Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 7 Mar 2011 15:25:37 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Solar Designer <solar@...nwall.com>, Florian Zumbiehl <florz@...rz.de>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Stefan Fritsch <sf@...itsch.de>, Jan Kaluza <jkaluza@...hat.com>,
        Paul Martin <pm@...ian.org>, Petr Uzel <petr.uzel@...e.cz>,
        Thomas Biege <thomas@...e.de>, Jan Lieskovsky <jlieskov@...hat.com>
Subject: Re: CVE Request -- logrotate -- nine issues

----- Original Message -----
> On Friday, March 04, 2011 12:52:14 pm Solar Designer wrote:
> > On Fri, Mar 04, 2011 at 12:05:02PM -0500, Steven M. Christey wrote:
> > > If there's a common usage scenario that doesn't stem from blatant
> > > administrator negligence, then a CVE is probably still appropriate.
> > > ("blatant admin negligence" might be, say, if an admin arbitrarily
> > > makes a script setuid, or modifies the perms for an executable or
> > > config file to be world-writable.)
> >
> > I think that "chmod 777 /var/log" is "blatant admin negligence". As to,
> > say, "chown nginx /var/log/nginx", it could be negligence or it could
> > be lack of familiarity with the risks involved. So I am willing to
> > admit that it's not necessarily negligence that turns those issues into
> > vulnerabilities on specific systems.
> >
> > > We will sometimes write the CVE description more as an "adminisrator
> > > practice" than as "fault of the software."
> >
> > Oh, this is something I did not realize. A lot of people assume that
> > CVEs "blame" the software and its authors for having made an error.
> >
> > It felt wrong, say, to blame a text editor for being unsafe to use on
> > files in untrusted directories when such unsafety was the typical and
> > expected situation for text editors in general.
> 
> So, where does that leave us for things like this? :
> 
> http://reverse.lostrealm.com/protect/ldd.html
> http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
> 

Steve,

Can you start a new thread for that issue. This one is already hard enough
to follow, and I think it deserves attention on its own.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.