Date: Sun, 06 Mar 2011 21:31:25 +0700
From: Pavel Labushev <p.labushev@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- logrotate -- nine issues

On 06.03.2011 19:26, Solar Designer wrote:

> For this to happen, you need to post info on the specific issues and
> request CVEs for them.  Will you do this, please?  (Perhaps start a new
> thread, or even a thread per package - that's up to you.)

I mean we shouldn't sweep the logrotate issues under the carpet, even if
logrotate wasn't supposed to handle such use cases initially. I have the
impression that's what you suggest. I mean this:

> The rest, as described, appear to rely on sysadmin error and to assume
> security properties that logrotate never advertised it had.

and

> Indeed.  A vulnerability in the service package, in my opinion.  Now
> that would require CVE id assignment and a fix to the package, whereas
> logrotate could merely use some hardening with no CVE ids (except for
> issue #8, which was different).

So I think all the logrotate issues should get their CVEs, with advice to
work around misuse cases by chowning the log directories root:root.

The Gentoo issues, I think, don't need CVEs and will be fixed by the
Gentoo security team (they are aware). The point was to show that the
misuse cases are common.
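The workaround the poster recommends, log directories owned by root:root and not writable by anyone else, is easy to audit. The script below is an added example and is not part of the thread, of logrotate, or of any distribution's tooling. It pulls the log paths out of logrotate stanza headers (the common "/path/a /path/b {" form; the "include" directive and a "{" on its own line are not followed), takes each path's directory, and flags directories that are not owned by the expected user or are group- or world-writable. Everything it runs against is a constructed fixture under mktemp, and the expected owner is passed explicitly so the example runs unprivileged; in real use you would point it at /etc/logrotate.conf and the files it includes and keep the default owner, root. It assumes a GNU or BSD userland (ls -ld, find -prune/-perm, mktemp -d) and paths without whitespace.

```shell
#!/bin/sh
# Added example (not from the thread): audit the directories that hold the
# logs named in a logrotate config for ownership and write permissions.

# Print every log path named in a stanza header of $1, one per line.
# Comment lines are skipped; tokens before the '{' that start with '/' are
# taken as paths (globs such as /var/log/app/*.log are kept as written).
logrotate_paths() {
    grep -v '^[[:space:]]*#' "$1" | grep '{' | sed 's/{.*//' \
        | tr -s ' \t' '\n' | grep '^/' || true
}

# Check one log directory: it must exist, be owned by $2 (default root),
# and be neither group- nor world-writable. Prints a finding and returns 1
# when the directory is unsafe, returns 0 when it is fine.
check_log_dir() {
    dir="$1"; want="${2:-root}"
    if [ ! -d "$dir" ]; then
        echo "MISSING        $dir"; return 1
    fi
    have=$(ls -ld "$dir" | awk '{print $3}')
    if [ "$have" != "$want" ]; then
        echo "OWNER          $dir (owned by $have, expected $want)"; return 1
    fi
    # -prune stops find from descending; -perm -002 / -020 test the
    # other-write / group-write bits on the directory itself.
    if [ -n "$(find "$dir" -prune -perm -002 -print)" ]; then
        echo "WORLD-WRITABLE $dir"; return 1
    fi
    if [ -n "$(find "$dir" -prune -perm -020 -print)" ]; then
        echo "GROUP-WRITABLE $dir"; return 1
    fi
    return 0
}

# Audit every distinct log directory named in config $1 against owner $2.
# Returns 0 if all directories are safe, 1 if any finding was printed.
audit_logrotate_conf() {
    conf="$1"; want="${2:-root}"; bad=0
    for d in $(logrotate_paths "$conf" | while read -r p; do dirname "$p"; done | sort -u); do
        check_log_dir "$d" "$want" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Constructed fixture (not a real system): a temp tree with one safe log
# directory, one world-writable and one group-writable, plus a logrotate
# config that names files in all three. Prints the fixture root.
make_fixture() {
    fxroot=$(mktemp -d)
    mkdir -p "$fxroot/var/log/app" "$fxroot/var/log/webapp" "$fxroot/var/log/shared"
    chmod 755 "$fxroot/var/log/app"
    chmod 777 "$fxroot/var/log/webapp"
    chmod 775 "$fxroot/var/log/shared"
    cat > "$fxroot/logrotate.conf" <<EOF
# constructed sample config for the example
$fxroot/var/log/app/*.log {
    weekly
    rotate 4
}
$fxroot/var/log/webapp/access.log $fxroot/var/log/shared/job.log {
    daily
    compress
}
EOF
    echo "$fxroot"
}

# Demonstration. The expected owner is the current user rather than root so
# the example runs unprivileged; against a real /etc/logrotate.conf you
# would omit the second argument and let it default to root.
demo_root=$(make_fixture)
if audit_logrotate_conf "$demo_root/logrotate.conf" "$(id -un)"; then
    echo "all log directories are owned by $(id -un) and not group/world-writable"
else
    echo "remediate each finding with: chown root:root DIR && chmod 755 DIR"
fi
rm -rf "$demo_root"
```

Group-writable directories are flagged conservatively: whether that is a real problem depends on who is in the group, which is exactly the kind of judgement the thread's "misuse case" discussion is about, so the script reports it and leaves the decision to the admin.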
