Message-ID: <20170705200345.GA1671@pali>
Date: Wed, 5 Jul 2017 22:03:45 +0200
From: Pali Rohár <pali.rohar@...il.com>
To: oss-security@...ts.openwall.com
Cc: Ben Tasker <ben@...tasker.co.uk>
Subject: Re: systemd fails to parse user that should run service

On Wed, Jul 5, 2017 at 12:28, Ben Tasker wrote:
> Honestly, I think upstream have done an *awful* job of handling it so far
> (and it's far from the only example of Poettering taking the not-a-bug
> approach questionably). Their issues do have a habit of attracting trolls,
> but I think sometimes their definition of troll expands to include anyone
> who doesn't agree with them.

The worst is the fact that the discussion about this problem was locked in the upstream bugtracker. Therefore there is no other option than to continue the discussion about this, which I think is a security issue, here on the oss-security list. But the problem is that upstream does not have to monitor this list and therefore they would ignore any results.

> FWIW, I'd be inclined to agree that it needs a CVE so that downstream
> distros can at least refer to it, and decide how (and if) they want to
> address it. Even if they decide to stick with upstream's approach, having
> the CVE at least gives them something to make sure package reviewers refer
> to.

From the whole discussion (and not only there) it looks like assigning a CVE should really be done, as more downstream distributions do not follow systemd's "allowed" characters in usernames and need to handle this problem somehow. Either patching systemd or changing the validation for adding new user names into the system...

Is somebody going to ask MITRE for a CVE? Or should it be done by Red Hat? Because the upstream bug is locked, it is not possible to ask upstream...

> I think the approach SUSE has taken is pretty good, and it's basically the
> kind of fix I'd have liked to see upstream put in place (though in their
> case, the suggestion of a config var to define whether it's acceptable is
> also a very good suggestion).
-- Pali Rohár pali.rohar@...il.com
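The thread above turns on units whose User= value does not match the characters systemd accepts. As an added example (not code from the thread, systemd, or any distribution patch), the following audit walks unit files and flags User= values that a strict systemd-style name check would refuse; the name pattern and the numeric-UID allowance are this example's approximation of systemd's rule, and the unit texts are constructed samples.

```python
import re
from pathlib import Path

# Assumption: a user name is accepted only if it starts with a letter or '_'
# and continues with letters, digits, '_' or '-'; a purely numeric value is
# treated as a UID and accepted. This approximates systemd's check, it is not
# systemd's own code.
STRICT_USER_NAME = re.compile(r'^[a-zA-Z_][a-zA-Z0-9_-]*$')
NUMERIC_UID = re.compile(r'^[0-9]+$')


def parse_unit_users(unit_text):
    """Return the User= values assigned in the [Service] section of a unit."""
    users, section = [], None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':        # blank lines and comments
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        if section != 'Service' or '=' not in line:
            continue
        key, _, value = line.partition('=')
        if key.strip() == 'User' and value.strip():
            users.append(value.strip())
    return users


def audit_unit(unit_text):
    """Return User= values the strict check refuses; a refused value means the
    unit may not run as the account the author intended, so each hit should be
    compared against the service's actual runtime identity."""
    return [u for u in parse_unit_users(unit_text)
            if not (STRICT_USER_NAME.match(u) or NUMERIC_UID.match(u))]


def audit_directory(path):
    """Map unit file name -> refused User= values for every *.service in path."""
    findings = {}
    for unit in Path(path).glob('*.service'):
        bad = audit_unit(unit.read_text(errors='replace'))
        if bad:
            findings[unit.name] = bad
    return findings


# Constructed sample units for demonstration; not taken from any real system.
SAMPLE_OK = "[Unit]\nDescription=demo\n\n[Service]\nUser=webapp\nExecStart=/usr/bin/true\n"
SAMPLE_BAD = "[Service]\nUser=2nd-stage\nExecStart=/usr/bin/true\n"

if __name__ == '__main__':
    print('ok unit refused:', audit_unit(SAMPLE_OK))      # []
    print('bad unit refused:', audit_unit(SAMPLE_BAD))    # ['2nd-stage']
```

Run `audit_directory('/etc/systemd/system')` on a host to list units worth checking; each hit should be confirmed against the service's real effective UID rather than taken as proof of a problem.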