oss-sec mailing list archives

Re: CVE Request -- logrotate -- nine issues


From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Tue, 8 Mar 2011 08:59:03 +0100

Josh Bressers wrote:
> [...]
> It seems there is now a consensus on this (at least that's how I'm reading
> it). Here is what I plan to do with CVE ids unless someone speaks up.
> 
> As best as I can tell, logrotate only needs a CVE id for this:
> 
>     8) Issue #8: logrotate: TOCTOU race condition by creation of new files
>        (between opening the file and the moment the final permissions have
>        been applied) [information disclosure]


Ack.
 
> We then will need to assign IDs for various broken uses of /var/log (If
> someone has a list of the currently known ones, please pass it along)

AFAICS on openSUSE Factory we have:
cobbler
inn
safte-monitor
uucp

service-owned log dirs without logrotate:
cups
horde

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
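The create-then-chmod race from issue #8 above, as an added illustration that is not part of the original thread and not logrotate's own code: the racy creator opens the new log with the umask-derived mode and only tightens it afterwards (and does so by path, so a symlink swapped in meanwhile is followed), while the hardened creator opens with O_EXCL and owner-only permissions and adjusts through the descriptor. The function names, the 0640 target mode, the umask of 022 and the temp directory under /tmp are assumptions of the example.

```c
/* Added example for the logrotate issue #8 discussion; not logrotate's code.
 * Function names, the 0640 target mode and the /tmp probe dir are illustrative.
 * POSIX/Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern (what issue #8 describes): the file is born with
 * 0666 & ~umask, typically 0644, and is only tightened afterwards.
 * mode_at_open records what a concurrent reader sees in that window.
 * chmod() by path also re-resolves the name, so a symlink swapped in
 * between the two calls gets its target chmod'ed instead. */
static int create_log_racy(const char *path, mode_t final_mode, mode_t *mode_at_open)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0)
        return -1;
    if (mode_at_open && fstat(fd, &st) == 0)
        *mode_at_open = st.st_mode & 07777;
    /* <-- window: another local user can open(path, O_RDONLY) here */
    if (chmod(path, final_mode) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hardened pattern: create atomically with owner-only permissions
 * (O_EXCL refuses a pre-existing file or symlink), then adjust through
 * the descriptor so nothing re-resolves the path and the file is never
 * readable by others. An fchown(fd, uid, gid) would follow the same rule. */
static int create_log_safe(const char *path, mode_t final_mode, mode_t *mode_at_open)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    if (mode_at_open && fstat(fd, &st) == 0)
        *mode_at_open = st.st_mode & 07777;
    if (fchmod(fd, final_mode) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Probe: run one creator on a fresh file in a temp dir (assumed under /tmp)
 * with umask 022, then try a second create on the same path. Reports the
 * mode at open, the final mode and the errno of the second attempt (0 if
 * it succeeded). Returns 0 on success, -1 if the probe itself failed. */
static int probe(int (*creator)(const char *, mode_t, mode_t *),
                 int *mode_at_open, int *final_mode, int *second_errno)
{
    char dir[] = "/tmp/lograce.XXXXXX";
    char path[64];
    struct stat st;
    mode_t seen = 0;
    int fd, fd2, rc = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/messages", dir);
    umask(022);
    fd = creator(path, 0640, &seen);
    if (fd >= 0 && fstat(fd, &st) == 0) {
        *mode_at_open = (int)seen;
        *final_mode = (int)(st.st_mode & 07777);
        errno = 0;
        fd2 = creator(path, 0640, NULL);
        *second_errno = fd2 < 0 ? errno : 0;
        if (fd2 >= 0)
            close(fd2);
        rc = 0;
    }
    if (fd >= 0)
        close(fd);
    unlink(path);
    rmdir(dir);
    return rc;
}

/* Fixed-value accessors so each observation can be checked by name. */
int racy_mode_at_open(void) { int a, b, c; return probe(create_log_racy, &a, &b, &c) ? -1 : a; }
int racy_second_errno(void) { int a, b, c; return probe(create_log_racy, &a, &b, &c) ? -1 : c; }
int safe_mode_at_open(void) { int a, b, c; return probe(create_log_safe, &a, &b, &c) ? -1 : a; }
int safe_final_mode(void)   { int a, b, c; return probe(create_log_safe, &a, &b, &c) ? -1 : b; }
int safe_second_errno(void) { int a, b, c; return probe(create_log_safe, &a, &b, &c) ? -1 : c; }

int main(void)
{
    printf("racy: mode at open %04o, second create errno %d (%s)\n",
           racy_mode_at_open(), racy_second_errno(), strerror(racy_second_errno()));
    printf("safe: mode at open %04o, final %04o, second create errno %d (%s)\n",
           safe_mode_at_open(), safe_final_mode(), safe_second_errno(),
           strerror(safe_second_errno()));
    return 0;
}
```

The racy creator shows the file as 0644 the instant it exists and happily truncates an already-present file on a second run; the hardened one is 0600 from the first instruction, ends at the requested 0640, and fails with EEXIST (rather than following whatever an attacker pre-placed at that name) if the path already exists.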

