Bug#881749: redmine: creates world-writable tempdir /tmp/bundler/home
Control: reassign -1 ruby-bundler Control: tags -1 + security Quack, This repository is created by bundler, and there is no code in the redmine package specifying this repository, so this is using the default Bundler behavior. In fact someone already reported about this directory being created and left over in #796383, without seeing the security implications. Also I looked into the code and in /usr/lib/ruby/vendor_ruby/bundler.rb you can read the 'tmp_home_path' method: path = Pathname.new(Dir.tmpdir).join("bundler", "home") SharedHelpers.filesystem_access(path) do |tmp_home_path| unless tmp_home_path.exist? tmp_home_path.mkpath tmp_home_path.chmod(0o777) This is really horrible and I wonder how it was not found out earlier. Anyway, reassigning and thanks for findind this out. \_o< -- Marc Dequènes
Bug#881749: redmine: creates world-writable tempdir /tmp/bundler/home
Package: redmine Version: 3.3.1-4 Severity: serious User: debian...@lists.debian.org Usertags: piuparts Control: affects -1 + redmine-sqlite redmine-mysql redmine-pgsql Hi, during a test with piuparts I noticed your package behaves strangely while upgrading from 'stretch' to 'buster'. There is currently no redmine in buster, so the stretch version (which matches sid) is kept installed. But after the upgrade an insecure temporary directory appears: /tmp/bundler/home which is a) a predictable path name b) world writable This directory does not show up after just an installation in stretch. redmine(-*) are the only packages showing such behavior. >From the attached log (scroll to the bottom...): ERROR: BAD PERMISSIONS drwxrwxrwx 3 www-data www-data 60 Nov 13 17:05 /tmp/bundler/home cheers, Andreas redmine_None.log.gz Description: application/gzip