Bug#881749: redmine: creates world-writable tempdir /tmp/bundler/home

[duck]

Control: reassign -1 ruby-bundler
Control: tags -1 + security


Quack,

This repository is created by bundler, and there is no code in the 
redmine package specifying this repository, so this is using the default 
Bundler behavior.


In fact someone already reported about this directory being created and 
left over in #796383, without seeing the security implications.


Also I looked into the code and in /usr/lib/ruby/vendor_ruby/bundler.rb 
you can read the 'tmp_home_path' method:

  path = Pathname.new(Dir.tmpdir).join("bundler", "home")
  SharedHelpers.filesystem_access(path) do |tmp_home_path|
unless tmp_home_path.exist?
  tmp_home_path.mkpath
  tmp_home_path.chmod(0o777)

This is really horrible and I wonder how it was not found out earlier.

Anyway, reassigning and thanks for findind this out.
\_o<

--
Marc Dequènes

Bug#881749: redmine: creates world-writable tempdir /tmp/bundler/home

[Andreas Beckmann]

Package: redmine
Version: 3.3.1-4
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Control: affects -1 + redmine-sqlite redmine-mysql redmine-pgsql

Hi,

during a test with piuparts I noticed your package behaves strangely
while upgrading from 'stretch' to 'buster'.

There is currently no redmine in buster, so the stretch version (which
matches sid) is kept installed.

But after the upgrade an insecure temporary directory appears:

   /tmp/bundler/home

which is

 a) a predictable path name
 b) world writable

This directory does not show up after just an installation in stretch.

redmine(-*) are the only packages showing such behavior.


>From the attached log (scroll to the bottom...):

  ERROR: BAD PERMISSIONS
  drwxrwxrwx 3 www-data www-data 60 Nov 13 17:05 /tmp/bundler/home


cheers,


Andreas


redmine_None.log.gz
Description: application/gzip