Date: Fri, 4 Jul 2014 07:10:48 +0000
From: Sven Kieske <S.Kieske@...twald.de>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Varnish - no CVE == bug regression

On 03.07.2014 22:17, Stefan Bühler wrote:
> And again "user controlled input"... a root shell also uses "user
> controlled input".

A shell differs very much from varnish:
You can configure the shell user to be just able to e.g. run
certain commands, you almost never just use the plain "shell".
You use it in the context of the operating system, which allows
you to enforce additional security boundaries, and often does this by
default.
You can restrict certain shells to allow just specific commands.
And after all, a shell is built to execute code/commands, varnish
is there to serve cached web documents and to speed things up.

So I really think:

With different intended use cases come different security models
and different considerations what is a flaw or breach in this
model.

If you think the use case for varnish is to get crashed, well
I just have to wonder what's that use case for?

Even the varnish devs seem to agree this is unwanted behaviour
or why do they fix it?

This is merely about if (in general) and which (specific)
"unwanted behaviour" is considered a security vulnerability.

And today, the tendency is most times to not tolerate any
"unwanted behaviour" in any software.

Keep in mind this opens up more unexplored codepaths and can
boil down to what is widely known as "weird machines".
(visit langsec.org for many interesting papers on input validation ;) )

Also Kurt did really sum it up very well, imho, so this will be my
last post to this thread.



-- 
Kind regards

Sven Kieske

System administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
