Bug#727708: upstart (security) bugs
Hi,
a friend of mine mentioned (not in a pub, but in a serious discussion
about systemd & upstart) that he looked into upstart bugs more closely,
and found an alarming trend of security bugs that were not flagged as
such.
I do not share his accusations of bad faith; after all, Ubuntu being
both upstream and downstream for this piece of software, it is
understandable that some developers focus on fixing bugs quickly rather
than asking for CVE numbers. However, I find this habit of not
registering CVEs worrying for two reasons.
1. It is the sign of insufficient security awareness from some
developers. Even if Debian were to adopt upstart and make these
habits change, it is plausible that some developers would not
take appropriate measures, should new bugs be found.
2. If we are to consider past security issues (which again, is
normal in any software package, even well designed) as a metric
for the current security status of available init systems, I am
afraid we are lacking data on upstart.
I don’t know whether Jef’s list is complete. It would be nice if someone
had the time to dig into old upstart bugs to see which ones would have
mandated a security label.
-------- Forwarded message --------
From: Jef Spaleta <jspaleta@gmail.com>
To: Josselin Mouette <joss@debian.org>
Subject: Re: FYI: for the systemd security debate.
Date: Mon, 2 Dec 2013 23:39:59 -0900
Evening,
So looking deeper into the upstart bug tracker..... I just don't think
people have bothered filing CVE requests against upstart at
all..ever...for anything..even though there have clearly been some
SERIOUS system security impacting bugs that have reached users in
Ubuntu releases.
here's an example of a file descriptor leak in upstart, with exploit
code which could cause a service level DoS by chewing up all available
file descriptors. Canonical did an internal review...didn't request a
CVE or external impact assessment..and decided it was a normal bug
fix.
https://bugs.launchpad.net/upstart/+bug/83099
The severity of this is basically the same level of the journald
related CVE-2013-4393
here is an example of a simple programming mistake that led to a user
space upstart job causing the pid 1 process to fall over and die.
Fixed in an update... no CVE requested.
https://bugs.launchpad.net/upstart/+bug/807293
This is pretty severe. unprivileged user job taking down pid 1 entirely.
Here's an example of a FULL ROOT ACCESS exploit from console. Fixed
release in Ubuntu with an update... no CVE.
https://bugs.launchpad.net/upstart/+bug/63852
So here's the big problem with looking at CVEs. Single distribution
solutions... like upstart...are much much less likely to use the CVE
system at all to register security issues.
You deep dive into upstart's bug tracker on launchpad, and you're going
to keep finding more and more examples of classic security impact
bugs..just no one is actually labelling them as security impacters. The
worrisome thing here is that Canonical and the Ubuntu release
management have NOT felt the need to classify the problems as security
impactors. If I had a dog in the debian fight, I'd be very very tempted
to call the lack of CVEs on these past security issues bad faith...as
if Canonical was trying to purposely avoid calling attention to the
severity of these problems. But I do love bug 63852...it's a very
elegant backdoor on the console.
-jef
--
.''`. Josselin Mouette
: :' :
`. `'
`-