oss-sec mailing list archives

Re: CVE Request -- logrotate -- nine issues

From: Josh Bressers <bressers () redhat com>
Date: Mon, 7 Mar 2011 15:25:37 -0500 (EST)

----- Original Message -----

On Friday, March 04, 2011 12:52:14 pm Solar Designer wrote:

On Fri, Mar 04, 2011 at 12:05:02PM -0500, Steven M. Christey wrote:

If there's a common usage scenario that doesn't stem from blatant
administrator negligence, then a CVE is probably still appropriate.
("blatant admin negligence" might be, say, if an admin arbitrarily
makes a script setuid, or modifies the perms for an executable or
config file to be world-writable.)


I think that "chmod 777 /var/log" is "blatant admin negligence". As to,
say, "chown nginx /var/log/nginx", it could be negligence or it could
be lack of familiarity with the risks involved. So I am willing to
admit that it's not necessarily negligence that turns those issues into
vulnerabilities on specific systems.

We will sometimes write the CVE description more as an "adminisrator
practice" than as "fault of the software."


Oh, this is something I did not realize. A lot of people assume that
CVEs "blame" the software and its authors for having made an error.

It felt wrong, say, to blame a text editor for being unsafe to use on
files in untrusted directories when such unsafety was the typical and
expected situation for text editors in general.


So, where does that leave us for things like this? :

http://reverse.lostrealm.com/protect/ldd.html
http://www.catonmat.net/blog/ldd-arbitrary-code-execution/


Steve,

Can you start a new thread for that issue. This one is already hard enough
to follow, and I think it deserves attention on its own.

Thanks.

-- 
    JB

Current thread:

CVE Request -- logrotate -- nine issues Jan Lieskovsky (Mar 04)
- Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
  - Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Steven M. Christey (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Steven M. Christey (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Dan Rosenberg (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Steve Grubb (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Josh Bressers (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 05)
    - Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 06)
  - Re: CVE Request -- logrotate -- nine issues Jan Lieskovsky (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Steven M. Christey (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Jan Lieskovsky (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 05)
    - Re: CVE Request -- logrotate -- nine issues Jan Kaluža (Mar 07)

(Thread continues...)