Friday, September 19, 2014

Security Releases: Omnibus 2.0.2 and 3.2.2 (insecure file ownership in Omnibus-built Debian and Ubuntu packages) [feedly]



----
Security Releases: Omnibus 2.0.2 and 3.2.2 (insecure file ownership in Omnibus-built Debian and Ubuntu packages)
// Chef Blog

Ohai everyone,

We have released Omnibus 2.0.2 and Omnibus 3.2.2 to address an issue in which the contents of Omnibus-built Debian and Ubuntu packages are being installed with an arbitrary non-root UID and GID. This issue would allow a user with that UID and GID to replace the contents of the installed files and have them be executed by root. All Omnibus 2 and Omnibus 3 projects building for Debian or Ubuntu should be upgraded.

Omnibus 4, which is available as a prerelease version, is not affected.

We have released related updates to our existing software packages built with Omnibus. See Affected Products for further details.

Description

Prior to this release, Omnibus 2 and Omnibus 3 defaults did not specify a target package user or group for Debian packages. The files bundled into the resulting .deb package kept the UID/GID of the executing process.

Installing one of these Omnibus-built Debian-style (.deb) packages creates files in the installation directory that are owned by user-space UIDs, such as UID/GID 999 or UID/GID 1001, instead of UID/GID 0 (root). An unprivileged user on the install system with the same UID/GID would be able to change file contents to execute arbitrary commands as the user running an application thus installed.

Omnibus packages in which a target package user or group has been specified with package_user or package_group are not affected.  RPM packages are not affected as their target package user and group have always defaulted to UID/GID 0.

Affected Versions

  • (supported) All versions of Omnibus 2 and Omnibus 3.
  • (deprecated) All versions of Omnibus 1 since 1.1.0.

Build Platforms

  • Ubuntu Linux
  • Debian Linux

Remediation

  • Option 1: In the main directory of your Omnibus project, run bundle update omnibus to update your installation of the Omnibus gem and its dependencies. If you do not wish to update a dependency of Omnibus, you may need to adjust the version of that dependency set in your Gemfile and/or Gemfile.lock. You will also need to set file ownership in a post-install script in order to fix package upgrades to an existing installation, e.g. chown -Rh 0:0 $INSTALLER_DIR
  • Option 2: Set package_user and package_group appropriately in the configuration file for your Omnibus project. You will also need to set file ownership in a post-install script in order to fix package upgrades to an existing installation, e.g. chown -Rh 0:0 $INSTALLER_DIR

Affected Products


----

Shared via my feedly reader


Sent from my iPhone

No comments:

Post a Comment