oss-sec mailing list archives
Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 24 Jan 2013 17:53:38 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/23/2013 09:25 AM, Jan Lieskovsky wrote:
Hello vendors, just FYI notification that haproxy upstream has recently corrected [2] improper dropping of supplementary groups [1] after setuid / setgid calls. We have further investigated this issue and have reasons to believe that by itself this is NOT a security issue (another flaw would need to be found in haproxy this to be actually possible to use for something interesting). For now we are considering this fix to be a preventive measure / security hardening (but took the time to notify you explicitly about this as you might still want to backport it into affected versions). Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team P.S.: [1] https://bugzilla.redhat.com/show_bug.cgi?id=894626 [2] http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3
So to be clear: haproxy fails to properly drop group privileges. Why isn't this classified as a security vulnerability? Well there is no way to exploit this that we're aware of, if you know a way to exploit this please let us know. What would make this a security vulnerability? Let's say for example haproxy had an option to read or write to a file and did this with the privileges it failed to drop (granting the attacker privilege escalation) then it would be a security vulnerability. So again, if you know of a way to exploit this please let us know, otherwise we will continue to consider this a security hardening issue and not a security vulnerability. So as for this tweet: "@chort0 http://seclists.org/oss-sec/2013/q1/174 … I didn't know about that claim -- I guess it explains why such great effort was made to not call it a vuln" I wasn't aware of this claim by haproxy and to be honest I don't care. I assigned something like 1,600 CVE's last year, trust me, I'm not afraid to annoy people by assigning CVEs that might embarrass them. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRAdeSAAoJEBYNRVNeJnmTzUAQAJ8zJnXdcC65GcXgKw8niVag g394V6cIYIxXQ299eJLENKXPM64sqL/WEt8JrdIOQwaU9xntxVp9Z7JT5wKmgbLa HICqLd9pHKfrlZngbId/61uc3P+u6BtIq3fUZfBNMePfUm+Rk18DHNerqZSXZZ9t epFz2E/T5RCN+SOzH1ov6WGqB02+aY2JuoWDICYdFX8iDiMA0ZJI4pPCMhX9maNE dLwiP1RtmHP2WbBmFZKC9faGgIsOFAoMLdJ2d0qMzQV1QgUNNkUYsFQe+PoeJNjY NGfDoFbezZurJvfbfRYmva0Ze/JVfUsTEwSm7OwnTpNvKNZv7N+G8aAvQap5taVH 8JreDNp0YC4ByuNzRzKtR2iuKxu2ILSYhr1xtzt8uQhERmZvMol/Z6jvBhAJgRZK J9WP0xXE8476XDCvo7KQafTEBESApEBkcMXL3DDunyQPNbquzG5lk+RV71I1HsJZ TJg+CLgOEllVD2+CXjF6yuvRlnZRLiBCa0H81YuvmzgKFX4uMYJxBTjI9TnklnNN MNZQ9o2sQaHj36mNl3/kJftBtveRCDZSmVXhwls8eBp0ysN4mkdycRyTMOITSywu OJIaKcFe7NtflqWU9sZFgchMsMO0WUlVTOK1Jm896/aJs+nNM9Z4/STceFGvsZmq W40gi3vx3MUWF0Rbp1i7 =77BF -----END PGP SIGNATURE-----
Current thread:
- [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Jan Lieskovsky (Jan 23)
- Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Kurt Seifried (Jan 24)