Date: Fri, 11 Mar 2011 17:17:48 +0300
From: Solar Designer <solar@...nwall.com>
To: Florian Zumbiehl <florz@...rz.de>
Cc: oss-security@...ts.openwall.com, Josh Bressers <bressers@...hat.com>,
	"Steven M. Christey" <coley@...us.mitre.org>,
	Stefan Fritsch <sf@...itsch.de>, Petr Uzel <petr.uzel@...e.cz>,
	Thomas Biege <thomas@...e.de>, Jan Kaluža <jkaluza@...hat.com>
Subject: Re: CVE Request -- logrotate -- nine issues

On Thu, Mar 10, 2011 at 10:32:43PM +0100, Florian Zumbiehl wrote:
> > > | However, I think that still #6 (shell injection) and #7 (logrotate
> > > | DoS with strange characters in file names) should be considered
> > > | vulnerabilities in logrotate: ...
[...]
> I was thinking more in the direction of an existing config that includes
> a wildcard and software that uses user input to construct file names
> that would be matched by that wildcard. An example of such software
> would be samba, which tends to create per-client-host log files named
> after those hosts. I don't have a clue whether samba could be made to
> include any shell meta characters (does it even do reverse lookups for
> that?), but I guess you get the idea.

This makes sense, and I agree that it's a reason for logrotate to treat
log filenames as potentially untrusted input.  It's probably also a
reason to get CVE ids assigned.

Thank you for explaining the attack vector here!

Alexander
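
The point made in this message, treating wildcard-matched log file names as untrusted input, shown as an added example that is not part of the original e-mail and is not logrotate's code. The function names, the `*.log` pattern and the character allowlist are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added illustration (not logrotate's code): names matched by a wildcard are
# treated as untrusted data. Function names and the allowlist are hypothetical.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z / 0-9 ranges plain ASCII

# Succeeds only if the basename uses a conservative set of characters.
is_safe_logname() {
    name=${1##*/}
    case $name in
        ''|.*|-*) return 1 ;;            # empty, hidden, or option-like
        *[!A-Za-z0-9._-]*) return 1 ;;   # anything outside the allowlist
    esac
    return 0
}

# Runs a per-file hook for every regular file matching "$dir"/*.log.
# The file name reaches the child shell as the positional parameter "$1",
# so it is never spliced into the text of the command being interpreted.
# Prints the number of names that were rejected and skipped.
rotate_matching() {
    dir=$1
    hook=$2
    skipped=0
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue          # also covers the "no match" case
        if is_safe_logname "$f"; then
            sh -c "$hook" hook "$f" >/dev/null
        else
            skipped=$((skipped + 1))
        fi
    done
    echo "$skipped"
}
```

The allowlist and the positional-parameter passing are independent layers: the second one keeps a name inert even if a rejected name were processed anyway.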
