http://bugzilla.suse.com/show_bug.cgi?id=1150554 Matthias Gerstner changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |1156643 Comment #1 is|1 |0 private| | Group|SUSE Security Internal, | |novellonly | -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1150554 Bug 1150554 depends on bug 1156643, which changed state. Bug 1156643 Summary: VUL-0: CVE-2019-18932: sarg: insecure usage of /tmp/sarg allows privilege escalation / DoS vector http://bugzilla.suse.com/show_bug.cgi?id=1156643 What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1150554 http://bugzilla.suse.com/show_bug.cgi?id=1150554#c5 --- Comment #5 from Matthias Gerstner --- I have replaced the submission by sr#780202 in the meantime. In the original approach only the cron job dropped privileges. But this could have caused additional security issues when somebody calls sarg-reports a different way (e.g. manually on the command line). Therefore I've moved the privilege drop code into the sarg-reports script itself. It now drops privilege to the owner:group of the /srv/www/sarg directory. This also allows users to easily restore the original behaviour with sarg running as root, if desired for some reason. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1150554 http://bugzilla.suse.com/show_bug.cgi?id=1150554#c7 --- Comment #7 from Thomas Abraham --- I got an email about sarg build failing in factory since March 19th. I'm assuming that they haven't been whitelisted yet? Log shows: [ 30s] sarg.x86_64: E: cronjob-changed-file (Badness: 10000) /etc/cron.daily/suse.de-sarg [ 30s] sarg.x86_64: E: cronjob-changed-file (Badness: 10000) /etc/cron.monthly/suse.de-sarg [ 30s] sarg.x86_64: E: cronjob-changed-file (Badness: 10000) /etc/cron.weekly/suse.de-sarg [ 30s] A cron job or cron job related file installed by this package changed [ 30s] in content. Please open a bug report to request follow-up review of the [ 30s] introduced changes by the security team. Please refer to [ 30s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for [ 30s] more information. [ 30s] [ 30s] (none): E: badness 30000 exceeds threshold 1000, aborting. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1150554 http://bugzilla.suse.com/show_bug.cgi?id=1150554#c9 --- Comment #9 from Matthias Gerstner --- A fix is on the way via sr#790150 to Factory. Sorry for the inconvenience, turned out test coverage was still not high enough for the new rpmlint-check. -- You are receiving this mail because: You are on the CC list for the bug.