Summary
gcm-linux_amd64.2.4.1.deb installs as follows:
$ ls -ln /usr/local/bin/git-credential-manager
lrwxrwxrwx 1 1001 998 40 Nov 1 15:31 /usr/local/bin/git-credential-manager -> ../share/gcm-core/git-credential-manager
$ ls -lan /usr/local/share/gcm-core/
total 85064
drwxr-xr-x 2 1001 998 4096 Apr 5 17:58 .
drwxr-xr-x 9 0 0 4096 Apr 5 17:58 ..
-rwxr-xr-x 1 1001 998 2597 Nov 1 15:31 NOTICE
-rwxr-xr-x 1 1001 998 76233138 Nov 1 15:31 git-credential-manager
-rwxr-xr-x 1 1001 998 1607016 Nov 1 15:31 libHarfBuzzSharp.so
-rwxr-xr-x 1 1001 998 9240832 Nov 1 15:31 libSkiaSharp.so
This directory and these files should be owned by root:root, not 1001:998. Otherwise uid 1001 is able to replace /usr/local/share/gcm-core/git-credential-manager. In this case they can place untrusted code that could be executed by any other user of the system.
In addition, please see #1567: because this package is not in an officially hosted repository (e.g. Debian, Ubuntu, packages.microsoft.com, etc.), users can't easily upgrade it in the face of security issues like this one or others.
Details
Somewhere along the line, https://github.com/git-ecosystem/git-credential-manager/blob/main/src/linux/Packaging.Linux/pack.sh should be ensuring that the uid/gid on all files and directories in the package is root:root.
In addition, this package doesn't comply with the Filesystem Hierarchy Standard:
git-credential-manager should be in /usr/bin, not /usr/local/bin;
/usr/local/share/gcm-core should be /usr/share/gcm-core.
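The following is an added example, not code from the advisory or the git-credential-manager project: a small POSIX shell audit that flags installed paths whose numeric uid or gid is not 0. The `sample_listing` function carries a constructed `ls -ln` listing modelled on the one above so the check can be exercised offline; `audit_deb_package` is a live variant that walks the paths `dpkg -L` reports for a package (the package name passed to it is whatever the installed .deb is called on your system, which is assumed here, not stated by the advisory).

```shell
#!/bin/sh
# Added example (not part of the advisory or the GCM project):
# audit installed files for ownership other than root:root.

# Constructed sample in 'ls -ln' format, modelled on the advisory's listing.
# Three entries are owned by 1001:998, one by 0:0.
sample_listing() {
  cat <<'EOF'
drwxr-xr-x 2 1001 998 4096 Apr 5 17:58 .
-rwxr-xr-x 1 1001 998 2597 Nov 1 15:31 NOTICE
-rwxr-xr-x 1 1001 998 76233138 Nov 1 15:31 git-credential-manager
-rwxr-xr-x 1 0 0 1607016 Nov 1 15:31 libHarfBuzzSharp.so
EOF
}

# Read 'ls -ln' lines on stdin; print the name of every entry whose
# numeric uid (field 3) or gid (field 4) is not 0.
find_non_root() {
  awk '$3 != 0 || $4 != 0 { print $NF }'
}

# Offline demo: how many entries in the constructed sample are not root:root.
count_non_root_in_sample() {
  sample_listing | find_non_root | wc -l | tr -d ' '
}

# Live check: every path recorded for an installed Debian package.
# Prints offending paths and returns 1 if any is not owned by uid 0 / gid 0.
# Requires dpkg and GNU stat ('%u' = numeric uid, '%g' = numeric gid).
# The package name is an assumption of the caller, e.g. audit_deb_package gcm
audit_deb_package() {
  pkg="$1"
  dpkg -L "$pkg" 2>/dev/null | while IFS= read -r path; do
    [ -e "$path" ] || [ -L "$path" ] || continue
    set -- $(stat -c '%u %g' "$path")
    if [ "$1" != 0 ] || [ "$2" != 0 ]; then
      printf 'NOT root:root (%s:%s): %s\n' "$1" "$2" "$path"
    fi
  done | grep . && return 1
  return 0
}
```

Run `count_non_root_in_sample` to see the offline result (3 of the 4 sample entries), or `audit_deb_package <package-name>` on a real host. On the packaging side, the usual fix for a build that runs as an unprivileged user is to force ownership at packaging time rather than relying on the build user's uid: `dpkg-deb --root-owner-group` (dpkg 1.19.0 and later) or `tar --owner=0 --group=0` when the payload is assembled with tar.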
Impact
User 1001 on a multi-user system can replace the binary and gain other users' privileges.
Note this only affects the Debian package, and therefore Mac and Windows users are unaffected. In addition, only multi-user Linux systems where the installation method was the Debian package are affected.
Fixed versions
This issue is fixed as of version 2.5.0.