Control: severity -1 normal
Control: found -1 8.0.14-1
Hi Paul,
On Sat, Oct 15, 2016 at 07:25:59AM +1100, paul.sz...@sydney.edu.au wrote:
> Dear Salvatore,
>
> > You are operating here outside of /tmp (sticky world-writable
> > directory) which the above issue for the init scripts relies on,
>
Dear Salvatore,
> You are operating here outside of /tmp (sticky world-writable
> directory) which the above issue for the init scripts relies on,
> right? fs.protected_(hardlinks|symlinks) is exactly a hardening for
> those issues:
> https://www.kernel.org/doc/Documentation/sysctl/fs.txt
I see:
Dear Markus,
Sorry to reply again.
> ... But there is another rm -rf "$JVM_TMP" command in the stop target
> that would remove your symlink again.
I now see what you mean. There is an rm when you "stop" tomcat, and
another in the "start"; so maybe there are two in restart. No matter:
I watch (wi
Hi Paul,
Markus already followed up; I just want to give some additional
comments on the below:
On Fri, Oct 14, 2016 at 07:07:52PM +1100, paul.sz...@sydney.edu.au wrote:
> Dear Salvatore,
>
> > ... if the attacker created a symlink between the rm and the mkdir
> > then mkdir will still fail with
Dear Markus,
> First of all you can only gain write permissions as the tomcat8 user if
> you exploit a yet unknown security vulnerability in a web application
> or Tomcat itself. Debian's tomcat8 user has no shell access by default.
Yes, this is a privilege escalation issue: exactly as in DSA-36
On 14.10.2016 10:07, paul.sz...@sydney.edu.au wrote:
[...]
>> So while I think it should be fixed, this would not warrant a DSA,
>> since mitigated by default in Debian.
>
> No mitigation: fix and DSA, please!
I agree with Salvatore. I have tested the following:
First of all you can only gain wr
Dear Salvatore,
> ... if the attacker created a symlink between the rm and the mkdir
> then mkdir will still fail with -p on a symlink. (Or do I miss
> something?). ...
Yes, you missed a simple test:
$ mkdir mydir
$ ln -s mydir mylink
$ ls -ld my*
drwx-- 2 psz amstaff 4096 Oct 14 18:46 mydi
Hi Paul, hi Markus,
On Fri, Oct 14, 2016 at 08:42:11AM +1100, paul.sz...@sydney.edu.au wrote:
> Dear Markus,
>
> >> [ I contacted t...@security.debian.org about this, but no response ... ]
> > ... Please send them to the security team
> > first and not to a public mailing list.
>
> I did. They did
Dear Markus,
>> [ I contacted t...@security.debian.org about this, but no response ... ]
> ... Please send them to the security team
> first and not to a public mailing list.
I did. They did not reply within what seemed a reasonable timeframe.
>> Recently DSA-3670 was released, and /etc/init.d/t
On 13.10.2016 22:22, Paul Szabo wrote:
> Package: tomcat8
> Version: 8.0.14-1+deb8u3
> Severity: critical
> Tags: security
> Justification: root security hole
>
>
> [ I contacted t...@security.debian.org about this, but no response ... ]
I am CCing the security team in case they want to chime in
Package: tomcat8
Version: 8.0.14-1+deb8u3
Severity: critical
Tags: security
Justification: root security hole
[ I contacted t...@security.debian.org about this, but no response ... ]
Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so:
...
NAME=tomcat8
...
JVM_TMP=/tmp/tomcat8-$