Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171020223757.GA28323@hunt>
Date: Fri, 20 Oct 2017 15:37:58 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-8805: Unsafe symlinks not filtered in
 Debian mirror script ftpsync

On Thu, Oct 19, 2017 at 08:32:55PM +0000, Robert Watson wrote:
> Scripts depend on the underlying functionality of the various utilities
> like rsync that they call. I'm having trouble understanding how a script
> could ever be deserving of a CVE. Maybe I'm wrong. I wish to be educated.

I'm not sure what 'script' vs 'not-script' has to do with anything.
'Script' really just means "interpreted programming language" and says
nothing about the threat model in use.

This ftpsync script and similar scripts are the primary tool for mirroring
Debian, Ubuntu, and other derived Linux distributions, to the mirror
networks that support many millions of computers.

Probably other programs use rsync without --safe-links when they should.
I didn't know the option existed until this thread was started (seriously,
rsync(1) is a HUGE manpage) so I'm grateful to the original reporter
for sending it along.

> We are overwhelmed with more vulnerabilities than can be fixed quickly
> already.

Yes.

> Are "just to be safer" type things really a wise use of our resources?

Yes. I think we all wish to see software that's less likely to fail.

> Does a proliferation of a large number of low-caliber problems make
> monitoring these lists more trouble than it's worth? Does it cause
> high-impact problems to be lost amongst low-impact ones?

It's up to you how you prioritize your time. For this issue, I updated my
own personal mirroring script and a co-worker updated our wiki page:
https://wiki.ubuntu.com/Mirrors/Scripts
These steps took a few minutes and are unlikely to cause problems so it
was an easy choice. Filing for a CVE for a wiki page feels like a waste of
time so I'm not going to bother. The page is fixed and users can adopt the
change if they wish.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.