PT-2023-23971 · Nfpm · Nfpm

Ochriso · Published 2023-05-24 · Updated 2023-06-06 · CVE-2023-32698

CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: nfpm (affected versions not specified)

Description: The issue arises when nfpm packages files without preserving the original file permissions from source control. If no extra configuration is provided to set nfpm's own permissions, files can be packaged with incorrect permissions such as chmod 666 or 777. Anyone using nfpm to create packages without checking or setting file permissions before packaging could end up with world-writable files or folders in the package.

Recommendations: To keep world-writable files out of packages, add the ability to override the default permissions of packaged files with a umask config option in the packaging spec file. Such a feature in nfpm would apply a global umask to every file being packaged, so that, with the correct configuration, world-writable files are prevented without having to list permissions for each and every file in the package.
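As an added example in Go (nfpm's language), not code from nfpm or from the advisory, this is the packaging-time policy the recommendation describes: a global umask applied to every entry before packaging, plus a report of which source entries arrived world-writable so the build can fail or log. The Entry type, the function names and the sample manifest are constructed for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
)

// Entry is one file or directory as a packager sees it in the source tree (constructed type).
type Entry struct {
	Path string
	Mode fs.FileMode // permission bits only, as read from the checkout
}

// ApplyUmask clears the permission bits selected by umask, the effect a global
// umask option in the packaging spec has on every packaged entry.
func ApplyUmask(mode, umask fs.FileMode) fs.FileMode {
	return (mode & fs.ModePerm) &^ (umask & fs.ModePerm)
}

// Normalize returns the entries with umask applied, plus the paths of every
// entry that was world-writable in the source (the 666 / 777 case) so the
// build can reject or log them before the package is produced.
func Normalize(entries []Entry, umask fs.FileMode) ([]Entry, []string) {
	out := make([]Entry, 0, len(entries))
	var worldWritable []string
	for _, e := range entries {
		if e.Mode&0o002 != 0 { // "other write" bit set in the source tree
			worldWritable = append(worldWritable, e.Path)
		}
		out = append(out, Entry{Path: e.Path, Mode: ApplyUmask(e.Mode, umask)})
	}
	return out, worldWritable
}

// Constructed sample manifest (not from the advisory): a checkout in which
// two entries arrived with loose permissions.
var sample = []Entry{
	{"usr/bin/app", 0o755}, {"etc/app.conf", 0o666}, {"var/lib/app", 0o777},
}

func main() {
	fixed, bad := Normalize(sample, 0o022)
	fmt.Printf("world-writable in source: %v\n", bad)
	for _, e := range fixed {
		fmt.Printf("%-14s %o\n", e.Path, e.Mode)
	}
}
```

Feeding a real tree into Normalize is a matter of collecting relative paths and info.Mode().Perm() with filepath.WalkDir; a umask of 0o002 would keep group write while still stripping the world-writable bit.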

Weakness Enumeration: Incorrect Default Permissions

Related Identifiers: CVE-2023-32698, GHSA-W7JW-Q4FG-QC4C, GO-2023-1788

Affected Products: Nfpm