oss-sec mailing list archives

Re: CVE Request -- logrotate -- nine issues

From: Josh Bressers <bressers () redhat com>
Date: Mon, 7 Mar 2011 15:30:58 -0500 (EST)

----- Original Message -----

On Mon, Mar 07, 2011 at 01:21:05PM +0100, Jan Kaluža wrote:

I think logrotate should skip rotation of files in unsafe
directories and show error message instead. Logrotate should also
contain something like "--force" switch (this name is already used,
so we have to find better one, but I don't have anything better in
mind just now). With this switch logrotate should *not* skip unsafe
directories and rotate them as it currently does, but show the error
message. Basically it allows backward compatibility.


"--override-unsafe-directory-check" perhaps? Make it a long option,
so that there is no doubt that the user is doing something that's
potentially dangerous.

(I am following this discussion with great interest.)


It seems there is now a consensus on this (at least that's how I'm reading
it). Here is what I plan to do with CVE ids unless someone speaks up.

As best as I can tell, logrotate only needs a CVE id for this:

    8) Issue #8: logrotate: TOCTOU race condition by creation of new files
       (between opening the file and moment, final permissions have been
       applied) [information disclosure]

        It was found that logrotate utility used insecure default
        permissions, when creating of new files (time-of-check,
        time-of-use, TOCTOU race condition).  In some specific
        configurations, a local attacker could use this flaw to open the
        new file before the final permissions have been applied, leading to
        disclosure of sensitive information. A different vulnerability
        than:
        [1] https://bugzilla.redhat.com/show_bug.cgi?id=680787 (Issue #1)

        References:
        [14] https://bugzilla.redhat.com/show_bug.cgi?id=680798

        Source code background (issue reason):
        [15] https://bugzilla.redhat.com/show_bug.cgi?id=680798#c3

We then will need to assign IDs for various broken uses of /var/log (If
someone has a list of the currently known ones, please pass it along)

What does everyone think?

Thanks.

-- 
    JB

Current thread:

Re: CVE Request -- logrotate -- nine issues, (continued)
- - - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 05)
    - Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 06)
  - Re: CVE Request -- logrotate -- nine issues Jan Lieskovsky (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Steven M. Christey (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Jan Lieskovsky (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 05)
    - Re: CVE Request -- logrotate -- nine issues Jan Kaluža (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Paul Martin (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Josh Bressers (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Ludwig Nussel (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Josh Bressers (Mar 10)
    - Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 10)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 10)
    - Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 10)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 11)
    - Re: CVE Request -- logrotate -- nine issues Ludwig Nussel (Mar 11)
    - Re: CVE Request -- logrotate -- nine issues Ludwig Nussel (Mar 23)
  - Re: CVE Request -- logrotate -- nine issues Pavel Labushev (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 05)

(Thread continues...)