Binary installed world writeable (version 1.49.8), security problem #1

Open
mfechner opened this issue Oct 26, 2023 · 2 comments

@mfechner

Hi,

installing the module installs the following files with world writeable permission:

2674687 -rwxr-xrwx  1 root  wheel      453 Oct 23 19:06:06 2023 /usr/local/lib/ruby/gems/3.1/gems/dartsass-1.49.8/exe/darwin/sass
2681602 -rwxr-xrwx  1 root  wheel  4087248 Oct 23 19:06:06 2023 /usr/local/lib/ruby/gems/3.1/gems/dartsass-1.49.8/exe/darwin/src/dart
2681605 -rwxr-xrwx  1 root  wheel  9748296 Oct 23 19:06:06 2023 /usr/local/lib/ruby/gems/3.1/gems/dartsass-1.49.8/exe/linux/sass

Could you please install them not world writeable, i.e. with permission 755 instead of 757?

freebsd-git pushed a commit to freebsd/freebsd-ports that referenced this issue Oct 27, 2023
The port installed files that are world writeable.
Fix this problem.

It is also reported upstream:
ayushn21/dartsass-ruby#1
@ayushn21
Owner

ayushn21 commented Mar 4, 2024

Hey @mfechner, sorry it took me so long to get to this.

I see the following access for each file in the repo: -rwxr-xr-x.

Maybe it's something weird with your specific installation? As far as I can tell the executables in the git repo have the right permissions. This isn't my area of expertise though so happy to follow your lead on this.

Please try to clone the repo and verify the permissions on the files.

@mfechner
Author

mfechner commented Mar 7, 2024

Hi @ayushn21, you can see the problem like this:

mkdir t2
cd t2
wget https://rubygems.org/downloads/dartsass-1.49.8.gem
tar xzvf dartsass-1.49.8.gem
tar tvf data.tar.gz
-rw-r--r--  0 wheel  wheel    1361 Feb 21  2022 LICENSE-DEPENDENCIES.md
-rw-r--r--  0 wheel  wheel     876 Feb 21  2022 README.md
-rwxr-xr-x  0 wheel  wheel     641 Feb 21  2022 exe/dartsass
-rwxr-xrwx  0 wheel  wheel     453 Feb 21  2022 exe/darwin/sass
-rw-r-xr--  0 wheel  wheel   78495 Feb 21  2022 exe/darwin/src/LICENSE
-rwxr-xrwx  0 wheel  wheel 4087248 Feb 21  2022 exe/darwin/src/dart
-rw-r-xr--  0 wheel  wheel 4702048 Feb 21  2022 exe/darwin/src/sass.snapshot
-rwxr-xrwx  0 wheel  wheel 9748296 Feb 21  2022 exe/linux/sass
-rw-r-xr--  0 wheel  wheel   78495 Feb 21  2022 exe/linux/src/LICENSE
-rw-r--r--  0 wheel  wheel     253 Feb 21  2022 exe/mingw32/sass.bat
-rw-r--r--  0 wheel  wheel   78515 Feb 21  2022 exe/mingw32/src/LICENSE
-rw-r--r--  0 wheel  wheel 4047360 Feb 21  2022 exe/mingw32/src/dart.exe
-rw-r--r--  0 wheel  wheel 4701888 Feb 21  2022 exe/mingw32/src/sass.snapshot
-rw-r--r--  0 wheel  wheel      88 Feb 21  2022 lib/dartsass-ruby.rb
-rw-r--r--  0 wheel  wheel      72 Feb 21  2022 lib/dartsass/version.rb
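
An added example, not part of the original thread or the project's code: a Ruby check that reads a `.gem` with RubyGems' own tar reader and lists every entry in `data.tar.gz` whose mode grants write access to "other". The helper names and the sample archive are constructed here; the sample reuses modes from the listing above.

```ruby
require "rubygems/package"
require "stringio"
require "zlib"

# Return [path, mode] for each entry of a tar stream that "other" may write to.
def world_writable_entries(tar_io)
  found = []
  Gem::Package::TarReader.new(tar_io) do |tar|
    tar.each do |entry|
      next unless entry.file? || entry.directory?
      mode = entry.header.mode & 0o7777
      found << [entry.full_name, mode] if (mode & 0o002) != 0
    end
  end
  found
end

# A .gem is a plain tar; its data.tar.gz member holds the files that get installed.
def world_writable_in_gem(gem_io)
  Gem::Package::TarReader.new(gem_io) do |outer|
    outer.each do |member|
      next unless member.full_name == "data.tar.gz"
      return world_writable_entries(StringIO.new(Zlib.gunzip(member.read)))
    end
  end
  raise ArgumentError, "no data.tar.gz member found"
end

# Constructed sample: a tiny gem-shaped archive with placeholder file contents.
def build_sample_gem
  files = { "README.md" => 0o644, "exe/dartsass" => 0o755, "exe/darwin/sass" => 0o757,
            "exe/darwin/src/LICENSE" => 0o654, "exe/linux/sass" => 0o757 }
  inner = StringIO.new("".b)
  Gem::Package::TarWriter.new(inner) do |tar|
    files.each { |name, mode| tar.add_file_simple(name, mode, 4) { |io| io.write("demo") } }
  end
  gz = Zlib.gzip(inner.string)
  outer = StringIO.new("".b)
  Gem::Package::TarWriter.new(outer) do |tar|
    tar.add_file_simple("data.tar.gz", 0o444, gz.bytesize) { |io| io.write(gz) }
  end
  StringIO.new(outer.string)
end

if __FILE__ == $PROGRAM_NAME
  # Pass a path to a real .gem file, or run without arguments to scan the sample.
  io = ARGV[0] ? File.open(ARGV[0], "rb") : build_sample_gem
  world_writable_in_gem(io).each { |path, mode| puts format("%04o %s", mode, path) }
end
```

Running the same check on a built gem before `gem push` catches such modes in the package itself, which is where the listing above shows them, rather than in the git checkout.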
