[Bug 891268] New: Squid permissions and setbadness handling
https://bugzilla.novell.com/show_bug.cgi?id=891268
https://bugzilla.novell.com/show_bug.cgi?id=891268#c0

           Summary: Squid permissions and setbadness handling
    Classification: openSUSE
           Product: openSUSE Factory
           Version: 201407*
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: boris@steki.net
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0

Squid proxy server now has correct permissions handling and as such at this moment uses setBadness in squid-rpmlintrc, so to be able to push this change into Factory we need it to be resolved with the security team.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c1

Boris Manojlovic <boris@steki.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |boris@steki.net

--- Comment #1 from Boris Manojlovic <boris@steki.net> 2014-08-11 09:09:36 UTC ---
Development Project: server:proxy/squid
https://bugzilla.novell.com/show_bug.cgi?id=891268#c2

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
            Summary|Squid permissions and       |AUDIT-0: server:proxy/squid
                   |setbadness handling         |permissions and setbadness
                   |                            |handling

--- Comment #2 from Marcus Meissner <meissner@suse.com> 2014-08-11 13:27:25 UTC ---
/var/cache/squid/         squid:root   750
/var/log/squid/           squid:root   750
/usr/sbin/pinger          root:squid   4750
/usr/sbin/basic_pam_auth  root:shadow  2750

are the permissions wanted.

First comments:
- we lived without pinger being setuid root for now. why is it needed now?
- basic_pam_auth ... sounds like a helper we have in various iterations, /sbin/unix2_chkpwd or /sbin/unix_chkpwd. we could use those.
- logfiles ... ?
https://bugzilla.novell.com/show_bug.cgi?id=891268#c3

--- Comment #3 from Boris Manojlovic <boris@steki.net> 2014-08-12 13:30:04 UTC ---
Why now all of this? I have just followed all the things that are supposed to be done when packaging this package, as outlined in the packaging guidelines.

- Logfiles sure can be removed (that is not new stuff, look at the package in Factory: https://build.opensuse.org/package/view_file/openSUSE:Factory/squid/squid.pe...)
- pinger: no need, it is anyway for a very specific use case with upstream proxy servers
- basic_pam_auth: you are correct, but I do not have time to write a C wrapper by myself at this moment

For me returning everything as it was is ok, but it is up to you to decide.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c4

--- Comment #4 from Marcus Meissner <meissner@suse.com> 2014-08-14 08:11:17 UTC ---
we just need to review the things, which is a usual step in the process.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c5

--- Comment #5 from Boris Manojlovic <boris@steki.net> 2014-08-14 08:17:51 UTC ---
Just realized that my comment could be interpreted as not well intended, for which I sincerely apologize. I was questioning myself, not you, with the first question. There was no intention to rush anything in your workflow. Sometimes text cannot express what the thought process of the person behind the keyboard meant.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c6

--- Comment #6 from Christian Wittmer <chris@computersalat.de> 2014-09-04 16:50:46 UTC ---
I did the 'setuid' root for /usr/sbin/pinger.
pinger does not work without being 'setuid' root.
If you have other ideas to get this fixed, then just let me know. I am open to any suggestion.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c7

--- Comment #7 from Sebastian Krahmer <krahmer@suse.com> 2014-09-09 08:39:37 UTC ---
Created an attachment (id=605504)
 --> (http://bugzilla.novell.com/attachment.cgi?id=605504)
squid-icmp-DoS.patch

Fixing a DoS in the ICMP pinger.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c8

--- Comment #8 from Sebastian Krahmer <krahmer@suse.com> 2014-09-09 08:42:17 UTC ---
Please remove the suid bit from pinger and instead use the file capability "cap_net_raw". This suffices for opening RAW sockets. We use the same for the ping binary too.
It should work out of the box. If it doesn't, we can adjust the pinger code.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c9

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|AUDIT-0: server:proxy/squid |AUDIT-0: VUL-1:
                   |permissions and setbadness  |CVE-2014-0486:
                   |handling                    |server:proxy/squid
                   |                            |permissions and setbadness
                   |                            |handling
              Alias|                            |CVE-2014-0486

--- Comment #9 from Marcus Meissner <meissner@suse.com> 2014-09-11 14:29:16 UTC ---
CVE-2014-0486 was assigned to pinger issue apparently.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c10

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P4 - Low

--- Comment #10 from Swamp Workflow Management <swamp@suse.de> 2014-09-11 22:00:11 UTC ---
bugbot adjusting priority
https://bugzilla.novell.com/show_bug.cgi?id=891268#c11

--- Comment #11 from Marcus Meissner <meissner@suse.com> 2014-09-12 13:08:46 UTC ---
Sebastian, did you email the Squid people?
https://bugzilla.novell.com/show_bug.cgi?id=891268#c12

SMASH SMASH <smash_bz@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            | maint:planned:update

--- Comment #12 from SMASH SMASH <smash_bz@suse.de> 2014-09-12 13:15:14 UTC ---
Affected packages:
SLE-11-SP3: squid3
SLE-11-SP3-PRODUCTS: squid3
SLE-11-SP3-UPTU: squid3
https://bugzilla.novell.com/show_bug.cgi?id=891268#c13

Amos Jeffries <squid3@treenet.co.nz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |squid3@treenet.co.nz

--- Comment #13 from Amos Jeffries <squid3@treenet.co.nz> 2014-09-13 15:26:20 UTC ---
Squid mail server is down at present so official line of contact is cut. But I (upstream) am aware of this from reading this bug report anyway, so upstream patch and release fixing the array access segfault will be published over the next few days.

CVE-2014-0486 appears to have been assigned to unrelated software judging by the Debian security team records for it. Am getting that checked. The last advisory we were allocated was in the 36nn range, so I expect this will be something higher.

A patch implementing the cap_net_raw permission is greatly appreciated. It can be linked here or mailed to me directly.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c14

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|AUDIT-0: VUL-1:             |AUDIT-0: VUL-1:
                   |CVE-2014-0486:              |server:proxy/squid
                   |server:proxy/squid          |permissions and setbadness
                   |permissions and setbadness  |handling
                   |handling                    |
              Alias|CVE-2014-0486               |

--- Comment #14 from Marcus Meissner <meissner@suse.com> 2014-09-16 05:15:21 UTC ---
The CVE was incorrectly used here, another CVE is needed for squid/pinger dos.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c15

--- Comment #15 from Sebastian Krahmer <krahmer@suse.com> 2014-09-16 07:16:50 UTC ---
For me the code looks like it could run with cap_net_raw as is. The setgid/setuid won't fail if it's running non-suid, and it automatically drops gid/uid in case it's made +s.
If you experience that there are other problems with the caps, I am happy to provide a patch.
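The privilege model comments #8 and #15 rely on, as an added example that is not Squid's pinger source and not part of this bug report: a minimal helper takes its privileged resource (the raw ICMP socket) first and then drops to the invoking uid/gid for good. The same binary works installed as root:squid 4750 and installed 0750 with the cap_net_raw=ep file capability; in the capability case the drop is a no-op because the real and effective ids already match. The function names and the regain-root check in privileges_dropped() are this example's own.

```c
/* Added example, not Squid's pinger: take the privileged resource (a raw
 * ICMP socket) first, then drop to the invoking uid/gid for good. The same
 * binary works installed setuid root (mode 4750) and installed 0750 with the
 * cap_net_raw=ep file capability: in the second case the drop is a no-op
 * because real and effective ids already match. Function names are ours. */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Open the raw ICMP socket while CAP_NET_RAW is still available, either
 * from euid 0 or from the file capability. Returns the fd, or -1 with errno
 * set (EPERM when neither privilege source is present). */
int open_icmp_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Drop to uid/gid. Order: supplementary groups, gid, then uid, because once
 * the uid is unprivileged the group calls would fail. With euid 0, setgid()
 * and setuid() change real, effective and saved ids, so the drop cannot be
 * undone; without euid 0 they are called with the ids we already have and
 * succeed as no-ops. Returns 0 on success, -1 with errno set otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;                 /* only root may change the group list */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop: all ids equal the target, and if root was given up it
 * cannot be regained. Returns 1 when the process is properly unprivileged. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)
        return 0;                  /* saved uid was still 0: not permanent */
    return 1;
}

int main(void)
{
    int fd = open_icmp_socket();
    if (fd < 0)
        fprintf(stderr, "raw ICMP socket: %s (needs euid 0 or cap_net_raw)\n",
                strerror(errno));

    /* Real ids are the invoking user's (squid) under either deployment. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("uid=%u gid=%u dropped=%d icmp_fd=%d\n",
           (unsigned)uid, (unsigned)gid, privileges_dropped(uid, gid), fd);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

To deploy it the way comment #8 asks for, clear the setuid bit and attach the capability instead (`chmod 0750 /usr/sbin/pinger; setcap cap_net_raw=ep /usr/sbin/pinger`), then confirm with `getcap /usr/sbin/pinger` that the binary carries `cap_net_raw=ep` and with `ls -l` that the mode is `-rwxr-x---`. In the permissions package's file format this is the `/usr/sbin/pinger root:squid 0750` entry followed by a `+capabilities cap_net_raw=ep` line, the same shape as the ping entry the package already ships. The socket must be opened before the drop: after setuid() to the squid user the process no longer has CAP_NET_RAW, and with the capability deployment the effective set is lost the moment the uid changes.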
https://bugzilla.novell.com/show_bug.cgi?id=891268#c16

--- Comment #16 from Boris Manojlovic <boris@steki.net> 2014-09-16 08:38:26 UTC ---
Created an attachment (id=606482)
 --> (http://bugzilla.novell.com/attachment.cgi?id=606482)
icmp pinger DOS patch updated to compile on 3.4.7

Fixed patch for ICMP DOS: the function prototype was forgotten - fixed.
http://bugzilla.novell.com/show_bug.cgi?id=891268

--- Comment #20 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (891268) was mentioned in
https://build.opensuse.org/request/show/259903 Factory / permissions
http://bugzilla.novell.com/show_bug.cgi?id=891268

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard| maint:planned:update       |maint:planned:update
                   |                            |ibs:running:1207:moderate
http://bugzilla.novell.com/show_bug.cgi?id=891268

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|maint:planned:update        |maint:planned:update
                   |ibs:running:1207:moderate   |
http://bugzilla.novell.com/show_bug.cgi?id=891268#c26

--- Comment #26 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2015:1848-1: An update that has 6 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 685093,891268,895647,904060,906336,943471
CVE References: 
Sources used:
SUSE Linux Enterprise Server 12 (src):    permissions-2015.09.28.1626-3.1
SUSE Linux Enterprise Desktop 12 (src):    permissions-2015.09.28.1626-3.1
http://bugzilla.novell.com/show_bug.cgi?id=891268

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|maint:planned:update        |maint:planned:update
                   |                            |obs:running:4169:moderate
http://bugzilla.novell.com/show_bug.cgi?id=891268

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|maint:planned:update        |maint:planned:update
                   |obs:running:4169:moderate   |
http://bugzilla.novell.com/show_bug.cgi?id=891268#c27

--- Comment #27 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2015:1973-1: An update that has 6 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 685093,891268,895647,904060,906336,943471
CVE References: 
Sources used:
openSUSE Leap 42.1 (src):    permissions-2015.09.28.1626-5.1
http://bugzilla.novell.com/show_bug.cgi?id=891268

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|maint:planned:update        |