oss-sec mailing list archives
Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync
From: Robert Watson <robertcwatson1 () gmail com>
Date: Thu, 19 Oct 2017 20:32:55 +0000
Scripts depend on the underlying functionality of the various utilities like rsync that they call. I'm having trouble understanding how a script could ever be deserving of a CVE. Maybe I'm wrong. I wish to be educated.

We are overwhelmed with more vulnerabilities than can be fixed quickly already. Are "just to be safer" type things really a wise use of our resources? Does a proliferation of a large number of low-caliber problems make monitoring these lists more trouble than it's worth? Does it cause high-impact problems to be lost amongst low-impact ones?

On Thu, Oct 19, 2017, 15:46 Seth Arnold <seth.arnold () canonical com> wrote:
> On Wed, Oct 18, 2017 at 04:55:07PM -0400, Robert Watson wrote:
> > Removing the ability for rsync to copy symlinks pointing to targets outside
> > the mirror tree would greatly cripple it. I need to understand how the
> > danger is worth the loss of this functionality.
>
> Note that the fix isn't modifying rsync, the fix is modifying the ftpsync
> script that calls rsync:
>
> + RSYNC_OPTIONS=${RSYNC_OPTIONS:-"-prltvHSB8192 --safe-links --timeout 3600 --stats --no-human-readable"}
>
> https://anonscm.debian.org/cgit/mirror/archvsync.git/commit/?id=d1ca2ab2210990b6dfb664cd6776a41b71c48016
>
> Of course for people who run this mirroring tool as a specific user
> account and set file permissions appropriately this is more or less a
> no-op. But this is a useful hardening for people who run the ftpsync
> command as a user with too many privileges. (I wouldn't have bothered
> filing for a CVE for this change; I see it as a simple hardening change.)
>
> This option shouldn't cripple ftpsync as a well-run repository is highly
> unlikely to have symlinks pointing out of the tree. A repository with
> symlinks pointing out of the tree is already not a suitable rsync source.
>
> Thanks
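
Review bot: on the `+ RSYNC_OPTIONS=` line, `--safe-links` sits only inside the `${RSYNC_OPTIONS:-...}` default, so a mirror whose configuration already sets RSYNC_OPTIONS keeps its own value and never picks up the flag. Consider passing `--safe-links` to rsync separately from the overridable option string, or documenting that a custom RSYNC_OPTIONS has to include it.
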
-- Robert "DocSalvager" Watson ... trust in truth keeps hope alive www.DocSalvage.info
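
A way to check the point quoted above, that a well-run repository should have no symlinks pointing out of the tree, as an added example that is not part of the original message and is not code from ftpsync or rsync. It applies a lexical rule (absolute targets, or relative targets that climb above the root) as an approximation of what the rsync manual describes for `--safe-links`; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find symlinks in a mirror tree that point outside it.

# link_escapes ROOT LINK: exit 0 if LINK's target is absolute or climbs above
# ROOT. Purely lexical (only readlink touches the disk), so dangling links
# are judged too. Runs in a subshell so IFS and set -f stay local.
link_escapes() (
    root=${1%/}; link=$2
    target=$(readlink "$link") || exit 1      # not a symlink
    case $target in /*) exit 0 ;; esac        # absolute: outside the tree
    rel=${link#"$root"/}
    case $rel in */*) dir=${rel%/*} ;; *) dir= ;; esac
    set -f; IFS=/
    depth=0                                   # directories below ROOT
    for part in $dir; do depth=$((depth + 1)); done
    for part in $target; do
        case $part in
            ''|.) ;;
            ..) depth=$((depth - 1))
                if [ "$depth" -lt 0 ]; then exit 0; fi ;;
            *)  depth=$((depth + 1)) ;;
        esac
    done
    exit 1
)

# audit_tree ROOT: print each escaping link as "LINK -> TARGET".
# Assumes file names contain no newlines.
audit_tree() {
    find "${1%/}" -type l | while IFS= read -r link; do
        if link_escapes "$1" "$link"; then
            printf '%s -> %s\n' "$link" "$(readlink "$link")"
        fi
    done
}

# make_sample_tree: build a constructed (not real) mirror layout, print its path.
make_sample_tree() {
    t=$(mktemp -d) && mkdir -p "$t/dists/stable" "$t/pool" &&
    ln -s ../../pool "$t/dists/stable/inside" &&          # stays in the tree
    ln -s ../../../outside/file "$t/dists/stable/up" &&   # climbs above ROOT
    ln -s /outside/file "$t/pool/abs" &&                  # absolute target
    printf '%s\n' "$t"
}

# Audit the directory given as $1, or the constructed sample tree.
audit_tree "${1:-$(make_sample_tree)}"
```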