Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 11 Mar 2011 17:17:48 +0300
From: Solar Designer <solar@...nwall.com>
To: Florian Zumbiehl <florz@...rz.de>
Cc: oss-security@...ts.openwall.com, Josh Bressers <bressers@...hat.com>,
	"Steven M. Christey" <coley@...us.mitre.org>,
	Stefan Fritsch <sf@...itsch.de>, Petr Uzel <petr.uzel@...e.cz>,
	Thomas Biege <thomas@...e.de>, Jan Kalu??a <jkaluza@...hat.com>
Subject: Re: CVE Request -- logrotate -- nine issues

On Thu, Mar 10, 2011 at 10:32:43PM +0100, Florian Zumbiehl wrote:
> > > | However, I think that still #6 (shell injection) and #7 (logrotate
> > > | DoS with strange characters in file names) should be considered
> > > | vulnerabilities in logrotate: ...
[...]
> I was thinking more in the direction of an existing config that includes
> a wildcard and software that uses user input to construct file names
> that would be matched by that wildcard. An example of such software
> would be samba, which tends to create per-client-host log files named
> after those hosts. I don't have a clue whether samba could be made to
> include any shell meta characters (does it even do reverse lookups for
> that?), but I guess you get the idea.

This makes sense, and I agree that it's a reason for logrotate to treat
log filenames as potentially untrusted input.  It's probably also a
reason to get CVE ids assigned.

Thank you for explaining the attack vector here!

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.