oss-sec mailing list archives
Re: CVE Request -- logrotate -- nine issues
From: Pavel Labushev <p.labushev () gmail com>
Date: Sun, 06 Mar 2011 21:31:25 +0700
06.03.2011 19:26, Solar Designer wrote:
> For this to happen, you need to post info on the specific issues and request CVEs for them. Will you do this, please? (Perhaps start a new thread, or even a thread per package - that's up to you.)
I mean we shouldn't sweep the logrotate issues under the carpet, even if logrotate wasn't supposed to handle such use cases initially. I have an impression that's what you suggest. I mean this:
> The rest, as described, appear to rely on sysadmin error and to assume security properties that logrotate never advertised it had.
and
> Indeed. A vulnerability in the service package, in my opinion. Now that would require CVE id assignment and a fix to the package, whereas logrotate could merely use some hardening with no CVE ids (except for issue #8, which was different).
So I think all the logrotate issues should get their CVEs with advice to work around misuse cases by chowning the log directories root:root. The Gentoo issues, I think they don't need CVEs and will be fixed by the Gentoo security team (they are aware). The point was to show the misuse cases are common.