I am publicly disclosing fusionforge CVE-2013-1423 today. On the 25th of January I reported one of these issues to the Debian security team and the fusionforge maintainers. In the process of fixing the issue a number of further issues surfaced. All of these issues currently covered by the single CVE-2013-1423 have in common that they related to privileged operations not properly checking their environment and thus leading to privilege escalation. Let me give an easy to exploit example. Quoting deb-specific/user_dump_update.pl (fusionforge 5.2-1): | $home_dir = $homedir_prefix.'/'.$username; | unless (-d $home_dir.'/incoming') { | mkdir $home_dir.'/incoming', 0755; | } | | my $realuid=get_file_owner_uid($home_dir); | if ($uid eq $realuid){ | system("chown $uid $home_dir/incoming"); | system("chmod 0755 $home_dir/incoming"); This code is executed as root in a cron job. By replacing ~/incoming with a hard link to some other file (.e.g. an .ssh/authorized_keys file from a different user) an attacker can gain ownership of files. The initial report related to plugins/scmcvs/cronjobs/ssh_create.php which contained a chown to ~user/.ssh which is user controlled. Most of the issues relate to usage of chown or chmod on objects controlled by a user. These issues have been avoided carrying out operations on user controlled files with the effective permission of the user (seteuid). Another source was TOCTOU race conditions which have been avoided by using O_EXCL which is file mode "x" in php. Also some file permission were only fixed after closing the file (information disclosure) which is now done at open time by using umask. Roland Mas iteratively updated the sources with me giving feedback on issues. The resulting patches have been commited to the respective git branches. Please have a look at those patches for further details. 5.0: https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=0cc51b3aca51fa915a35195fdf729bcdb903f2af 5.1: https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=9937b9d94ab60ff67fe249c1b9a6c8e3fc1778ba 5.2: https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=1fc730b97c797e03b89cd37823ab345d35286cf4 Here is a list of files affected: contrib/gforge-3.0-cronjobs.patch (removed) cronjobs/homedirs.php deb-specific/fileforge.pl (removed) deb-specific/group_dump_update.pl deb-specific/ssh_dump_update.pl deb-specific/user_dump_update.pl plugins/scmbzr/common/BzrPlugin.class.php plugins/scmcvs/common/CVSPlugin.class.php plugins/scmcvs/cronjobs/cvs.php plugins/scmcvs/cronjobs/ssh_create.php plugins/scmgit/common/GitPlugin.class.php plugins/scmsvn/common/SVNPlugin.class.php plugins/wiki/cronjobs/create_groups.php utils/cvs1/cvscreate.sh (removed) utils/include.pl Finally I would like to thank Roland Mas for his thorough work on these issues, his quick reaction and the nice interaction. Helmut