GO-2023-1788

Source

https://pkg.go.dev/vuln/GO-2023-1788

Import Source

https://vuln.go.dev/ID/GO-2023-1788.json

Aliases

Published

2023-06-01T21:27:40Z

Modified

2023-11-08T04:12:36.189972Z

Details

When nfpm packages files without additional configuration to enforce its own permissions, the files could be packaged with incorrect permissions (chmod 666 or 777). Anyone who uses nfpm to create packages and does not check or set file permissions before packaging could result in files or folders being packaged with incorrect permissions.

References

Affected packages

Go / github.com/goreleaser/nfpm/v2

Package

Name: github.com/goreleaser/nfpm/v2

Affected ranges

Type: SEMVER
Events: Introduced

2.0.0

Fixed

2.29.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/goreleaser/nfpm/v2",
            "symbols": [
                "Config.Validate",
                "Info.Validate",
                "Parse",
                "ParseFile",
                "ParseFileWithEnvMapping",
                "ParseWithEnvMapping",
                "PrepareForPackager",
                "Validate",
                "WithDefaults"
            ]
        },
        {
            "path": "github.com/goreleaser/nfpm/v2/files",
            "symbols": [
                "Content.WithFileInfoDefaults",
                "PrepareForPackager",
                "addGlobbedFiles",
                "addTree"
            ]
        }
    ]
}