(CC'ed debian-devel as this was a not-so-well coordinated MBF without announcement to debian-devel, dd-list, usertags; so maybe at least further discussion can happen there)
Hi Florian,

[...]

>
> These lines from this package's maintainer scripts suggest that it likely
> is affected by the vulnerability:
>
> ---------------------------------------------------------------------------
> chmod 640 $FRESHCLAMLOGFILE
> chown "$dbowner":adm $FRESHCLAMLOGFILE
> ---------------------------------------------------------------------------
>

What is wrong about these two lines? And even from ...

[...]

> For some further details please see my announcement of this mass
> filing on debian-qa:
>
> http://lists.debian.org/debian-qa/2010/11/msg00024.html
>

[...]

... I don't quite understand why this would be a problem specific to one of the packages you did the MBF for. If I get the idea of your exploit right, you replace the log file by a symlink to a root-owned file, and in some mysterious way you then seem to be able to overwrite the root-owned file. Well, it will suffice for the evil person to be in the adm group, you don't need to be the $package user for doing that.

But ok, you don't even claim there's a specific bug in our package, it's all logrotate's fault. Assuming clamav uses logrotate in a sane way (I wouldn't know of anyone claiming it does not), what should we do? Drop log rotation? Cool, thanks, then the security-tagged bug report against clamav is actually justified because it'll soon fill up your disk, possibly resulting in a DoS. Come up with its own cron job for log rotation? No, thank you.

At present, the only thing I'd plan to do is to either reassign this bug to logrotate or simply close it.

Best regards,
Michael
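(Added example, not code from the clamav package or from either of the mails above.) The point of the quoted maintainer-script lines is that chmod and chown follow symlinks, so a path that a less-privileged user or group member can replace is a path on which "chmod 640 / chown user:adm" acts on whatever the link points at. The POSIX sh helper below, written for this thread, applies owner and mode only when the path is an existing regular file and refuses symlinks and other non-files; the log path, owner and mode are assumptions, and the demonstration runs on a temporary directory with the current user as owner so it works unprivileged.

```shell
#!/bin/sh
# Added example, not from the clamav package or this thread. A helper for a
# maintainer script that sets owner and mode on a log file only if that path
# is a regular file. chmod and chown follow symlinks by default, which is why
# replacing the log file with a symlink turns a harmless "chmod 640" into a
# change on the symlink's target. Owner, file name and mode are assumptions.

set_logfile_perms() {
    logfile="$1"   # e.g. /var/log/clamav/freshclam.log (assumed path)
    owner="$2"     # user:group, e.g. "$dbowner":adm
    mode="$3"      # e.g. 640

    # A symlink is refused before anything is done to it.
    if [ -L "$logfile" ]; then
        echo "refusing $logfile: it is a symbolic link" >&2
        return 1
    fi

    # Create a missing file under a restrictive umask so it never exists
    # with wider permissions than intended. A symlink that appears between
    # the check above and this redirection would still be followed, so this
    # only narrows the race; the directory must not be writable by the
    # untrusted user for the check to mean anything.
    if [ ! -e "$logfile" ]; then
        ( umask 077 && : >"$logfile" ) || return 1
    fi

    # Anything that exists but is not a plain file (directory, fifo, device)
    # is also refused.
    if [ ! -f "$logfile" ]; then
        echo "refusing $logfile: not a regular file" >&2
        return 1
    fi

    chmod "$mode" "$logfile" && chown "$owner" "$logfile"
}

# Demonstration on a temporary directory (constructed, not a real log dir).
demo_dir=$(mktemp -d)
demo_owner="$(id -un):$(id -gn)"   # current user, so chown succeeds unprivileged

# Case 1: the "log file" is a symlink to some other file; it must be refused
# and the target's mode left alone.
: >"$demo_dir/target"
ln -s "$demo_dir/target" "$demo_dir/freshclam.log"
set_logfile_perms "$demo_dir/freshclam.log" "$demo_owner" 640 \
    || echo "symlink case refused, target mode still $(stat -c %a "$demo_dir/target")"

# Case 2: no file yet; it is created 600 and then set to the requested mode.
rm "$demo_dir/freshclam.log"
set_logfile_perms "$demo_dir/freshclam.log" "$demo_owner" 640 \
    && echo "regular file case: mode now $(stat -c %a "$demo_dir/freshclam.log")"

rm -rf "$demo_dir"
```

The check does not remove the window between the test and the chown; it only refuses the obvious case. Whether the ownership change belongs in a maintainer script or in logrotate's create directive is the question the thread is actually about, and this helper takes no position on it.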