Re: CVE Request -- logrotate -- nine issues

[Ludwig Nussel <ludwig.nussel () suse de>]

Florian Zumbiehl wrote:
> > On Thu, Mar 10, 2011 at 07:08:38PM +0100, Florian Zumbiehl wrote:
> > > What about these?:
> > >
> > > | However, I think that still #6 (shell injection) and #7 (logrotate
> > > | DoS with strange characters in file names) should be considered
> > > | vulnerabilities in logrotate: It would be reasonable to assume that you
> > > | can use user input that's a valid (slash-less) filename as a (part of a)
> > > | log file name (assuming that the program is running as the same user that
> > > | inspects and rotates the logs, so the log directory being writable by
> > > | the program would not be insecure per-se) without that file name being
> > > | interpreted by a shell or causing logrotate to stop functioning,
> > > | respectively.
> [...]
> > To summarize, it feels like in theory a privilege boundary could exist
> > here and be crossed on certain systems with extra software, but in
> > practice this is unlikely and it would indicate poor design of another
> > piece of software or/and false sense of security put into that privilege
> > boundary.  I don't know what this means for CVE id assignment per the
> > current "rules".
>
> I was thinking more in the direction of an existing config that includes
> a wildcard and software that uses user input to construct file names
> that would be matched by that wildcard. An example of such software
> would be samba, which tends to create per-client-host log files named
> after those hosts. I don't have a clue whether samba could be made to
> include any shell meta characters (does it even do reverse lookups for
> that?), but I guess you get the idea.

libvirt constructs log file names from user input (log file name =
VM name). The user needs to have the org.libvirt.unix.manage
privilege which bascially already is full root though.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)