(copying the thread to debian-devel, where mass bug filings *have to* be discussed, not d-qa)
On Sat, Nov 20, 2010 at 08:23, Florian Zumbiehl <fl...@florz.de> wrote:
> Hi,
>
> The short summary:
>
> 1. There is a privilege escalation vulnerability in stable's logrotate,
> verified to work for switching from the postgres user to root, probably
> affecting the system users of about 40 packages. A fix for this has
> been in testing for about a year now; the original bug report and a
> first patch have been in the bug tracker for about four years now.
>
> 2. The fix in testing introduces a regression that can cause loss of
> log messages where no such loss was possible before. A fix for this
> regression has been available to the maintainer and the security team
> for about a year now but has not been integrated so far.
>
> Got your attention? Good, let me elaborate a bit:
>
> First of all, it's bug #388608. Unfortunately, quite a bit of the
> interesting communication was private, either with the maintainer, or
> with the security team, or both, so I can't reference it in some public
> location, and just pasting my own text fragments into this mail probably
> would not be particularly enlightening either.
>
> As far as the vulnerability is concerned, I guess the available
> information at least is sufficient to get some clue as to what the
> problem is and how serious it is.
>
> Regarding the regression in the fix: With previous versions, it was
> guaranteed that unless you used the copytruncate option, you would not
> ever lose log messages due to rotation. With the fix, this guarantee
> does not exist anymore in cases where the program writing to the log
> file as well as logrotate may create the log file when it doesn't exist
> (which is a common setup, and which cannot even be avoided in many
> cases).
>
> Now, the problem is that I don't really recall all the details anymore
> either, and it would be some effort to get into it again. Given the
> little success my efforts have had so far, I am not willing to put in
> that work for potentially no gain. If you have any specific questions,
> feel free to ask; I'll do my best to give you the information I have,
> and if I see that this is actually going somewhere, maybe I'm even going
> to devote some more cycles to this again.
>
> If I don't see any solution emerging in a reasonable time frame, my next
> step would be a more-or-less mass filing against all those packages that
> some rough analysis suggests are affected by either the vulnerability
> or the regression, so that their maintainers can take measures to work
> around the problem if they want to.

So, instead of fixing logrotate in stable (did you contact the release team to ask if an NMU is possible?), so just one package, you preferred to file 32 bugs[1] for all the affected packages?

Also, with phrases like "I don't remember how I made the tests, or if the bugs are still there, but trust me there's a problem", it's kinda upsetting and/or unprofessional.

[1] http://bugs.debian.org/cgi-bin/pkgreport.cgi?submitter=florz%40florz.de#_0_1_4

If you really care about this problem, which is nice, try to get logrotate fixed.

Regards,
--
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi

Archive: http://lists.debian.org/aanlktikz7u+2bxzjwdns9fndeveg-=hfeems3l-zi...@mail.gmail.com