Package: yadm
Version: 1.10.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Dear Maintainer,
In its default configuration, yadm ensures that .ssh/ and .gnupg/ files are
readable by the owner only. That is implemented by running 'chmod' on the
files after they have been created:
https://sources.debian.net/src/yadm/1.10.0-1/yadm/#L671
That way has a race condition: whilst the git worktree is being checked out,
the .ssh and .gnupg files have the permissions of the user's umask. I added a
debug printf just before the 'chmod' and it showed .ssh/ and .ssh/config having
permissions «u=rwX,go=rX», i.e., world readable.
I tested in an uptodate sid chroot.
(I'm leaving the severity as 'grave' since I figure the vulnerability window
may be long in setups where the tree being checked out is large.)
Cheers,
Daniel