Bug 707139 - repo: Only apply setuid/xattrs after checksum validation
Status: RESOLVED FIXED
Product: ostree
Classification: Infrastructure
Component: general
Version: unspecified
Hardware: Other
OS: All
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: OSTree maintainer(s)
Depends on:
Blocks:
Reported: 2013-08-30 16:18 UTC by Colin Walters
Modified: 2013-09-02 19:37 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
repo: Only apply setuid/xattrs after checksum validation (8.42 KB, patch), 2013-08-30 16:18 UTC, Colin Walters, review status: none
repo: Only apply setuid/xattrs after checksum validation (8.42 KB, patch), 2013-08-30 16:33 UTC, Colin Walters, review status: committed

Description Colin Walters 2013-08-30 16:18:03 UTC
See the new comment in the source; basically if we're fetching content
over http, then someone with the capability to MITM the network could
create a transient setuid binary on disk with arbitrary content.  If
they also had a process running on the system (such as an application)
it could be escalated to root.
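The ordering the description asks for, as an added illustration (not ostree's code): fetched content is written to a 0600 temporary file, its checksum is verified, and only then are privileged mode bits (and, by the same rule, xattrs) applied before an atomic rename. The function names, the sample objects and the tampered content are constructed for this example.

```python
import hashlib
import os
import stat
import tempfile


class ChecksumMismatch(Exception):
    pass


def commit_object(content: bytes, expected_sha256: str, dest: str, mode: int) -> str:
    """Write fetched content to dest; grant `mode` only after the checksum
    matches.  Returns the verified checksum.  The temp file is created 0600
    without setuid, so unverified bytes never exist on disk as a setuid file."""
    dest_dir = os.path.dirname(os.path.abspath(dest))
    fd, tmp_path = tempfile.mkstemp(prefix=".tmp-", dir=dest_dir)  # mkstemp => 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
            actual = hashlib.sha256(content).hexdigest()
            if actual != expected_sha256:
                raise ChecksumMismatch(f"expected {expected_sha256}, got {actual}")
            # Verified: now it is safe to apply setuid/setgid bits (and xattrs).
            os.fchmod(f.fileno(), mode)
        os.rename(tmp_path, dest)  # atomic; dest never appears half-written
        return actual
    except BaseException:
        if os.path.exists(tmp_path):  # drop the unprivileged temp file on any failure
            os.unlink(tmp_path)
        raise


def demonstrate() -> tuple:
    """Constructed scenario: one genuine object and one whose content was
    altered in transit.  Returns (good_has_setuid, tampered_rejected, files_left)."""
    workdir = tempfile.mkdtemp()
    good = b"#!/bin/sh\necho ok\n"
    expected = hashlib.sha256(good).hexdigest()
    commit_object(good, expected, os.path.join(workdir, "obj"), 0o4755)
    good_has_setuid = bool(os.stat(os.path.join(workdir, "obj")).st_mode & stat.S_ISUID)
    try:
        commit_object(b"#!/bin/sh\necho evil\n", expected, os.path.join(workdir, "obj2"), 0o4755)
        tampered_rejected = False
    except ChecksumMismatch:
        tampered_rejected = True
    return good_has_setuid, tampered_rejected, sorted(os.listdir(workdir))
```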
Comment 1 Colin Walters 2013-08-30 16:18:05 UTC
Created attachment 253630
repo: Only apply setuid/xattrs after checksum validation
Comment 2 Colin Walters 2013-08-30 16:33:55 UTC
Created attachment 253633
repo: Only apply setuid/xattrs after checksum validation

Rebased correctly
Comment 3 Jeremy Whiting 2013-09-02 19:01:35 UTC
Looks good to me, go for it.
Comment 4 Colin Walters 2013-09-02 19:37:19 UTC
Attachment 253633 pushed as dd7d2f7 - repo: Only apply setuid/xattrs after checksum validation