Hi,

The short summary:

1. There is a privilege escalation vulnerability in stable's logrotate, verified to work for switching from the postgres user to root, probably affecting the system users of about 40 packages. A fix for this has been in testing for about a year now, the original bug report and a first patch have been in the bug tracker for about four years now.

2. The fix in testing introduces a regression that can cause loss of log messages where no such loss was possible before. A fix for this regression has been available to the maintainer and the security team for about a year now but has not been integrated so far.

Got your attention? Good, let me elaborate a bit:

First of all, it's bug #388608. Unfortunately, quite a bit of the interesting communication was private, either with the maintainer, or with the security team, or both, so I can't reference it in some public location, and just pasting my own text fragments into this mail probably would not be particularly enlightening either. As far as the vulnerability is concerned, I guess the available information at least is sufficient to get some clue as to what the problem is and how serious it is.

Regarding the regression in the fix: With previous versions, it was guaranteed that unless you used the copytruncate option, you would not ever lose log messages due to rotation. With the fix, this guarantee does not exist anymore in cases where the program writing to the log file as well as logrotate may create the log file when it doesn't exist (which is a common setup, and which cannot even be avoided in many cases).

Now, the problem is that I don't really recall all the details anymore either, and it would be some effort to get into it again. Given the little success my efforts have had so far, I am not willing to put in that work for potentially no gain.
If you have any specific questions, feel free to ask, I'll do my best to give you the information I have, and if I see that this is actually going somewhere, maybe I'm even going to devote some more cycles to this again. If I don't see any solution emerging in a reasonable time frame, my next step would be a more-or-less mass filing against all those packages that some rough analysis suggests are affected by either the vulnerability or the regression so that their maintainers can take measures to work around the problem if they want to.

Florian

Archive: http://lists.debian.org/20101120072344.ga20...@florz.florz.dyndns.org
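The mail contrasts rename-based rotation, which never lost messages, with the copytruncate option, which can. The following added example (not part of Florian's mail and not logrotate's own code) simulates both strategies in Python against a writer that holds a long-lived, append-mode descriptor, the way a daemon does, and shows exactly which message disappears in the copytruncate window. The "rotation window" write is a constructed stand-in for whatever the logging process emits between the copy and the truncate; the creation race that the mail says the fix introduced is not modelled here, since the mail does not give enough detail to reproduce it faithfully.

```python
import os
import shutil
import tempfile


def rotate_by_rename(path):
    """Rename-based rotation (logrotate's default plus the 'create' directive).
    The writer's descriptor now refers to path.1, so nothing it writes in the
    meantime is lost; it lands in the rotated file until the daemon reopens."""
    os.rename(path, path + ".1")
    with open(path, "w"):  # fresh, empty file under the old name
        pass


def rotate_by_copytruncate(path, writer):
    """copytruncate: copy the contents to path.1, then truncate path in place.
    Anything written after the copy but before the truncate is discarded."""
    with open(path, "rb") as src, open(path + ".1", "wb") as dst:
        dst.write(src.read())
    # Constructed race: the logging process writes inside the window.
    writer.write("message during rotation window\n")
    writer.flush()
    with open(path, "r+b") as f:
        f.truncate(0)


def run_scenario(strategy):
    """Run one rotation strategy and return every message that survived,
    rotated file first, then the current file."""
    tmp = tempfile.mkdtemp()
    try:
        path = os.path.join(tmp, "app.log")
        # Append mode gives O_APPEND, so writes after a truncate go to the new
        # end of file instead of leaving a hole at the old offset.
        writer = open(path, "a")
        writer.write("message before rotation\n")
        writer.flush()
        if strategy == "rename":
            rotate_by_rename(path)
            writer.write("message during rotation window\n")
            writer.flush()
        elif strategy == "copytruncate":
            rotate_by_copytruncate(path, writer)
        else:
            raise ValueError("unknown strategy: %s" % strategy)
        writer.write("message after rotation\n")
        writer.flush()
        writer.close()
        surviving = []
        for name in (path + ".1", path):
            with open(name) as f:
                surviving += f.read().splitlines()
        return surviving
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for strategy in ("rename", "copytruncate"):
        print(strategy, run_scenario(strategy))
```

With the rename strategy all three messages survive (they simply end up in app.log.1 because the daemon still holds that inode); with copytruncate the message written inside the window is gone, which is the loss the mail refers to when it says the old guarantee held only without copytruncate.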