oss-sec mailing list archives
Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync
From: Seth Arnold <seth.arnold () canonical com>
Date: Fri, 20 Oct 2017 15:37:58 -0700
On Thu, Oct 19, 2017 at 08:32:55PM +0000, Robert Watson wrote:
Scripts depend on the underlying functionality of the various utilities like rsync that they call. I'm having trouble understanding how a script could ever be deserving of a CVE. Maybe I'm wrong. I wish to be educated.
I'm not sure what 'script' vs 'not-script' has to do with anything. 'Script' really just means "interpreted programming language" and says nothing about the threat model in use. This ftpsync script and similar scripts are the primary tool for mirroring Debian, Ubuntu, and other derived Linux distributions, to the mirror networks that support many millions of computers. Probably other programs use rsync without --safe-links when they should. I didn't know the option existed until this thread was started (seriously, rsync(1) is a HUGE manpage) so I'm grateful to the original reporter for sending it along.
We are overwhelmed with more vulnerabilities than can be fixed quickly already.
Yes.
Are "just to be safer" type things really a wise use of our resources?
Yes. I think we all wish to see software that's less likely to fail.
Does a proliferation of a large number of low-caliber problems make monitoring these lists more trouble than it's worth? Does it cause high-impact problems to be lost amongst low-impact ones?
It's up to you how you prioritize your time. For this issue, I updated my own personal mirroring script and a co-worker updated our wiki page: https://wiki.ubuntu.com/Mirrors/Scripts These steps took a few minutes and are unlikely to cause problems so it was an easy choice. Filing for a CVE for a wiki page feels like a waste of time so I'm not going to bother. The page is fixed and users can adopt the change if they wish. Thanks
Attachment:
signature.asc
Description:
Current thread:
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync, (continued)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 18)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Ben Tasker (Oct 18)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 19)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Seth Arnold (Oct 19)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 20)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Ben Tasker (Oct 20)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 21)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Solar Designer (Oct 21)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 21)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Simon McVittie (Oct 21)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Ben Tasker (Oct 18)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 18)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Seth Arnold (Oct 20)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Bastian Blank (Oct 21)