Bug#357561: privilege escalation hole

[Russ Allbery <rra@debian.org>]

Daniel Leidert <daniel.leidert@wgdd.de> writes:

> Package: apache
> Followup-For: Bug #357561

> Why isn't anybody of the official maintainers reacting or commenting on
> this bug? There are 3(!) completely undocumented downgrades of a bug,
> that IMHO (from reading) fits the "grave" severity.

The downgrades aren't undocumented.  Look at the full downgrade messages.
The first time it was downgraded, the comment was:

    unexplained severity inflation

Then an explanation was added, and the second time the bug was downgraded,
the comment was:

    holes depending on terminal exploits have not been treated as RC

which I believe is still correct.

Controlling terminal exploits are possible but hard, and in this
particular case, requires a fairly specific alignment of issues: Apache
must be started with -F, which is an unusual way of running Apache to
start with, and the root shell has to be left open long enough for someone
to discover this state and run an exploit.  Usually people who routinely
run Apache with -F are doing so via something like runit or supervise,
which already won't have a controlling terminal, and running Apache -F by
hand is normally only done for debugging.

I certainly agree that it would be good to fix the bug, but I also can see
why the severity was downgraded.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>