Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 4 Jul 2014 07:10:48 +0000
From: Sven Kieske <S.Kieske@...twald.de>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Varnish - no CVE == bug regression

Am 03.07.2014 22:17, schrieb Stefan Bühler:> And again "user controlled
input"... a root shell also uses "user
> controlled input".

A shell differs very much from varnish:
you can configure the shell user to be just able to e.g. run
certain commands, you almost never just use the plain "shell".
you use it in the context of the operating system, which allows
you to enforce additional security boundaries, and often does this by
default.
you can restrict certain shells to allow just specific commands.
and after all, a shell is build to execute code/commands, varnish
is there to serve cached web documents and to speed things up.

So I really think:

With different intended usecases come different security models
and different considerations what is a flaw or breach in this
model.

if you think the use case for varnish is to get crashed, well
I just have to wonder what's that use case for?

Even the varnish devs seem to agree this is unwanted behaviour
or why do they fix it?

This is merely about if(in general) and which(specific)
"unwanted behaviour" is considered a security vulnerability.

And today, the tendency is most times to not tolerate any
"unwanted behaviour" in any software.

Keep in mind this opens up more unexplored codepaths and can
boil down, to what is widely known as "weird machines".
(visit langsec.org for many interesting papers on input validation ;) )

Also Kurt did really sum it up very well, imho, so this will be my
last post to this thread.



-- 
Mit freundlichen Grüßen / Regards

Sven Kieske

Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ