Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 06 Mar 2011 21:31:25 +0700
From: Pavel Labushev <p.labushev@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- logrotate -- nine issues

06.03.2011 19:26, Solar Designer пишет:

> For this to happen, you need to post info on the specific issues and
> request CVEs for them.  Will you do this, please?  (Perhaps start a new
> thread, or even a thread per package - that's up to you.)

I mean we shouldn't sweep the logrotate issues under the carpet, even if
logrotate wasn't suppose to handle such use cases initially. I have an
impression that's what you suggest. I mean this:

> The rest, as described, appear to rely on sysadmin error and to assume
> security properties that logrotate never advertised it had.

and

> Indeed.  A vulnerability in the service package, in my opinion.  Now
> that would require CVE id assignment and a fix to the package, whereas
> logrotate could merely use some hardening with no CVE ids (except for
> issue #8, which was different).

So I think all the logrotate issues should get their CVEs with an advise to
work around misuse cases by chowning the log directories root:root.

The Gentoo issues, I think they don't need CVEs and will be fixed by the
Gentoo security team (they are aware). The point was to show the misuse
cases are common.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.