Package: pyicqt
Version: 0.8.1.3-2
Severity: grave
Justification: privilege escalation vulnerability
Tags: security
There was a privilege escalation vulnerability in logrotate that I reported about four years ago and which finally got fixed in testing roughly one year ago (see bug #388608). In lenny this vulnerability still exists and logrotate's maintainer doesn't seem to be interested in fixing it, given that nothing of substance has happened since when I last notified him of the problem about two weeks ago. As a proof of concept, I did successfully use it to elevate my privileges from the postgres user to root.

As it affects packages where the log directory is writable for the package's system user, I based this mass filing on a rough analysis of maintainer scripts, avoiding the effort of actually installing and testing each individual package. These lines from this package's maintainer scripts suggest that it likely is affected by the vulnerability:

---------------------------------------------------------------------------
chown -R pyicqt:adm /var/log/pyicqt
---------------------------------------------------------------------------

Please note that the analysis this mass filing is based on also is roughly a year old, and anyhow I don't recall which debian suite I based it on at that time--as such, this report may be against the wrong version and otherwise outdated in some details. Given how much effort I have already needlessly put into this, I hope you have some understanding for me not polishing this bug report.

Primarily I am filing this bug in order to allow the maintainers of packages using logrotate to work around logrotate if they deem that necessary. Also, you should note that the security fix in testing introduces a regression that may also affect this package which could cause data loss in situations where this couldn't happen before. A fix for this regression is available to logrotate's maintainer, also still unapplied for over a year. A mass filing against packages affected by that regression may follow later.
For some further details please see my announcement of this mass filing on debian-qa: http://lists.debian.org/debian-qa/2010/11/msg00024.html

I would also suggest to use that thread for any further discussion that is not specific to this package and possibly for coordination between maintainers of affected packages in order to avoid duplicated efforts where possible.
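The report's trigger condition is a log directory that logrotate handles but that the package's own system user (not root) can write to, as the `chown -R pyicqt:adm /var/log/pyicqt` line above produces. The following audit helper is an added example for maintainers and administrators who want to check their own systems for that condition; it is not part of the bug report or of the pyicqt or logrotate packages. It assumes GNU `stat` (Linux) and a directory of logrotate.d-style config files whose stanza headers list log paths followed by `{`; the function name `find_nonroot_writable_logdirs` and the `CONFDIR` argument are this example's own.

```sh
#!/bin/sh
# Added audit helper (not part of the bug report): lists log directories
# referenced by logrotate config stanzas that a non-root account could
# write to, i.e. the precondition the report names. Assumes GNU stat
# (Linux) and a directory of logrotate.d-style config files.
set -eu

# find_nonroot_writable_logdirs CONFDIR
# For every stanza header in CONFDIR/* of the form
#   /path/to/*.log [/more/paths] {
# print "DIR owner=USER mode=MODE" when DIR (the pattern's parent
# directory) is not owned by root or has the group or other write bit set.
# Paths containing spaces are not handled; directories absent on this
# host are skipped.
find_nonroot_writable_logdirs() {
  confdir="$1"
  {
    for conf in "$confdir"/*; do
      [ -f "$conf" ] || continue
      grep -E '^[[:space:]]*/[^{]*\{' "$conf" 2>/dev/null \
        | sed 's/{.*//' \
        | tr -s ' \t' '\n' \
        | while read -r pat; do
            [ -n "$pat" ] || continue
            parent=$(dirname "$pat")
            [ -d "$parent" ] || continue   # not present here, nothing to check
            owner=$(stat -c %U "$parent")
            mode=$(stat -c %a "$parent")
            # risky: non-root owner, or write bit for group/other (octal 022)
            if [ "$owner" != root ] || [ $(( 0$mode & 022 )) -ne 0 ]; then
              echo "$parent owner=$owner mode=$mode"
            fi
          done
    done
  } | sort -u
}

# Stand-alone use:  sh audit_logrotate_dirs.sh /etc/logrotate.d
if [ $# -gt 0 ]; then
  find_nonroot_writable_logdirs "$1"
fi
```

Each reported line names a directory that a compromised or malicious service account could manipulate between logrotate's checks and its actions; for such packages the maintainer can keep the directory root-owned and non-writable by the service user, or move rotation out of logrotate as the report suggests. The check is deliberately conservative: it only inspects the parent directory of each pattern, so a world-writable ancestor higher up the path is not detected.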