Re: privilege escalation and potential data loss in logrotate

[Sandro Tosi <morph@debian.org>]

(copying the thread to debian-devel, where mass-bug-fills *has to* be
discussed, not d-qa)

On Sat, Nov 20, 2010 at 08:23, Florian Zumbiehl <florz@florz.de> wrote:
> Hi,
>
> The short summary:
>
> 1. There is a privilege escalation vulnerability in stable's logrotate,
>   verified to work for switching from the postgres user to root, probably
>   affecting the system users of about 40 packages. A fix for this has
>   been in testing for about a year now, the original bug report and a
>   first patch have been in the bug tracker for about four years now.
>
> 2. The fix in testing introduces a regression that can cause loss of
>   log messages where no such loss was possible before. A fix for this
>   regression has been available to the maintainer and the security team
>   for about a year now but has not been integrated so far.
>
> Got your attention? Good, let me elaborate a bit:
>
> First of all, it's bug #388608. Unfortunately, quite a bit of the
> interesting communication was private, either with the maintainer, or
> with the security team, or both, so I can't reference it in some public
> location, and just pasting my own text fragments into this mail probably
> would not be particularly enlightening either.
>
> As far as the vulnerability is concerned, I guess the available
> information at least is sufficient to get some clue as to what the
> problem is and how serious it is.
>
> Regarding the regression in the fix: With previous versions, it was
> guaranteed that unless you used the copytruncate option, you would not
> ever lose log messages due to rotation. With the fix, this guarantee
> does not exist anymore in cases where the program writing to the log
> file as well as logrotate may create the log file when it doesn't exist
> (which is a common setup, and which cannot even be avoided in many
> cases).
>
> Now, the problem is that I don't really recall all the details anymore
> either, and it would be some effort to get into it again. Given the
> little success my efforts have had so far, I am not willing to put in
> that work for potentially no gain. If you have any specific questions,
> feel free to ask, I'll do my best to give you the information I have,
> and if I see that this is actually going somewhere, maybe I'm even going
> devote some more cycles to this again.
>
> If I don't see any solution emerging in a reasonable time frame, my next
> step would be a more-or-less mass filing against all those packages that
> some rough analysis suggests are affected by either the vulnerability
> or the regression so that their maintainers can take measures to work
> around the problem if they want to.

So, instead of fixing logrotate in stable (did you contact release
team to ask if a NMU is possible?), so just one package, you preferred
to file 32 bugs[1] for all the affected packages? also with phrases
like "I don't remember how I made the tests, or if the bugs are still
there, but trust me there's a problem" it's kinda upsetting and/or
unprofessional.

[1] http://bugs.debian.org/cgi-bin/pkgreport.cgi?submitter=florz%40florz.de#_0_1_4

If you really care about this problem, which is nice, try to get
logrotate fixed.

Regards,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi