On Tue, Dec 03, 2013 at 07:42:39PM +0100, Josselin Mouette wrote:
> -------- Forwarded message --------
> From: Jef Spaleta <jspaleta@gmail.com>
> To: Josselin Mouette <joss@debian.org>
> Subject: Re: FYI: for the systemd security debate.
> Date: Mon, 2 Dec 2013 23:39:59 -0900
>
> Evening,
>
> So looking deeper into the upstart bug tracker..... I just don't think
> people have bothered filing CVE requests against upstart at
> all..ever...for anything..even though there have clearly been some
> SERIOUS system security impacting bugs that have reached users in
> Ubuntu releases.

> here's an example of a file descriptor leak in upstart, with
> exploit code which could cause a service level DoS by chewing up
> all available file descriptors. Canonical did an internal
> review...didn't request a cve or external impact assessment..and
> decided it was a normal bug fix.

> https://bugs.launchpad.net/upstart/+bug/83099

> The severity of this is basically the same level of the journald
> related CVE-2013-4393

It does appear to me that this bug should have been treated as a security
bug, but for some reason the developers who did the analysis at the time
felt that "the potential impact on [the affected Ubuntu release] is
negligible".  I don't know why, but all other things being equal, I would
assume that they're right that it wasn't exploitable in the release in
question and therefore didn't warrant a CVE.

This bug is also six years old.  I don't think it makes sense to judge any
project by how bugs were being handled 6 years ago.

> here is an example of a simple programming mistake that led to a
> user space upstart job causing the pid 1 process to fall over and
> die. Fixed in an update... no CVE requested.

> https://bugs.launchpad.net/upstart/+bug/807293

> This is pretty severe. unprivileged user job taking down pid 1
> entirely.

It is a severe error, but it was only exploitable in a configuration that no
one ever shipped.
RHEL6 shipped with upstart 0.6.5, which predated the changes upstream to
allow user sessions (first introduced in release 0.9.0).  SuSE shipped
upstart 0.3.9.  Ubuntu shipped 0.9.7, which did have the bug, but with a
dbus configuration that prohibited non-root access to the problematic calls.

As there were no known downstreams affected by this issue in practice, we
did not consider this to warrant a CVE.

> Here's an example of a FULL ROOT ACCESS exploit from console.
> Fixed release in Ubuntu with an update... no CVE.

> https://bugs.launchpad.net/upstart/+bug/63852

This bug only affected a pre-release version of Ubuntu... seven years ago.
The bug is marked as being present only in the Ubuntu-specific packaging.
We are generally not in the habit of requesting CVEs for prerelease-only
issues.

> I do not share his accusations of bad faith; after all, Ubuntu being
> both upstream and downstream for this piece of software, it is
> understandable that some developers focus on fixing bugs quickly rather
> than asking for CVE numbers. However, I find this habit of not
> registering CVEs worrying for two reasons.
>      1. It is the sign of insufficient security awareness from some
>         developers. Even if Debian were to adopt upstart and make these
>         habits change, it is plausible that some developers would not
>         take appropriate measures, should new bugs be found.
>      2. If we are to consider past security issues (which again, is
>         normal in any software package, even well designed) as a metric
>         for the current security status of available init systems, I am
>         afraid we are lacking data on upstart.

A careful analysis of the presented bugs does not support this conclusion.
If a security-relevant bug had turned up in upstart that affected a release
that was being used downstream, we would certainly take that seriously and
follow all the relevant procedures (CVE request, cross-vendor notification,
etc.)  In practice, TTBOMK this has never been the case.
Certainly, any bug that had warranted a security update in an Ubuntu stable
release would have received a CVE assignment.  There haven't been any of
those.

> I don’t know whether Jef’s list is complete. It would be nice if someone
> had the time to dig into old upstart bugs to see which ones would have
> mandated a security label.

I think that would be a great waste of the tech committee's time and
attention.  When you start digging for security issues in prerelease code
that doesn't /warrant/ a CVE, this is no longer an apples-to-apples
comparison.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org