yadm_1.11.1-1.debian.tar.xz
 ee4f2ca0196a45c0de1492451f86bd2203a9ba23900a64bc705fced2061ed47f 5583 yadm_1.11.1-1_source.buildinfo
Files:
 596bcf966182cbe8719f5a38a6a2f9ec 1865 utils optional yadm_1.11.1-1.dsc
 9d67e801d2169a7b44b715d807782533 44990 utils optional yadm_1.11.1.orig.tar.gz
 2b494e3d9d4fb05344e90714e2071733 2404 utils optional yadm_1.11.1-1.debian.tar.xz
 c0c26abf8bd08c3a965e184c41af519d 5583 utils optional yadm_1.11.1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEE5H9tOJ8ReWWaF1PGrc2MXdaTaQFAlmj8iEACgkQGrc2MXda
TaSQpRAA0nJvKaBTuCIvqaRuOg6dU8s4vczM/Sao+bXoLbK5TP6Jsz303WDxp+jQ
gedVLPQAtBd38IK5x991Q8Epgkp35ZyFeSMWKKEoNh1yS/hmrc7b1/gGb7ZWqA8l
O0xFxHHQz1CRHpmgSXf04m4cwGqMhEyLVlik0J0TfLg35bZnIar6z2nZ6NKFAAbH
oot5oM45fKA6HKwI8Drcreq7q62EgnK6OqOrPdv1R0oruWVwjl4wwsKo9CIlAIt7
0tjZMyMnpErxFDeu1R0QqjMEfFd1qOJgGfM0SFoGwvc+4Btm8yjcDWx0sYsYIFou
EyvifQtFgKy7dwJs1yuOC2QRHEvQGNSxn6IIWPAzu16f1PEX4rOKR3YsgLaVv7/X
HoBihFNPp8GzxrIFMvDd5Hs1RrysUuS/gE2KCax9j9rU4+qnbaWRKFpSlk16CafG
+mE8QoKFjuBRwQNICskrGeK044ejfALfnVuYqNM4zrpqK4iwretWVS7OIxNcRAEx
xWvFAzXNCVAgh2r7kVNfTsG8IDpGI1nKkXKiqnkS04Kj8uDb4rXfPZdtLxhScCZ/
qZsvuTcF8IWbNWGCfzofKrXfv67jqzKJWH5n3oBl1wU8w6HTJWvTBJ7DQff38zLj
EVIAK3H1ABM/v3jfFEEL2JCIxgk19f05NOrocJ+I487Q6QAs7HE=
=nXky
-----END PGP SIGNATURE-----
--- End Message ---