----
Security Releases: Omnibus 2.0.2 and 3.2.2 (insecure file ownership in Omnibus-built Debian and Ubuntu packages)
// Chef Blog
Ohai everyone,
We have released Omnibus 2.0.2 and Omnibus 3.2.2 to address an issue in which the contents of Omnibus-built Debian and Ubuntu packages are being installed with an arbitrary non-root UID and GID. This issue would allow a user with that UID and GID to replace the contents of the installed files and have them be executed by root. All Omnibus 2 and Omnibus 3 projects building for Debian or Ubuntu should be upgraded.
Omnibus 4, which is available as a prerelease version, is not affected.
We have released related updates to our existing software packages built with Omnibus. See Affected Products for further details.
Description
Prior to this release, Omnibus 2 and Omnibus 3 defaults did not specify a target package user or group for Debian packages. The files bundled into the resulting .deb package kept the UID/GID of the executing process.Installing one of these Omnibus-built Debian-style (.deb) packages creates files in the installation directory that are owned by user-space UIDs, such as UID/GID 999 or UID/GID 1001, instead of UID/GID 0 (root). An unprivileged user on the install system with the same UID/GID would be able to change file contents to execute arbitrary commands as the user running an application thus installed.
Omnibus packages in which a target package user or group has been specified with package_user
or package_group
are not affected. RPM packages are not affected as their target package user and group have always defaulted to UID/GID 0.
Affected Versions
- (supported) All versions of Omnibus 2 and Omnibus 3.
- (deprecated) All versions of Omnibus 1 since 1.1.0.
Build Platforms
- Ubuntu Linux
- Debian Linux
Remediation
- Option 1: In the main directory of your Omnibus project, run
bundle update omnibus
to update your installation of the Omnibus gem and its dependencies. If you do not wish to update a dependency of Omnibus, you may need to adjust the version of that dependency set in your Gemfile and/or Gemfile.lock. You will also need to set file ownership in a post-install script in order to fix package upgrades to an existing installation, e.g.chown -Rh 0:0 $INSTALLER_DIR
- Option 2: Set
package_user
andpackage_group
appropriately in the configuration file for your Omnibus project. You will also need to set file ownership in a post-install script in order to fix package upgrades to an existing installation, e.g.chown -Rh 0:0 $INSTALLER_DIR
Affected Products
----
Shared via my feedly reader
Sent from my iPhone
No comments:
Post a Comment