Date: Fri, 11 Mar 2011 15:37:56 +0100
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- logrotate -- nine issues

Florian Zumbiehl wrote:
> > On Thu, Mar 10, 2011 at 07:08:38PM +0100, Florian Zumbiehl wrote:
> > > What about these?:
> > > 
> > > | However, I think that still #6 (shell injection) and #7 (logrotate
> > > | DoS with strange characters in file names) should be considered
> > > | vulnerabilities in logrotate: It would be reasonable to assume that you
> > > | can use user input that's a valid (slash-less) filename as a (part of a)
> > > | log file name (assuming that the program is running as the same user that
> > > | inspects and rotates the logs, so the log directory being writable by
> > > | the program would not be insecure per-se) without that file name being
> > > | interpreted by a shell or causing logrotate to stop functioning,
> > > | respectively.
> [...]
> > To summarize, it feels like in theory a privilege boundary could exist
> > here and be crossed on certain systems with extra software, but in
> > practice this is unlikely and it would indicate poor design of another
> > piece of software or/and false sense of security put into that privilege
> > boundary.  I don't know what this means for CVE id assignment per the
> > current "rules".
> 
> I was thinking more in the direction of an existing config that includes
> a wildcard and software that uses user input to construct file names
> that would be matched by that wildcard. An example of such software
> would be samba, which tends to create per-client-host log files named
> after those hosts. I don't have a clue whether samba could be made to
> include any shell meta characters (does it even do reverse lookups for
> that?), but I guess you get the idea.

libvirt constructs log file names from user input (log file name =
VM name). The user needs to have the org.libvirt.unix.manage
privilege which basically already is full root though.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
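
Added example, not part of the original message and not code from logrotate, samba or libvirt: one way a program that builds log file names from user input (the per-client-host and per-VM names discussed in this thread) can restrict them to an allowlist, together with an audit of an existing log directory against a rotation wildcard. The allowlist, the function names and the sample file names are assumptions constructed for illustration.

```python
import fnmatch
import os
import re
import tempfile

# Assumption: a conservative allowlist for a slash-less log file name (or a
# user-derived part of one). No whitespace, quotes, or shell metacharacters.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def safe_log_component(user_value: str) -> str:
    """Return user_value unchanged if it is safe to embed in a log file name."""
    if not SAFE_COMPONENT.fullmatch(user_value) or ".." in user_value:
        raise ValueError(f"unsafe log name component: {user_value!r}")
    return user_value


def audit_log_dir(directory: str, pattern: str = "*.log") -> list[str]:
    """List files matched by a rotation wildcard whose names fail the allowlist.

    fnmatch approximates the wildcard matching a rotation config would apply;
    names are never passed to a shell here.
    """
    flagged = []
    for name in sorted(os.listdir(directory)):
        if fnmatch.fnmatchcase(name, pattern) and not SAFE_COMPONENT.fullmatch(name):
            flagged.append(name)
    return flagged


def demo() -> list[str]:
    # Constructed sample directory: two ordinary names and three names that
    # contain a semicolon, a space and a newline respectively.
    with tempfile.TemporaryDirectory() as d:
        for name in ("web01.log", "vm-test.log", "guest;x.log",
                     "host name.log", "a\nb.log"):
            open(os.path.join(d, name), "w").close()
        return audit_log_dir(d)


if __name__ == "__main__":
    for flagged_name in demo():
        print(repr(flagged_name))
```
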
