Date: Fri, 20 Oct 2017 15:37:58 -0700 From: Seth Arnold <seth.arnold@...onical.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync On Thu, Oct 19, 2017 at 08:32:55PM +0000, Robert Watson wrote: > Scripts depend on the underlying functionality of the various utilities > like rsync that they call. I'm having trouble understanding how a script > could ever be deserving of a CVE. Maybe I'm wrong. I wish to be educated. I'm not sure what 'script' vs 'not-script' has to do with anything. 'Script' really just means "interpreted programming language" and says nothing about the threat model in use. This ftpsync script and similar scripts are the primary tool for mirroring Debian, Ubuntu, and other derived Linux distributions, to the mirror networks that support many millions of computers. Probably other programs use rsync without --safe-links when they should. I didn't know the option existed until this thread was started (seriously, rsync(1) is a HUGE manpage) so I'm grateful to the original reporter for sending it along. > We are overwhelmed with more vulnerabilities than can be fixed quickly > already. Yes. > Are "just to be safer" type things really a wise use of our resources? Yes. I think we all wish to see software that's less likely to fail. > Does a proliferation of a large number of low-caliber problems make > monitoring these lists more trouble than it's worth? Does it cause > high-impact problems to be lost amongst low-impact ones? It's up to you how you prioritize your time. For this issue, I updated my own personal mirroring script and a co-worker updated our wiki page: https://wiki.ubuntu.com/Mirrors/Scripts These steps took a few minutes and are unlikely to cause problems so it was an easy choice. Filing for a CVE for a wiki page feels like a waste of time so I'm not going to bother. The page is fixed and users can adopt the change if they wish. Thanks Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.