Date: Thu, 24 Jan 2013 17:53:38 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/23/2013 09:25 AM, Jan Lieskovsky wrote: > Hello vendors, > > just FYI notification that haproxy upstream has recently corrected >  improper dropping of supplementary groups  after setuid / > setgid calls. > > We have further investigated this issue and have reasons to believe > that by itself this is NOT a security issue (another flaw would > need to be found in haproxy this to be actually possible to use for > something interesting). > > For now we are considering this fix to be a preventive measure / > security hardening (but took the time to notify you explicitly > about this as you might still want to backport it into affected > versions). > > Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat > Security Response Team > > P.S.:  https://bugzilla.redhat.com/show_bug.cgi?id=894626  > http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3 > So to be clear: haproxy fails to properly drop group privileges. Why isn't this classified as a security vulnerability? Well there is no way to exploit this that we're aware of, if you know a way to exploit this please let us know. What would make this a security vulnerability? Let's say for example haproxy had an option to read or write to a file and did this with the privileges it failed to drop (granting the attacker privilege escalation) then it would be a security vulnerability. So again, if you know of a way to exploit this please let us know, otherwise we will continue to consider this a security hardening issue and not a security vulnerability. So as for this tweet: "@chort0 http://seclists.org/oss-sec/2013/q1/174 … I didn't know about that claim -- I guess it explains why such great effort was made to not call it a vuln" I wasn't aware of this claim by haproxy and to be honest I don't care. I assigned something like 1,600 CVE's last year, trust me, I'm not afraid to annoy people by assigning CVEs that might embarrass them. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRAdeSAAoJEBYNRVNeJnmTzUAQAJ8zJnXdcC65GcXgKw8niVag g394V6cIYIxXQ299eJLENKXPM64sqL/WEt8JrdIOQwaU9xntxVp9Z7JT5wKmgbLa HICqLd9pHKfrlZngbId/61uc3P+u6BtIq3fUZfBNMePfUm+Rk18DHNerqZSXZZ9t epFz2E/T5RCN+SOzH1ov6WGqB02+aY2JuoWDICYdFX8iDiMA0ZJI4pPCMhX9maNE dLwiP1RtmHP2WbBmFZKC9faGgIsOFAoMLdJ2d0qMzQV1QgUNNkUYsFQe+PoeJNjY NGfDoFbezZurJvfbfRYmva0Ze/JVfUsTEwSm7OwnTpNvKNZv7N+G8aAvQap5taVH 8JreDNp0YC4ByuNzRzKtR2iuKxu2ILSYhr1xtzt8uQhERmZvMol/Z6jvBhAJgRZK J9WP0xXE8476XDCvo7KQafTEBESApEBkcMXL3DDunyQPNbquzG5lk+RV71I1HsJZ TJg+CLgOEllVD2+CXjF6yuvRlnZRLiBCa0H81YuvmzgKFX4uMYJxBTjI9TnklnNN MNZQ9o2sQaHj36mNl3/kJftBtveRCDZSmVXhwls8eBp0ysN4mkdycRyTMOITSywu OJIaKcFe7NtflqWU9sZFgchMsMO0WUlVTOK1Jm896/aJs+nNM9Z4/STceFGvsZmq W40gi3vx3MUWF0Rbp1i7 =77BF -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.