On 14.10.2016 10:07, paul.sz...@sydney.edu.au wrote:
>> So while I think it should be fixed, this would not warrant a DSA,
>> since mitigated by default in Debian.
> No mitigation: fix and DSA, please!

I agree with Salvatore. I have tested the following:

First of all you can only gain write permissions as the tomcat8 user if
you exploit an yet unknown security vulnerability in a web application
or Tomcat itself. Debian's tomcat8 user has no shell access by default.

So the server must be running and somehow you managed to remove
/tmp/tomcat8-tomcat8-tmp and replaced the directory with a symlink to an
arbitrary file.

Your attack vector requires that the server must be restarted. But there
is another rm -rf "$JVM_TMP" command in the stop target that would
remove your symlink again.

Ok, let's imagine that you could find a way around the rm -rf commands.
Let's remove those rm -rf "$JVM_TMP" calls in /etc/init.d/tomcat8. Then
run systemctl daemon-reload. Log in as tomcat8 user and create your
symlink for /tmp/tomcat8-tomcat8-tmp. If I run systemctl restart tomcat8
now, I get this:

Job for tomcat8.service failed because the control process exited with
error code.

The symlink is still present and nothing has changed regarding the file
permissions for my arbitrary file.

I agree that we should improve the init script in this regard but I
actually don't see a major risk like a root escalation for users at the
moment and I suggest to lower the severity of this bug report to important.

> What response time should I have expected of team@security? You had
> close to a whole day... compared to that, Markus replied within the
> hour to the Debian bug. (But he did not yet reply to my next, private
> bug/message... seems public messaging works best!)

In my opinion it is generally understood that you should give people at
least enough time to react to an e-mail and to assess the issue.
Expecting a response time in less than a day is not very reasonable,
especially when there are things like the time difference between
Australia and Europe.



Attachment: signature.asc
Description: OpenPGP digital signature

This is the maintainer address of Debian's Java team
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to