Debian package does not set root ownership on installed files

Moderate
mjcheetham published GHSA-3c3g-h9rx-f7vq Apr 18, 2024

Package

Git Credential Manager

Affected versions

< 2.4.x

Patched versions

2.5.0

Description

Summary

gcm-linux_amd64.2.4.1.deb installs as follows:

$ ls -ln /usr/local/bin/git-credential-manager
lrwxrwxrwx 1 1001 998 40 Nov 1 15:31 /usr/local/bin/git-credential-manager -> ../share/gcm-core/git-credential-manager

$ ls -lan /usr/local/share/gcm-core/
total 85064
drwxr-xr-x 2 1001 998 4096 Apr 5 17:58 .
drwxr-xr-x 9 0 0 4096 Apr 5 17:58 ..
-rwxr-xr-x 1 1001 998 2597 Nov 1 15:31 NOTICE
-rwxr-xr-x 1 1001 998 76233138 Nov 1 15:31 git-credential-manager
-rwxr-xr-x 1 1001 998 1607016 Nov 1 15:31 libHarfBuzzSharp.so
-rwxr-xr-x 1 1001 998 9240832 Nov 1 15:31 libSkiaSharp.so

This directory and these files should be owned by root:root, not 1001:998. Otherwise uid 1001 is able to replace /usr/local/share/gcm-core/git-credential-manager, and can thereby plant untrusted code that any other user of the system would then execute.

In addition, please see #1567: because this package is not in an officially hosted repository (e.g. Debian, Ubuntu, packages.microsoft.com), users can't easily upgrade it in the face of security issues like this one or others.

Details

Somewhere in the build, https://github.com/git-ecosystem/git-credential-manager/blob/main/src/linux/Packaging.Linux/pack.sh should be ensuring that the uid/gid on all files and directories in the package is root:root.

In addition, this package doesn't comply with the Filesystem Hierarchy Standard:

git-credential-manager should be in /usr/bin, not /usr/local/bin;
/usr/local/share/gcm-core should be /usr/share/gcm-core.
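As an added example (not code from the advisory or from the GCM project), the following Python audits a Debian package's data tarball, as obtained with `dpkg-deb --fsys-tarfile pkg.deb`, for the two problems raised above: entries not owned by 0:0, and entries installed under /usr/local. It also shows the root:root normalization pack.sh should apply at build time. The sample tarball is constructed in memory to mirror the listing in the Summary; it is not the real package payload.

```python
import io
import tarfile

# Constructed stand-in for a .deb data tarball, modelled on the advisory's listing:
# every entry owned by uid 1001 / gid 998 and installed under /usr/local.
SAMPLE_ENTRIES = [  # (path, uid, gid, kind, symlink target)
    ("./usr/local/share/gcm-core/", 1001, 998, "dir", None),
    ("./usr/local/share/gcm-core/git-credential-manager", 1001, 998, "file", None),
    ("./usr/local/bin/git-credential-manager", 1001, 998, "symlink",
     "../share/gcm-core/git-credential-manager"),
]

def build_data_tar(entries=SAMPLE_ENTRIES):
    """Build an in-memory tar with explicit ownership so the audit can run offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, uid, gid, kind, target in entries:
            info = tarfile.TarInfo(path)
            info.uid, info.gid, info.mode = uid, gid, 0o755
            payload = None
            if kind == "dir":
                info.type = tarfile.DIRTYPE
            elif kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, target
            else:
                payload = io.BytesIO(b"placeholder\n")  # contents are irrelevant here
                info.size = len(payload.getvalue())
            tar.addfile(info, payload)
    return buf.getvalue()

def audit_data_tar(tar_bytes):
    """Flag non-root ownership (the security issue) and /usr/local paths (the FHS issue)."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            rel = m.name[2:] if m.name.startswith("./") else m.name.lstrip("/")
            if m.uid != 0 or m.gid != 0:
                problems.append((m.name, f"owned by {m.uid}:{m.gid}, expected 0:0"))
            if rel.startswith("usr/local/"):
                problems.append((m.name, "installed under /usr/local, reserved for the local admin"))
    return problems

def normalize_ownership(tar_bytes):
    """Rewrite every entry to root:root, the result pack.sh should produce at build time."""
    src = tarfile.open(fileobj=io.BytesIO(tar_bytes))
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as dst:
        for m in src.getmembers():
            m.uid = m.gid = 0
            dst.addfile(m, src.extractfile(m) if m.isreg() else None)
    return out.getvalue()
```

Running `audit_data_tar` over the rebuilt archive leaves only the /usr/local findings, which the ownership fix cannot address; those require moving the install paths to /usr/bin and /usr/share.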

Impact

User 1001 on a multi-user system can replace the binary and gain other users' privileges.

Note this only affects the Debian package, and therefore Mac and Windows users are unaffected. Only multi-user Linux systems on which the software was installed from the Debian package are affected.

Fixed versions

This issue is fixed as of version 2.5.0.

Severity

Moderate

CVSS v3 base metrics

Attack vector
Local
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

CVE ID

CVE-2024-32478

Weaknesses

No CWEs

Credits