Date: Fri, 11 Mar 2011 15:37:56 +0100
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- logrotate -- nine issues

Florian Zumbiehl wrote:
> > On Thu, Mar 10, 2011 at 07:08:38PM +0100, Florian Zumbiehl wrote:
> > > What about these?:
> > >
> > > | However, I think that still #6 (shell injection) and #7 (logrotate
> > > | DoS with strange characters in file names) should be considered
> > > | vulnerabilities in logrotate: It would be reasonable to assume that you
> > > | can use user input that's a valid (slash-less) filename as a (part of a)
> > > | log file name (assuming that the program is running as the same user that
> > > | inspects and rotates the logs, so the log directory being writable by
> > > | the program would not be insecure per-se) without that file name being
> > > | interpreted by a shell or causing logrotate to stop functioning,
> > > | respectively.
> [...]
> > To summarize, it feels like in theory a privilege boundary could exist
> > here and be crossed on certain systems with extra software, but in
> > practice this is unlikely and it would indicate poor design of another
> > piece of software or/and false sense of security put into that privilege
> > boundary. I don't know what this means for CVE id assignment per the
> > current "rules".
>
> I was thinking more in the direction of an existing config that includes
> a wildcard and software that uses user input to construct file names
> that would be matched by that wildcard. An example of such software
> would be samba, which tends to create per-client-host log files named
> after those hosts. I don't have a clue whether samba could be made to
> include any shell meta characters (does it even do reverse lookups for
> that?), but I guess you get the idea.

libvirt constructs log file names from user input (log file name = VM
name). The user needs to have the org.libvirt.unix.manage privilege which
basically already is full root though.
cu
Ludwig
-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
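An added example, not part of the thread, of the defensive check the discussion implies: which file names matched by a logrotate-style wildcard carry shell metacharacters that would be unsafe if the name were pasted unquoted into a shell command line, and how quoting turns such a name into a single shell word. The `log.*` pattern, the samba-style sample names and the function names are assumptions for illustration.

```python
import fnmatch
import shlex

# Characters a POSIX shell treats specially when a file name is pasted
# unquoted into a command line (separators, substitution, globbing,
# redirection, quoting and whitespace).
SHELL_META = set(';&|$`\\"\'<>()*?[]{}~#!\n \t')

# Per-client-host log names as a daemon might create them from client
# input (constructed for this example; not taken from the thread).
SAMPLE_LOG_NAMES = [
    "log.workstation01",
    "log.fileserver",
    "log.host; echo hi",        # separator and whitespace
    "log.host$(hostname)",      # command substitution syntax
    "log.with space",           # whitespace splits into two words
]

def matches_config_glob(name, pattern="log.*"):
    """Would this file name fall under the given logrotate wildcard entry?"""
    return fnmatch.fnmatchcase(name, pattern)

def shell_meta_in(name):
    """Return the sorted list of shell metacharacters present in a name."""
    return sorted(c for c in set(name) if c in SHELL_META)

def audit_log_names(names, pattern="log.*"):
    """Map each name matched by the wildcard that contains shell
    metacharacters to the offending characters; safe names are omitted."""
    return {n: shell_meta_in(n) for n in names
            if matches_config_glob(n, pattern) and shell_meta_in(n)}

def compress_command(name):
    """Build a compress command line with the name as one shell word.
    shlex.quote single-quotes anything outside the shell-safe charset, so
    separators and $(...) in the name are passed to gzip as literal text."""
    return "gzip -9 " + shlex.quote(name)

if __name__ == "__main__":
    for name, metas in audit_log_names(SAMPLE_LOG_NAMES).items():
        print(f"unsafe unquoted: {name!r} -> {metas} ; quoted form: {compress_command(name)}")
```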