Ohai everyone,
We have released Omnibus 2.0.2 and Omnibus 3.2.2 to address an issue in which the contents of Omnibus-built Debian and Ubuntu packages are being installed with an arbitrary non-root UID and GID. This issue would allow a user with that UID and GID to replace the contents of the installed files and have them be executed by root. All Omnibus 2 and Omnibus 3 projects building for Debian or Ubuntu should be upgraded.
Omnibus 4, which is available as a prerelease version, is not affected.
We have released related updates to our existing software packages built with Omnibus. See Affected Products for further details.
Prior to this release, Omnibus 2 and Omnibus 3 defaults did not specify a target package user or group for Debian packages. The files bundled into the resulting .deb package kept the UID/GID of the process that ran the build.
Installing one of these Omnibus-built Debian-style (.deb) packages therefore creates files in the installation directory that are owned by ordinary, non-root UIDs, such as UID/GID 999 or UID/GID 1001, instead of UID/GID 0 (root). An unprivileged user on the install system with the same UID/GID would be able to change file contents and thereby execute arbitrary commands as whichever user runs the installed application, which is commonly root.
Omnibus packages in which a target package user or group has been specified with `package_user` or `package_group` are not affected. RPM packages are not affected as their target package user and group have always defaulted to UID/GID 0.
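As an added defender-side check, not part of the Omnibus project or of this announcement, the following script scans a package listing in the format printed by `dpkg-deb -c <pkg>.deb` and reports every entry whose owner or group is not root. The embedded listing and the package path in the usage comment are constructed samples, not real Omnibus output.

```shell
#!/bin/sh
# Added check (not Omnibus project code): flag entries in a .deb contents
# listing that are not owned by root/root (or numeric 0/0).
# Real usage:  dpkg-deb -c PLACEHOLDER_package.deb | non_root_entries

# Reads `dpkg-deb -c` / `tar -tv` style lines on stdin and prints
# "owner/group path" for each entry not owned by root.
non_root_entries() {
    awk '
        NF >= 6 && $2 ~ "/" {
            split($2, og, "/")
            owner = og[1]; group = og[2]
            if ((owner != "root" && owner != "0") || (group != "root" && group != "0")) {
                # $6 is the path even for symlinks ("path -> target")
                print $2, $6
            }
        }'
}

# Constructed sample listing modelled on dpkg-deb -c output: two entries
# still carry the build user's UID/GID (999 and 1001) instead of root.
SAMPLE_LISTING='drwxr-xr-x root/root         0 2014-11-10 10:00 ./opt/
drwxr-xr-x root/root         0 2014-11-10 10:00 ./opt/example/
-rwxr-xr-x 999/999        2048 2014-11-10 10:00 ./opt/example/bin/example
-rw-r--r-- 1001/1001      4096 2014-11-10 10:00 ./opt/example/embedded/lib/libfoo.so
-rw-r--r-- root/root       512 2014-11-10 10:00 ./opt/example/README'

# Number of entries a local user with a matching UID/GID could overwrite.
count_non_root_entries() {
    printf '%s\n' "$SAMPLE_LISTING" | non_root_entries | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | non_root_entries
fi
```

A non-empty result means the package would install files that a non-root account can modify; on an already-installed system the equivalent check is `find <install dir> ! -user root -o ! -group root`.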