Date: Wed, 5 Jul 2017 22:03:45 +0200
From: Pali Rohár <pali.rohar@...il.com>
To: oss-security@...ts.openwall.com
Cc: Ben Tasker <ben@...tasker.co.uk>
Subject: Re: systemd fails to parse user that should run service

On Wed, Jul 5, 2017 at 12:28, Ben Tasker wrote:
> Honestly, I think upstream have done an *awful* job of handling it so far
> (and it's far from the only example of Poettering taking the not-a-bug
> approach questionably). Their issues do have a habit of attracting trolls,
> but I think sometimes their definition of troll expands to include anyone
> who doesn't agree with them.

The worst is the fact that the discussion about this problem was locked in
the upstream bug tracker. Therefore there is no other option than to continue
the discussion about this, which I think is a security issue, here on the
oss-security list. But the problem is that upstream does not have to monitor
this list and therefore they would ignore any results.

> FWIW, I'd be inclined to agree that it needs a CVE so that downstream
> distros can at least refer to it, and decide how (and if) they want to
> address it. Even if they decide to stick with upstream's approach, having
> the CVE at least gives them something to make sure package reviewers refer
> to.

From the whole discussion (and not only there) it looks like assigning
a CVE should really be done, as more downstream distributions do not
follow systemd's "allowed" characters in usernames and need to handle
this problem somehow: either by patching systemd or by changing the
validation for adding new user names into the system...

Is somebody going to ask MITRE for a CVE? Or should it be done by Red Hat?
Because the upstream bug is locked, it is not possible to ask upstream...

> I think the approach SUSE has taken is pretty good, and it's basically the
> kind of fix I'd have liked to see upstream put in place (though in their
> case, the suggestion of a config var to define whether it's acceptable is
> also a very good suggestion).

-- 
Pali Rohár
pali.rohar@...il.com
