oss-sec mailing list archives
Re: CVE Request -- logrotate -- nine issues
From: Josh Bressers <bressers () redhat com>
Date: Mon, 7 Mar 2011 15:30:58 -0500 (EST)
----- Original Message -----
On Mon, Mar 07, 2011 at 01:21:05PM +0100, Jan Kaluža wrote:I think logrotate should skip rotation of files in unsafe directories and show error message instead. Logrotate should also contain something like "--force" switch (this name is already used, so we have to find better one, but I don't have anything better in mind just now). With this switch logrotate should *not* skip unsafe directories and rotate them as it currently does, but show the error message. Basically it allows backward compatibility."--override-unsafe-directory-check" perhaps? Make it a long option, so that there is no doubt that the user is doing something that's potentially dangerous. (I am following this discussion with great interest.)
It seems there is now a consensus on this (at least that's how I'm reading it). Here is what I plan to do with CVE ids unless someone speaks up. As best as I can tell, logrotate only needs a CVE id for this: 8) Issue #8: logrotate: TOCTOU race condition by creation of new files (between opening the file and moment, final permissions have been applied) [information disclosure] It was found that logrotate utility used insecure default permissions, when creating of new files (time-of-check, time-of-use, TOCTOU race condition). In some specific configurations, a local attacker could use this flaw to open the new file before the final permissions have been applied, leading to disclosure of sensitive information. A different vulnerability than: [1] https://bugzilla.redhat.com/show_bug.cgi?id=680787 (Issue #1) References: [14] https://bugzilla.redhat.com/show_bug.cgi?id=680798 Source code background (issue reason): [15] https://bugzilla.redhat.com/show_bug.cgi?id=680798#c3 We then will need to assign IDs for various broken uses of /var/log (If someone has a list of the currently known ones, please pass it along) What does everyone think? Thanks. -- JB
Current thread:
- Re: CVE Request -- logrotate -- nine issues, (continued)
- Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 05)
- Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 06)
- Re: CVE Request -- logrotate -- nine issues Jan Lieskovsky (Mar 04)
- Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
- Re: CVE Request -- logrotate -- nine issues Steven M. Christey (Mar 04)
- Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
- Re: CVE Request -- logrotate -- nine issues Jan Lieskovsky (Mar 04)
- Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 05)
- Re: CVE Request -- logrotate -- nine issues Jan Kaluža (Mar 07)
- Re: CVE Request -- logrotate -- nine issues Paul Martin (Mar 07)
- Re: CVE Request -- logrotate -- nine issues Josh Bressers (Mar 07)
- Re: CVE Request -- logrotate -- nine issues Ludwig Nussel (Mar 07)
- Re: CVE Request -- logrotate -- nine issues Josh Bressers (Mar 10)
- Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 10)
- Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 10)
- Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 10)
- Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 11)
- Re: CVE Request -- logrotate -- nine issues Ludwig Nussel (Mar 11)
- Re: CVE Request -- logrotate -- nine issues Ludwig Nussel (Mar 23)
- Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 05)