On 10.12.2010 03:10, Florian Zumbiehl wrote:
> Package: mumble-server
> Version: 1.1.8-2
> Severity: grave
> Justification: privilege escalation vulnerability
> Tags: security
>
> There was a privilege escalation vulnerability in logrotate that I reported
> about four years ago and which finally got fixed in testing roughly one
> year ago (see bug #388608). In lenny this vulnerability still exists and
> logrotate's maintainer doesn't seem to be interested in fixing it,
> given that nothing of substance has happened since I last notified him
> of the problem about two weeks ago.

From your link it does not look very critical (no proof etc.).
Also, you could contact the release team if you think that the maintainer is not taking the necessary steps.


> As a proof of concept, I did successfully use it to elevate my privileges
> from the postgres user to root. As it affects packages where the log
> directory is writable for the package's system user, I based this mass
> filing on a rough analysis of maintainer scripts, avoiding the effort
> of actually installing and testing each individual package.
>
> These lines from this package's maintainer scripts suggest that it likely
> is affected by the vulnerability:
>
> ---------------------------------------------------------------------------
> chmod 0750 /var/log/mumble-server
> chown mumble-server:adm /var/log/mumble-server
> ---------------------------------------------------------------------------

As minimal as needed..


> Please note that the analysis this mass filing is based on also is
> roughly a year old, and anyhow I don't recall which Debian suite I based
> it on at that time--as such, this report may be against the wrong version
> and otherwise outdated in some details. Given how much effort I have
> already needlessly put into this, I hope you have some understanding
> for me not polishing this bug report.
>
> Primarily I am filing this bug in order to allow the maintainers of
> packages using logrotate to work around logrotate if they deem that
> necessary.

From your thread on -qa I am reading that we all (every maintainer who is "affected" by this) should apply a patch to the stable and squeeze release? And this patch would mean that log messages may get lost?
a) that is a no-go
b) logrotate has to be fixed then, not ~53 packages worked around

So I intend to close the three RC bugs I got from you about it, but I think it is a good idea to ask debian-release.


http://lists.debian.org/debian-qa/2010/11/msg00024.html
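The reporter's method (scanning maintainer scripts for log directories handed to a service user), as an added Python example that is not part of this bug report or of any Debian package: it parses chown/chmod lines like the two quoted above and lists the /var/log directories a non-root account ends up able to write to, which is the precondition the report describes. The sample postinst lines and the root:root 0755 starting state of each directory are constructed assumptions.

```python
import re
import shlex

LOG_ROOT = "/var/log"

# Constructed sample in the style of a Debian postinst; not any real package's script.
SAMPLE_POSTINST = """\
#!/bin/sh
chmod 0750 /var/log/mumble-server
chown mumble-server:adm /var/log/mumble-server
chown root:adm /var/log/example-daemon
chmod 0775 /var/log/example-daemon
chown root:root /var/log/safe-daemon   # stays root-owned and not group-writable
"""

def parse_script(text):
    """Owner/group/mode that chown/chmod lines assign to paths under /var/log.
    Assumption: a directory starts as root:root 0755 (mkdir under umask 022)."""
    state = {}
    for raw in text.splitlines():
        try:
            argv = shlex.split(raw.split("#", 1)[0])
        except ValueError:
            continue  # unbalanced quotes: not a plain chown/chmod line
        args = [a for a in argv[1:] if not a.startswith("-")]  # drop flags such as -R
        if len(args) < 2 or argv[0] not in ("chown", "chmod"):
            continue
        for path in args[1:]:
            if path != LOG_ROOT and not path.startswith(LOG_ROOT + "/"):
                continue
            st = state.setdefault(path, {"owner": "root", "group": "root", "mode": 0o755})
            if argv[0] == "chown":
                owner, _, group = args[0].partition(":")
                st["owner"], st["group"] = owner or st["owner"], group or st["group"]
            elif re.fullmatch(r"[0-7]{3,4}", args[0]):  # symbolic modes (g+w) not modelled
                st["mode"] = int(args[0], 8) & 0o7777
    return state

def risky_dirs(state):
    """Directories a non-root account can write to, with the reason for each."""
    report = {}
    for path, st in state.items():
        reasons = []
        if st["owner"] != "root":
            reasons.append("owned by " + st["owner"])
        if st["mode"] & 0o020 and st["group"] != "root":
            reasons.append("group-writable by " + st["group"])
        if reasons:
            report[path] = reasons
    return report
```

Run on an unpacked package's postinst/postrm in place of SAMPLE_POSTINST to get the same rough triage the report was based on; a hit means the directory still needs an actual check against the logrotate version in use.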