Date: Thu, 27 Oct 2016 05:08:21 -0300
From: Dawid Golunski <>
To: Solar Designer <>
Subject: Re: CVE-2016-1240 - Tomcat packaging on Debian-based distros - Local Root Privilege Escalation

Hi Alexander,

On Wed, Oct 26, 2016 at 2:39 PM, Solar Designer <> wrote:
> Dawid,
> On Wed, Oct 26, 2016 at 02:05:11AM -0300, Dawid Golunski wrote:
>> I added a simple PoC video for the CVE-2016-1240 vulnerability.
>> In the PoC I used Ubuntu 16.04 with the latest tomcat7 package
>> (version: 7.0.68-ubuntu-0.1) installed from the default ubuntu repos
>> which appears vulnerable still.
>> The video poc can be found at:
> You call out distro vendors on very real security issues.  In fact,
> those distros should be embarrassed to still have previous millennium's
> issues like this, which are trivial to spot.  It probably means that
> their security teams are too disconnected from their packagers, and are
> not proactive.  You also bring this valuable information to the
> oss-security community.  Thank you for this.

From the feedback I got and my observations it seems that a lot of
people are not aware of the default link following behaviour of the
chown command. Perhaps that also explains (not saying justifies)
why the vulnerabilities I reported have stayed hidden for a while.
Luckily, there is the protected_symlinks kernel feature which would
protect against similar issues in case of temporary directories
with sticky bit nowadays but obviously it can't be treated as a magic
cure to all the symlink issues.
Hopefully the advisories and the video will increase the awareness of this.

> However, as you probably realize, you also abuse this mailing list to
> promote your website, at the expense of not including full detail in
> your postings themselves.  As I pointed out to you before, oss-security
> content guidelines:

The last post was a follow-up to my previous post
which I thought actually had enough basic details in it for people to
make a decision if they want to know more details and see the full
exploit etc.
It's often easier to have/maintain one central version of an advisory
rather than having a separate version on each forum etc.
That was my reasoning behind it anyway.

As to posting to multiple groups I use BCC, not CC, unless in error
due to rush or just being underslept (notice the 5am in the video :)

As to the future posting, obviously I can't speak for the others who
also prefer short description + external link format but I'll try to
remember to make an extended description/attach full advisory to the
message when posting to oss-sec. Other groups seem more relaxed in
this regard so it is easy to forget when posting to multiple groups.

Thanks for the reminders and for putting your efforts into maintaining the list.

Dawid Golunski

> include this:
> "At least the most essential part of your message (e.g., vulnerability
> detail and/or exploit) should be directly included in the message itself
> (and in plain text), rather than only included by reference to an
> external resource.  Posting links to relevant external resources as well
> is acceptable, but posting only links is not.  Your message should remain
> valuable even with all of the external resources gone."
> I realize you couldn't have reasonably included a video (arguably, this
> means that a video is of little interest to oss-security, unless the
> information in it is unique and is not also available in text form), but
> you also violated this guideline in these related postings (which I
> appreciated otherwise):
> In those, you refer to very detailed advisories placed on your website,
> but you don't include the advisory texts in the postings themselves.
> You must be doing just that - in message body or text/plain attachments,
> please.  Will you correct this going forward?  (It is OK to also include
> URLs to your website, thereby promoting it, but not at the expense of
> the level of detail in the messages themselves.)
> If you continue to post link-mostly messages, we'll have the tough
> choice between:
> 1. Let you post those anyway, and ignore the problem.  Unfortunately,
> this is likely to result in some others doing the same more.  (OTOH, it
> will also keep reminding people of just how bad it is not to have detail
> right in the messages.)
> 2. Look for a volunteer who would post follow-ups or replacements to
> your postings, with actual detail in them.  (In fact, we could need a
> volunteer like this anyway, since non-detailed postings do happen once
> in a while, not only by you.)
> 3. Reject your postings (for them violating the content guidelines), but
> that's counter-productive because the linked-to information is actually
> on-topic and valuable to this community (thank you for it, again!)
> Another guideline you violate is this:
> "Please don't cross-post messages to oss-security and other mailing
> lists at once, especially not to high-volume lists such as LKML and
> netdev, as this tends to result in threads that wander partially or
> fully off-topic (e.g., Linux kernel coding style detail may end up being
> discussed in comments to a patch posted to LKML, but it would be
> off-topic for oss-security).  If you feel that something needs to be
> posted to oss-security and to another list, please make separate
> postings.  You may mention the other posting(s) in your oss-security
> posting, and even link to other lists' archives."
> It's less important since you're only CC'ing security-focused lists so
> far, but I would appreciate it if you avoid the CC's anyway.
> Thanks,
> Alexander
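The point Dawid makes above, that chown dereferences symlinks by default and that fs.protected_symlinks only covers sticky world-writable directories, is easy to demonstrate without root. The script below is an added example and is not part of this thread, the tomcat packaging or any distro script: it builds a constructed temporary tree containing one symlink that points outside the tree, runs a naive recursive chown (default link-following semantics, like plain `chown`) beside a hardened one (`fchownat` with `AT_SYMLINK_NOFOLLOW`, the equivalent of `chown -h`, relative to a directory fd), and reports which inodes each variant actually modified. Because every object is owned by the calling user and is chowned to that same uid/gid, the operations are permitted no-ops and the script runs unprivileged; the function names, the tree layout and the file names are all assumptions made for the demo.

```python
"""Added example (not from the oss-security thread): link-following chown
versus a no-dereference chown on a constructed tree, plus a read of the
fs.protected_symlinks sysctl the message refers to."""
import os
import shutil
import tempfile


def chown_tree_naive(root, uid, gid):
    """Walk `root` and chown each entry with default semantics
    (os.chown follow_symlinks=True behaves like plain `chown`).
    Returns the inodes actually modified: for a symlink that is the
    *target's* inode, which may live anywhere on the filesystem."""
    touched = set()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            touched.add(os.stat(path).st_ino)  # the object chown(2) will hit
            os.chown(path, uid, gid)           # dereferences the symlink
    return touched


def chown_tree_safe(root, uid, gid):
    """Same walk, but every chown is issued relative to a directory fd with
    follow_symlinks=False (fchownat + AT_SYMLINK_NOFOLLOW, i.e. `chown -h`),
    so a symlink inside the tree changes only the link object itself and a
    path swapped between listing and chown cannot redirect the call.
    Returns the inodes modified: for a symlink, the link's own inode."""
    touched = set()
    for _dirpath, dirnames, filenames, dir_fd in os.fwalk(root, follow_symlinks=False):
        for name in dirnames + filenames:
            st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
            touched.add(st.st_ino)
            os.chown(name, uid, gid, dir_fd=dir_fd, follow_symlinks=False)
        os.chown(dir_fd, uid, gid)  # the directory itself, via fchown
        touched.add(os.fstat(dir_fd).st_ino)
    return touched


def protected_symlinks_setting(path="/proc/sys/fs/protected_symlinks"):
    """Return fs.protected_symlinks (1 = following symlinks in sticky,
    world-writable directories is restricted), or None when the sysctl
    cannot be read. Note it does nothing for directories without the
    sticky bit, which is why it is not a general cure."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def build_demo_tree():
    """Constructed layout (assumption for the demo):
        <base>/app/logs/app.log          regular file inside the tree
        <base>/app/logs/planted.log  ->  <base>/outside/secret (outside)
    Returns (base, tree_root, outside_file)."""
    base = tempfile.mkdtemp(prefix="chown-demo-")
    root = os.path.join(base, "app")
    logs = os.path.join(root, "logs")
    outside = os.path.join(base, "outside")
    os.makedirs(logs)
    os.makedirs(outside)
    target = os.path.join(outside, "secret")
    with open(target, "w") as f:
        f.write("not part of the tree\n")
    with open(os.path.join(logs, "app.log"), "w") as f:
        f.write("log line\n")
    os.symlink(target, os.path.join(logs, "planted.log"))
    return base, root, target


def run_demo():
    """Run both variants on the constructed tree and report what they hit."""
    base, root, target = build_demo_tree()
    uid, gid = os.getuid(), os.getgid()  # chown to self: permitted, no-op
    link_ino = os.lstat(os.path.join(root, "logs", "planted.log")).st_ino
    target_ino = os.stat(target).st_ino
    naive = chown_tree_naive(root, uid, gid)
    safe = chown_tree_safe(root, uid, gid)
    shutil.rmtree(base)
    return {
        "naive_hits_outside_file": target_ino in naive,  # True
        "safe_hits_outside_file": target_ino in safe,    # False
        "safe_hits_link_itself": link_ino in safe,       # True
        "protected_symlinks": protected_symlinks_setting(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The inode sets are the whole story: the naive walk reports the inode of `outside/secret` even though that file is not under the tree, while the hardened walk reports only the link's own inode. In a packaging or init script the same distinction is `chown user:group "$file"` versus `chown -h user:group "$file"` (and `chown -R`, which already does not follow links met during traversal but still dereferences the path given on the command line unless `-h` is used).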
