[DRE-maint] Bug#866862: diaspora-installer: installs world-writable ruby libraries

Andreas Beckmann anbe at debian.org
Sun Jul 2 09:24:43 UTC 2017


Package: diaspora-installer
Version: 0.6.6.0+debian1
Severity: grave
Tags: security
Justification: user security hole
User: debian-qa at lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package installs
world-writable files, including a bunch of .rb scripts, allowing
unprivileged local users to "customize" your diaspora experience.

Since this is a downloader package, it needs to sanitize the
stuff it downloads and installs from the net.

From the attached log (scroll to the bottom...):

  ERROR: BAD PERMISSIONS
  -rw-rw-rw- 1 diaspora nogroup 1935 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/configurate-0.3.1/lib/configurate/lookup_chain.rb
  -rw-rw-rw- 1 diaspora nogroup  154 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/.gitignore
  -rw-rw-rw- 1 diaspora nogroup  242 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/.travis.yml
  -rw-rw-rw- 1 diaspora nogroup   98 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/Gemfile
  -rw-rw-rw- 1 diaspora nogroup 1069 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/LICENSE.txt
  -rw-rw-rw- 1 diaspora nogroup 3354 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/README.md
  -rw-rw-rw- 1 diaspora nogroup  233 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/Rakefile
  -rw-rw-rw- 1 diaspora nogroup  918 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store.rb
  -rw-rw-rw- 1 diaspora nogroup  233 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store/middleware.rb
  -rw-rw-rw- 1 diaspora nogroup  785 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store/railtie.rb
  -rw-rw-rw- 1 diaspora nogroup   44 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/lib/request_store/version.rb
  -rw-rw-rw- 1 diaspora nogroup  943 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/request_store.gemspec
  -rw-rw-rw- 1 diaspora nogroup  981 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/test/middleware_test.rb
  -rw-rw-rw- 1 diaspora nogroup 1607 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/test/request_store_test.rb
  -rw-rw-rw- 1 diaspora nogroup  267 Jun 29 20:22 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/request_store-1.3.2/test/test_helper.rb
  -rw-rw-rw- 1 diaspora nogroup 3255 Jun 29 20:24 /var/lib/diaspora/vendor/bundle/ruby/2.3.0/gems/twitter-text-1.14.5/README.md


cheers,

Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diaspora-installer_0.6.6.0+debian1.log.gz
Type: application/gzip
Size: 62085 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20170702/79a5bf6c/attachment-0001.bin>
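The check and the fix the report asks for, as an added example that is not code from the bug report or from the diaspora-installer package: the first function reproduces the piuparts world-writable scan (printing the same `ls -ld` style lines as the log above), the second strips group and other write bits from a downloaded tree such as /var/lib/diaspora/vendor/bundle. Function and variable names are assumptions.

```shell
# Added example, not code from the bug report or from diaspora-installer.
# The package's postinst (or a piuparts-style test) could run these over
# the tree the downloader populates, e.g. /var/lib/diaspora/vendor/bundle.

# Print an ls -ld line (the format seen in the piuparts log) for every
# file or directory under $1 that is writable by "other" (mode bit 0002).
# Returns 1 if any were found, 0 if the tree is clean.
find_world_writable() {
    ww_dir=$1
    ww_list=$(find "$ww_dir" \( -type f -o -type d \) -perm -0002 -exec ls -ld {} +)
    if [ -n "$ww_list" ]; then
        printf 'ERROR: BAD PERMISSIONS\n%s\n' "$ww_list"
        return 1
    fi
    return 0
}

# Strip group and other write bits from everything under $1, so that only
# the owner (here: the diaspora user) can modify the downloaded code.
# Run this over the downloaded code tree only; runtime directories the
# application must write to (tmp/, log/, uploads) need their own,
# deliberately chosen permissions rather than a blanket chmod.
sanitize_tree() {
    chmod -R go-w "$1"
}
```

A downloader package that runs `sanitize_tree` right after unpacking, and `find_world_writable` as a final self-check, would have caught the files listed in the log before the install completed.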