Date: Thu, 24 Jan 2013 17:53:38 -0700
From: Kurt Seifried <>
Subject: Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly


On 01/23/2013 09:25 AM, Jan Lieskovsky wrote:
> Hello vendors,
> just FYI notification that haproxy upstream has recently corrected
> [2] improper dropping of supplementary groups [1] after setuid /
> setgid calls.
> We have further investigated this issue and have reasons to believe
> that by itself this is NOT a security issue (another flaw would
> need to be found in haproxy this to be actually possible to use for
> something interesting).
> For now we are considering this fix to be a preventive measure /
> security hardening (but took the time to notify you explicitly
> about this as you might still want to backport it into affected
> versions).
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> P.S.: [1] [2]

So to be clear: haproxy fails to properly drop group privileges. Why
isn't this classified as a security vulnerability?

Well, there is no way to exploit this that we're aware of; if you know
a way to exploit this, please let us know.

What would make this a security vulnerability? Let's say for example
haproxy had an option to read or write to a file and did this with the
privileges it failed to drop (granting the attacker privilege
escalation) then it would be a security vulnerability.

So again, if you know of a way to exploit this please let us know,
otherwise we will continue to consider this a security hardening issue
and not a security vulnerability.

So as for this tweet:

"@chort0 … I didn't know about
that claim -- I guess it explains why such great effort was made to
not call it a vuln"

I wasn't aware of this claim by haproxy and to be honest I don't care.
I assigned something like 1,600 CVEs last year; trust me, I'm not
afraid to annoy people by assigning CVEs that might embarrass them.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
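For reference, the privilege-drop sequence this thread is about, as added example code (not haproxy's own): the supplementary group list has to be cleared with setgroups() while still root, before setgid()/setuid(), and a check afterwards confirms the kernel agrees. It assumes Linux/glibc, uses a constructed target uid/gid of 65534, and must be started as root to exercise the drop.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check on a getgroups() result: after a correct drop the list is empty or
 * holds only the target gid (POSIX leaves unspecified whether the egid is reported). */
int groups_fully_dropped(const gid_t *groups, int ngroups, gid_t target)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != target)
            return 0;
    return 1;
}

/* Order matters: groups, then gid, then uid. After setuid() to an unprivileged uid,
 * setgroups() is refused, so a missing setgroups() keeps root's groups for good. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) == -1)  /* the call the notification says was missing */
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* Fail closed: regaining root here means the drop did not really happen. */
    if (uid != 0 && (setuid(0) != -1 || seteuid(0) != -1)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Re-read the kernel's view instead of trusting our own bookkeeping. */
int verify_groups_dropped(gid_t target)
{
    gid_t groups[NGROUPS_MAX];
    int n = getgroups(NGROUPS_MAX, groups);
    return n != -1 && groups_fully_dropped(groups, n, target);
}

int main(void)
{
    gid_t gid = 65534;  /* constructed sample: nobody/nogroup on many systems */
    if (drop_privileges((uid_t)gid, gid) == -1) { perror("drop_privileges"); return 1; }
    printf("supplementary groups dropped: %s\n", verify_groups_dropped(gid) ? "yes" : "NO");
    return 0;
}
```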


