2211030 – (CVE-2023-32698) CVE-2023-32698 nFPM: creating packages without checking file permissions results in bad permission

Bug 2211030 (CVE-2023-32698) - CVE-2023-32698 nFPM: creating packages without checking file permissions results in bad permission

Summary: CVE-2023-32698 nFPM: creating packages without checking file permissions resu...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2023-32698
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2211031
TreeView+	depends on / blocked

Reported:	2023-05-30 10:32 UTC by msiddiqu
Modified:	2023-05-31 23:12 UTC (History)
CC List:	0 users
Fixed In Version:	nfpm 2.29.0
Clone Of:
Environment:
Last Closed:	2023-05-31 23:12:22 UTC
Embargoed:

Attachments	(Terms of Use)

Description msiddiqu 2023-05-30 10:32:43 UTC

nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.

References: 
 
https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30	
https://github.com/goreleaser/nfpm/releases/tag/v2.29.0	
https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c

Comment 1 Product Security DevOps Team 2023-05-31 23:12:20 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-32698

Note You need to log in before you can comment on or make changes to this bug.