GHSA-w7jw-q4fg-qc4c

Описание

Summary

When building packages directly from source control, file permissions on the checked-in files are not maintained.

Details

When building packages directly from source control, file permissions on the checked-in files are not maintained. When nfpm packaged the files (without extra config for enforcing its own permissions) files could go out with bad permissions (chmod 666 or 777).

PoC

Create a default nfpm structure.

Within the test folder, create 3 files named chmod-XXX.sh. Each script has file permissions set corresponding with their file names (chmod-777.sh = chmod 777). Below each file and permissions can be seen.

Below is the snippet nfpm configuration file of the contents of the package. The test folder and files has no extra config for enforcing permissions.

The next step is to create a deb package.

When on a Ubuntu VM, install the foo package which was created

Looking at /etc/test/scripts and viewing the permissions. Permissions are passed exactly the same as the source.

Solution

To prevent world-writable files from making it into the packages, add the ability to override the default permissions of packaged files using a umask config option in the packaging spec file. This feature in nfpm would allow applying a global umask across any files being packaged, therefore, with the correct configuration, preventing world-writable files without needing to list permissions on each and every file in the package

Impact

Vulnerability is https://cwe.mitre.org/data/definitions/276.html https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Anyone using nfpm for creating packages and not checking/setting file permissions before packaging could result in bad permissions for files/folders.