Re: privilege escalation and potential data loss in logrotate

2010-12-11 Thread Holger Levsen
Hi,

On Saturday, 11 December 2010, Florian Zumbiehl wrote:
> I was up to, plus anyone on d-qa who read my mail there also could have
> pointed me in the right direction, so I won't take the blame for that.

I've read your mail to debian-qa some weeks ago and I've read the bug report. Which stated

Re: privilege escalation and potential data loss in logrotate

2010-12-10 Thread Florian Zumbiehl
Hi,

> (copying the thread to debian-devel, where mass-bug-fills *has to* be
> discussed, not d-qa)

As such I would suggest completely moving this thread over to d-devel and dropping d-qa from subsequent mails.

[...]

> > If I don't see any solution emerging in a reasonable time frame, my next
> >

Re: privilege escalation and potential data loss in logrotate

2010-12-10 Thread Olaf van der Spek
On Fri, Dec 10, 2010 at 11:00 AM, Paul Martin wrote:
> On Fri, Dec 10, 2010 at 10:17:53AM +0100, Sandro Tosi wrote:
>
>> If you really care about this problem, which is nice, try to get
>> logrotate fixed.
>
> As I have said before, I do welcome patches that don't break existing
> functionality or

Re: privilege escalation and potential data loss in logrotate

2010-12-10 Thread Paul Martin
On Fri, Dec 10, 2010 at 10:17:53AM +0100, Sandro Tosi wrote:
> If you really care about this problem, which is nice, try to get
> logrotate fixed.

As I have said before, I do welcome patches that don't break existing functionality or introduce new race conditions. None of my emails to Florian ar

Re: privilege escalation and potential data loss in logrotate

2010-12-10 Thread Sandro Tosi
(copying the thread to debian-devel, where mass-bug-fills *has to* be discussed, not d-qa)

On Sat, Nov 20, 2010 at 08:23, Florian Zumbiehl wrote:
> Hi,
>
> The short summary:
>
> 1. There is a privilege escalation vulnerability in stable's logrotate,
>    verified to work for switching from the po

Re: privilege escalation and potential data loss in logrotate

2010-11-21 Thread Florian Zumbiehl
Hi,

> On Sat, Nov 20, 2010 at 08:23:44AM +0100, Florian Zumbiehl wrote:
> > The short summary:
> >
> > 1. There is a privilege escalation vulnerability in stable's logrotate,
> >    verified to work for switching from the postgres user to root, probably
> >    affecting the system users of about

Re: privilege escalation and potential data loss in logrotate

2010-11-21 Thread Paul Martin
On Sat, Nov 20, 2010 at 08:23:44AM +0100, Florian Zumbiehl wrote:
> The short summary:
>
> 1. There is a privilege escalation vulnerability in stable's logrotate,
>    verified to work for switching from the postgres user to root, probably
>    affecting the system users of about 40 packages. A fi

privilege escalation and potential data loss in logrotate

2010-11-20 Thread Florian Zumbiehl
Hi,

The short summary:

1. There is a privilege escalation vulnerability in stable's logrotate, verified to work for switching from the postgres user to root, probably affecting the system users of about 40 packages. A fix for this has been in testing for about a year now, the original bu