Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 Jan 2013 17:53:38 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: [Security hardening] [Notification] haproxy (previously)
 failed to drop supplementary groups after setuid / setgid calls properly

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/23/2013 09:25 AM, Jan Lieskovsky wrote:
> Hello vendors,
> 
> just FYI notification that haproxy upstream has recently corrected
> [2] improper dropping of supplementary groups [1] after setuid /
> setgid calls.
> 
> We have further investigated this issue and have reasons to believe
> that by itself this is NOT a security issue (another flaw would
> need to be found in haproxy this to be actually possible to use for
> something interesting).
> 
> For now we are considering this fix to be a preventive measure /
> security hardening (but took the time to notify you explicitly
> about this as you might still want to backport it into affected
> versions).
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> 
> P.S.: [1] https://bugzilla.redhat.com/show_bug.cgi?id=894626 [2]
> http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3
> 

So to be clear: haproxy fails to properly drop group privileges. Why
isn't this classified as a security vulnerability?

Well there is no way to exploit this that we're aware of, if you know
a way to exploit this please let us know.

What would make this a security vulnerability? Let's say for example
haproxy had an option to read or write to a file and did this with the
privileges it failed to drop (granting the attacker privilege
escalation) then it would be a security vulnerability.

So again, if you know of a way to exploit this please let us know,
otherwise we will continue to consider this a security hardening issue
and not a security vulnerability.

So as for this tweet:

"@chort0 http://seclists.org/oss-sec/2013/q1/174 … I didn't know about
that claim -- I guess it explains why such great effort was made to
not call it a vuln"

I wasn't aware of this claim by haproxy and to be honest I don't care.
I assigned something like 1,600 CVE's last year, trust me, I'm not
afraid to annoy people by assigning CVEs that might embarrass them.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRAdeSAAoJEBYNRVNeJnmTzUAQAJ8zJnXdcC65GcXgKw8niVag
g394V6cIYIxXQ299eJLENKXPM64sqL/WEt8JrdIOQwaU9xntxVp9Z7JT5wKmgbLa
HICqLd9pHKfrlZngbId/61uc3P+u6BtIq3fUZfBNMePfUm+Rk18DHNerqZSXZZ9t
epFz2E/T5RCN+SOzH1ov6WGqB02+aY2JuoWDICYdFX8iDiMA0ZJI4pPCMhX9maNE
dLwiP1RtmHP2WbBmFZKC9faGgIsOFAoMLdJ2d0qMzQV1QgUNNkUYsFQe+PoeJNjY
NGfDoFbezZurJvfbfRYmva0Ze/JVfUsTEwSm7OwnTpNvKNZv7N+G8aAvQap5taVH
8JreDNp0YC4ByuNzRzKtR2iuKxu2ILSYhr1xtzt8uQhERmZvMol/Z6jvBhAJgRZK
J9WP0xXE8476XDCvo7KQafTEBESApEBkcMXL3DDunyQPNbquzG5lk+RV71I1HsJZ
TJg+CLgOEllVD2+CXjF6yuvRlnZRLiBCa0H81YuvmzgKFX4uMYJxBTjI9TnklnNN
MNZQ9o2sQaHj36mNl3/kJftBtveRCDZSmVXhwls8eBp0ysN4mkdycRyTMOITSywu
OJIaKcFe7NtflqWU9sZFgchMsMO0WUlVTOK1Jm896/aJs+nNM9Z4/STceFGvsZmq
W40gi3vx3MUWF0Rbp1i7
=77BF
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.