Date: Tue, 8 Mar 2011 08:59:03 +0100
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
    Stefan Fritsch <sf@...itsch.de>,
    Florian Zumbiehl <florz@...rz.de>,
    Petr Uzel <petr.uzel@...e.cz>,
    Thomas Biege <thomas@...e.de>,
    Jan Kaluža <jkaluza@...hat.com>
Subject: Re: CVE Request -- logrotate -- nine issues

Josh Bressers wrote:
> [...]
> It seems there is now a consensus on this (at least that's how I'm reading
> it). Here is what I plan to do with CVE ids unless someone speaks up.
>
> As best as I can tell, logrotate only needs a CVE id for this:
>
> 8) Issue #8: logrotate: TOCTOU race condition by creation of new files
> (between opening the file and moment, final permissions have been
> applied) [information disclosure]
>

Ack.

> We then will need to assign IDs for various broken uses of /var/log (If
> someone has a list of the currently known ones, please pass it along)

AFAICS on openSUSE Factory we have

cobbler
inn
safte-monitor
uucp

service owned log dirs without logrotate:

cups
horde

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
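
The window named in issue #8 quoted above (a new file exists before its final permissions are applied), next to a creation pattern that closes it. This is an added illustration, not part of the original message and not logrotate's code; the function names and the `window` out-parameter are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits of an open file, or (mode_t)-1 on error. */
static mode_t perm_bits(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}

/* Racy pattern: the file carries umask-derived permissions until chmod()
 * runs, and chmod() resolves the path name a second time.
 * *window receives the mode visible during that interval. */
int create_log_racy(const char *path, mode_t final_mode, mode_t *window)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0666);
    if (fd < 0)
        return -1;
    *window = perm_bits(fd);            /* 0644 under umask 022 */
    if (chmod(path, final_mode) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hardened pattern: create exclusively with mode 0, then set owner and
 * final mode on the descriptor, so no wider mode is ever visible and the
 * path is never resolved again on the success path. */
int create_log_secure(const char *path, mode_t final_mode,
                      uid_t uid, gid_t gid, mode_t *window)
{
    /* O_EXCL refuses a pre-existing file; O_NOFOLLOW refuses a symlink. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    *window = perm_bits(fd);            /* 0000 until fchmod() below */
    /* Owner first, then mode, so the final mode only applies to the final owner. */
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, final_mode) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}
```
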