On 14.10.2016 10:07, paul.sz...@sydney.edu.au wrote:
[...]
>> So while I think it should be fixed, this would not warrant a DSA,
>> since mitigated by default in Debian.
>
> No mitigation: fix and DSA, please!
I agree with Salvatore. I have tested the following:

First of all, you can only gain write permissions as the tomcat8 user if you exploit a yet unknown security vulnerability in a web application or Tomcat itself. Debian's tomcat8 user has no shell access by default. So the server must be running and somehow you managed to remove /tmp/tomcat8-tomcat8-tmp and replace the directory with a symlink to an arbitrary file.

Your attack vector requires that the server must be restarted. But there is another rm -rf "$JVM_TMP" command in the stop target that would remove your symlink again.

Ok, let's imagine that you could find a way around the rm -rf commands. Let's remove those rm -rf "$JVM_TMP" calls in /etc/init.d/tomcat8. Then run systemctl daemon-reload. Log in as the tomcat8 user and create your symlink for /tmp/tomcat8-tomcat8-tmp. If I run systemctl restart tomcat8 now, I get this:

Job for tomcat8.service failed because the control process exited with error code.

The symlink is still present and nothing has changed regarding the file permissions of my arbitrary file.

I agree that we should improve the init script in this regard, but I actually don't see a major risk like a root escalation for users at the moment, and I suggest lowering the severity of this bug report to important.

> What response time should I have expected of team@security? You had
> close to a whole day... compared to that, Markus replied within the
> hour to the Debian bug. (But he did not yet reply to my next, private
> bug/message... seems public messaging works best!)

In my opinion it is generally understood that you should give people at least enough time to react to an e-mail and to assess the issue. Expecting a response time of less than a day is not very reasonable, especially when there are things like the time difference between Australia and Europe.

Regards,

Markus
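The init-script improvement discussed above, as an added shell example that is neither part of this thread nor the Debian tomcat8 package's own code: instead of the "rm -rf then recreate" pattern, the temporary directory is created only when absent, and an existing path is accepted only if it is a real directory owned by the service user, so a planted symlink is refused rather than followed. The path and user name arguments are constructed placeholders.

```shell
#!/bin/sh
# Hardened preparation of the JVM temp directory for an init script.
# Example code, not the tomcat8 package's init script. Deleting and
# recreating $JVM_TMP leaves a window in which a link planted at that
# path would redirect a later chown/chmod; this function never removes
# anything and never follows a symlink.

prepare_jvm_tmp() {
    jvm_tmp="$1"   # e.g. /tmp/tomcat8-tomcat8-tmp (constructed default)
    owner="$2"     # unprivileged service user, e.g. tomcat8

    # A symbolic link at this path is exactly the planted-link case.
    if [ -L "$jvm_tmp" ]; then
        echo "refusing: $jvm_tmp is a symbolic link" >&2
        return 1
    fi

    if [ ! -e "$jvm_tmp" ]; then
        # mkdir fails (instead of following) if a link appears between the
        # test above and this call, so there is no TOCTOU hole here.
        mkdir -m 0700 "$jvm_tmp" || return 1
        # Only root can hand the directory to the service user; an init
        # script runs as root, a non-root test keeps its own ownership.
        if [ "$(id -u)" -eq 0 ]; then
            chown "$owner" "$jvm_tmp" || return 1
        fi
        return 0
    fi

    if [ ! -d "$jvm_tmp" ]; then
        echo "refusing: $jvm_tmp exists but is not a directory" >&2
        return 1
    fi

    # Existing directory: accept it only if the service user already owns
    # it; never adjust mode or ownership of something created by others.
    actual_owner=$(stat -c '%U' "$jvm_tmp") || return 1
    if [ "$actual_owner" != "$owner" ]; then
        echo "refusing: $jvm_tmp is owned by $actual_owner, not $owner" >&2
        return 1
    fi
    return 0
}
```

The service start path then calls `prepare_jvm_tmp "$JVM_TMP" "$TOMCAT8_USER" || exit 1`, so a refused path fails the start visibly rather than silently reusing it.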
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.