GHSA-W7JW-Q4FG-QC4C
Vulnerability from github – Published: 2023-05-24 17:30 – Updated: 2024-05-20 21:52Summary
When building packages directly from source control, file permissions on the checked-in files are not maintained.
Details
When building packages directly from source control, file permissions on the checked-in files are not maintained. When nfpm packaged the files (without extra config for enforcing its own permissions) files could go out with bad permissions (chmod 666 or 777).
PoC
Create a default nfpm structure.
Within the test folder, create 3 files named chmod-XXX.sh. Each script has file
permissions set corresponding with their file names (chmod-777.sh = chmod 777). Below each
file and permissions can be seen.
$ ls -lart test
total 24
-rwxrwxrwx 1 user group 11 May 19 13:15 chmod-777.sh
-rw-rw-rw- 1 user group 11 May 19 13:16 chmod-666.sh
drwxr-xr-x 5 user group 160 May 19 13:19 .
-rw-rw-r-- 1 user group 11 May 19 13:19 chmod-664.sh
drwxr-xr-x 10 user group 320 May 19 13:29 ..
Below is the snippet nfpm configuration file of the contents of the package. The test folder and files has no extra config for enforcing permissions.
contents:
- src: foo-binary
dst: /usr/bin/bar
- src: bar-config.conf
dst: /etc/foo-binary/bar-config.conf
type: config
- src: test
dst: /etc/test/scripts
The next step is to create a deb package.
$ nfpm package -p deb # Create dep package
using deb packager...
created package: foo_1.0.0_arm64.deb
When on a Ubuntu VM, install the foo package which was created
$ sudo dpkg -i foo_1.0.0_arm64.deb # Installing deb package within Ubuntu
Selecting previously unselected package foo.
(Reading database ... 67540 files and directories currently installed.)
Preparing to unpack foo_1.0.0_arm64.deb ...
Unpacking foo (1.0.0) ...
Setting up foo (1.0.0) ...
Looking at /etc/test/scripts and viewing the permissions. Permissions are passed exactly the same as the source.
$ ls -lart /etc/test/scripts
total 20
-rwxrwxrwx 1 root root 11 May 22 12:15 chmod-777.sh
-rw-rw-rw- 1 root root 11 May 22 12:16 chmod-666.sh
-rw-rw-r-- 1 root root 11 May 22 12:19 chmod-664.sh
drwxr-xr-x 3 root root 4096 May 22 13:00 ..
drwxr-xr-x 2 root root 4096 May 22 13:00 .
Solution
To prevent world-writable files from making it into the packages, add the ability to override the default permissions of packaged files using a umask config option in the packaging spec file. This feature in nfpm would allow applying a global umask across any files being packaged, therefore, with the correct configuration, preventing world-writable files without needing to list permissions on each and every file in the package
Impact
Vulnerability is https://cwe.mitre.org/data/definitions/276.html https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Anyone using nfpm for creating packages and not checking/setting file permissions before packaging could result in bad permissions for files/folders.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/goreleaser/nfpm/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.29.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/goreleaser/nfpm"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"last_affected": "1.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32698"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-24T17:30:16Z",
"nvd_published_at": "2023-05-30T04:15:10Z",
"severity": "HIGH"
},
"details": "### Summary\nWhen building packages directly from source control, file permissions on the checked-in files are not maintained. \n\n### Details\nWhen building packages directly from source control, file permissions on the checked-in files are not maintained. When nfpm packaged the files (without extra config for enforcing its own permissions) files could go out with bad permissions (chmod 666 or 777).\n\n### PoC\nCreate a default nfpm structure. \n\nWithin the test folder, create 3 files named `chmod-XXX.sh`. Each script has file \npermissions set corresponding with their file names (`chmod-777.sh` = `chmod 777`). Below each \nfile and permissions can be seen.\n\n```console\n$ ls -lart test \ntotal 24\n-rwxrwxrwx 1 user group 11 May 19 13:15 chmod-777.sh\n-rw-rw-rw- 1 user group 11 May 19 13:16 chmod-666.sh\ndrwxr-xr-x 5 user group 160 May 19 13:19 .\n-rw-rw-r-- 1 user group 11 May 19 13:19 chmod-664.sh\ndrwxr-xr-x 10 user group 320 May 19 13:29 ..\n```\n\nBelow is the snippet nfpm configuration file of the contents of the package. The test folder \nand files has no extra config for enforcing permissions. \n\n```yaml\ncontents:\n- src: foo-binary\n dst: /usr/bin/bar\n- src: bar-config.conf\n dst: /etc/foo-binary/bar-config.conf\n type: config\n- src: test\n dst: /etc/test/scripts\n```\n\nThe next step is to create a deb package.\n\n```console\n$ nfpm package -p deb # Create dep package\nusing deb packager...\ncreated package: foo_1.0.0_arm64.deb\n```\n\nWhen on a Ubuntu VM, install the foo package which was created\n\n```console\n$ sudo dpkg -i foo_1.0.0_arm64.deb # Installing deb package within Ubuntu\nSelecting previously unselected package foo.\n(Reading database ... 67540 files and directories currently installed.)\nPreparing to unpack foo_1.0.0_arm64.deb ...\nUnpacking foo (1.0.0) ...\nSetting up foo (1.0.0) ...\n```\n\nLooking at `/etc/test/scripts` and viewing the permissions. Permissions are passed exactly the same as the source.\n\n```console\n$ ls -lart /etc/test/scripts\ntotal 20\n-rwxrwxrwx 1 root root 11 May 22 12:15 chmod-777.sh\n-rw-rw-rw- 1 root root 11 May 22 12:16 chmod-666.sh\n-rw-rw-r-- 1 root root 11 May 22 12:19 chmod-664.sh\ndrwxr-xr-x 3 root root 4096 May 22 13:00 ..\ndrwxr-xr-x 2 root root 4096 May 22 13:00 .\n```\n\n\n## Solution\nTo prevent world-writable files from making it into the packages, add the ability to override the default permissions of packaged files using a umask config option in the packaging spec file. This feature in nfpm would allow applying a global umask across any files being packaged, therefore, with the correct configuration, preventing world-writable files without needing to list permissions on each and every file in the package\n\n\n### Impact\n\nVulnerability is https://cwe.mitre.org/data/definitions/276.html\nhttps://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\n\nAnyone using nfpm for creating packages and not checking/setting file permissions before packaging could result in bad permissions for files/folders.",
"id": "GHSA-w7jw-q4fg-qc4c",
"modified": "2024-05-20T21:52:23Z",
"published": "2023-05-24T17:30:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32698"
},
{
"type": "WEB",
"url": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30"
},
{
"type": "PACKAGE",
"url": "https://github.com/goreleaser/nfpm"
},
{
"type": "WEB",
"url": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "nfpm has incorrect default permissions"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.