Message-ID: <4D739ABD.9040508@gmail.com>
Date: Sun, 06 Mar 2011 21:31:25 +0700
From: Pavel Labushev <p.labushev@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- logrotate -- nine issues

06.03.2011 19:26, Solar Designer wrote:

> For this to happen, you need to post info on the specific issues and
> request CVEs for them.  Will you do this, please?  (Perhaps start a new
> thread, or even a thread per package - that's up to you.)

I mean we shouldn't sweep the logrotate issues under the carpet, even if
logrotate wasn't supposed to handle such use cases initially. I have an
impression that's what you suggest. I mean this:

> The rest, as described, appear to rely on sysadmin error and to assume
> security properties that logrotate never advertised it had.

and

> Indeed.  A vulnerability in the service package, in my opinion.  Now
> that would require CVE id assignment and a fix to the package, whereas
> logrotate could merely use some hardening with no CVE ids (except for
> issue #8, which was different).

So I think all the logrotate issues should get their CVEs, with advice to
work around misuse cases by chowning the log directories root:root.

The Gentoo issues, I think they don't need CVEs and will be fixed by the
Gentoo security team (they are aware). The point was to show the misuse
cases are common.
