https://bugzilla.novell.com/show_bug.cgi?id=891268
https://bugzilla.novell.com/show_bug.cgi?id=891268#c0
Summary: Squid permissions and setbadness handling
Classification: openSUSE
Product: openSUSE Factory
Version: 201407*
Platform: All
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: boris@steki.net
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
Squid proxy server now has correct permissions handling and as such at this moment uses setBadness in squid-rpmlintrc, so to be able to push this change into Factory we need it to be resolved with the security team.
Reproducible: Always
https://bugzilla.novell.com/show_bug.cgi?id=891268#c1
Boris Manojlovic boris@steki.net changed:
CC: added boris@steki.net
--- Comment #1 from Boris Manojlovic boris@steki.net 2014-08-11 09:09:36 UTC --- Development Project: server:proxy/squid
https://bugzilla.novell.com/show_bug.cgi?id=891268#c2
Marcus Meissner meissner@suse.com changed:
CC: added meissner@suse.com
Summary: "Squid permissions and setbadness handling" -> "AUDIT-0: server:proxy/squid permissions and setbadness handling"
--- Comment #2 from Marcus Meissner meissner@suse.com 2014-08-11 13:27:25 UTC ---
/var/cache/squid/          squid:root    750
/var/log/squid/            squid:root    750
/usr/sbin/pinger           root:squid    4750
/usr/sbin/basic_pam_auth   root:shadow   2750
are the permissions wanted.
First comments:
- we lived without pinger being setuid root for now. Why is it needed now?
- basic_pam_auth ... sounds like a helper we have in various iterations, /sbin/unix2_chkpwd or /sbin/unix_chkpwd; we could use those.
- logfiles ... ?
https://bugzilla.novell.com/show_bug.cgi?id=891268#c3
--- Comment #3 from Boris Manojlovic boris@steki.net 2014-08-12 13:30:04 UTC ---
Why now all of this?
I have just followed all the things that are supposed to be done when packaging this package, as outlined in the packaging guidelines.
- Logfiles sure can be removed (that is not new stuff; look at the package in Factory https://build.opensuse.org/package/view_file/openSUSE:Factory/squid/squid.pe...)
- pinger: no need; it is anyway for a very specific use case with upstream proxy servers
- basic_pam_auth: you are correct, but I do not have time to write a C wrapper by myself at this moment
For me returning everything as it was is OK, but it is up to you to decide.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c4
--- Comment #4 from Marcus Meissner meissner@suse.com 2014-08-14 08:11:17 UTC --- we just need to review the things, which is a usual step in the process.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c5
--- Comment #5 from Boris Manojlovic boris@steki.net 2014-08-14 08:17:51 UTC --- Just realized that my comment could be interpreted as not well intended, for which I sincerely apologize. I was questioning myself, not you, with the first question. There was no intention to rush anything in your workflow. Sometimes text cannot express the meaning of the thought process of the person behind the keyboard.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c6
--- Comment #6 from Christian Wittmer chris@computersalat.de 2014-09-04 16:50:46 UTC --- I did the 'setuid' root for /usr/sbin/pinger.
pinger does not work without being 'setuid' root. If you have other ideas on how to get this fixed, then just let me know. I am open to any suggestion.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c7
--- Comment #7 from Sebastian Krahmer krahmer@suse.com 2014-09-09 08:39:37 UTC --- Created an attachment (id=605504) --> (http://bugzilla.novell.com/attachment.cgi?id=605504) squid-icmp-DoS.patch
Fixing a DoS in the ICMP pinger.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c8
--- Comment #8 from Sebastian Krahmer krahmer@suse.com 2014-09-09 08:42:17 UTC --- Please remove the suid bit from pinger and instead use the file capability "cap_net_raw". This suffices for opening RAW sockets. We use the same for the ping binary too. It should work out of the box. If it doesn't, we can adjust the pinger code.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c9
Marcus Meissner meissner@suse.com changed:
Summary: "AUDIT-0: server:proxy/squid permissions and setbadness handling" -> "AUDIT-0: VUL-1: CVE-2014-0486: server:proxy/squid permissions and setbadness handling"
Alias: added CVE-2014-0486
--- Comment #9 from Marcus Meissner meissner@suse.com 2014-09-11 14:29:16 UTC --- CVE-2014-0486 was assigned to pinger issue apparently.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c10
Swamp Workflow Management swamp@suse.de changed:
Priority: P5 - None -> P4 - Low
--- Comment #10 from Swamp Workflow Management swamp@suse.de 2014-09-11 22:00:11 UTC --- bugbot adjusting priority
https://bugzilla.novell.com/show_bug.cgi?id=891268#c11
--- Comment #11 from Marcus Meissner meissner@suse.com 2014-09-12 13:08:46 UTC --- sebastian, did you email the squid people?
https://bugzilla.novell.com/show_bug.cgi?id=891268#c12
SMASH SMASH smash_bz@suse.de changed:
Status Whiteboard: added maint:planned:update
--- Comment #12 from SMASH SMASH smash_bz@suse.de 2014-09-12 13:15:14 UTC --- Affected packages:
SLE-11-SP3: squid3
SLE-11-SP3-PRODUCTS: squid3
SLE-11-SP3-UPTU: squid3
https://bugzilla.novell.com/show_bug.cgi?id=891268#c13
Amos Jeffries squid3@treenet.co.nz changed:
CC: added squid3@treenet.co.nz
--- Comment #13 from Amos Jeffries squid3@treenet.co.nz 2014-09-13 15:26:20 UTC --- Squid mail server is down at present so official line of contact is cut. But I (upstream) am aware of this from reading this bug report anyway, so upstream patch and release fixing the array access segfault will be published over the next few days.
CVE-2014-0486 appears to have been assigned to unrelated software judging by the Debian security team records for it. Am getting that checked. The last advisory we were allocated was in the 36nn range, so I expect this will be something higher.
A patch implementing the cap_net_raw permission is greatly appreciated. It can be linked here or mailed to me directly.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c14
Marcus Meissner meissner@suse.com changed:
Summary: "AUDIT-0: VUL-1: CVE-2014-0486: server:proxy/squid permissions and setbadness handling" -> "AUDIT-0: VUL-1: server:proxy/squid permissions and setbadness handling"
Alias: removed CVE-2014-0486
--- Comment #14 from Marcus Meissner meissner@suse.com 2014-09-16 05:15:21 UTC --- The CVE was incorrectly used here, another CVE is needed for squid/pinger dos.
https://bugzilla.novell.com/show_bug.cgi?id=891268#c15
--- Comment #15 from Sebastian Krahmer krahmer@suse.com 2014-09-16 07:16:50 UTC --- For me the code looks like it could run with cap_net_raw as is. The setgid/setuid won't fail if it's running non-suid, and it automatically drops gid/uid in case it's made +s.
If you experience other problems with the caps, I am happy to provide a patch.
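As an added example of the arrangement comments #8 and #15 describe (written for this page, not Squid's pinger code, and with function names of my own): the raw ICMP socket is opened while the process still holds privilege, whether from the 4750 setuid bit or from a cap_net_raw file capability, the process then drops to its real uid/gid (a harmless no-op in the non-suid case), and a CapEff check on /proc/self/status confirms whether cap_net_raw is actually in effect.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a raw ICMP socket; works under setuid root or cap_net_raw alike.
 * Returns the fd, or -1 with errno set (EPERM/EACCES when unprivileged). */
int open_icmp_raw_socket(void) {
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Drop to the real uid/gid once the socket is open. setgid() goes first:
 * after setuid() to a non-root user the group can no longer be changed.
 * Without a setuid bit (file-capability setup) the real and effective ids
 * already match, so both calls succeed as no-ops (comment #15's point). */
int drop_to_real_ids(void) {
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;
    return 0;
}

/* 1 when no setuid/setgid privilege remains (effective ids == real ids). */
int ids_are_real(void) { return geteuid() == getuid() && getegid() == getgid(); }

/* Parse CapEff from /proc/self/status: 1 if CAP_NET_RAW (bit 13) is in the
 * effective set, 0 if not, -1 if unreadable. Confirms "setcap cap_net_raw+ep". */
int has_cap_net_raw_effective(void) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256]; int result = -1;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long mask = strtoull(line + 7, NULL, 16);
            result = (int)((mask >> 13) & 1ULL);
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void) {
    int fd = open_icmp_raw_socket();   /* opened while still privileged */
    if (drop_to_real_ids() != 0) { perror("drop_to_real_ids"); return 1; }
    printf("raw socket fd=%d cap_net_raw=%d ids_real=%d\n", fd,
           has_cap_net_raw_effective(), ids_are_real());
    return fd >= 0 ? close(fd) : 0;
}
```

Installed 0750 root:squid instead of 4750, `setcap cap_net_raw+ep /usr/sbin/pinger` grants only the raw-socket privilege, and `getcap /usr/sbin/pinger` shows whether it is set.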
https://bugzilla.novell.com/show_bug.cgi?id=891268#c16
--- Comment #16 from Boris Manojlovic boris@steki.net 2014-09-16 08:38:26 UTC --- Created an attachment (id=606482) --> (http://bugzilla.novell.com/attachment.cgi?id=606482) icmp pinger DOS patch updated to compile on 3.4.7
Fixed patch for ICMP DoS: the forgotten function prototype is fixed.
--- Comment #20 from Bernhard Wiedemann bwiedemann@suse.com --- This is an autogenerated message for OBS integration: This bug (891268) was mentioned in https://build.opensuse.org/request/show/259903 Factory / permissions
Swamp Workflow Management swamp@suse.de changed:
Whiteboard: "maint:planned:update" -> "maint:planned:update ibs:running:1207:moderate"
Swamp Workflow Management swamp@suse.de changed:
Whiteboard: "maint:planned:update ibs:running:1207:moderate" -> "maint:planned:update"
http://bugzilla.novell.com/show_bug.cgi?id=891268#c26
--- Comment #26 from Swamp Workflow Management swamp@suse.de --- SUSE-RU-2015:1848-1: An update that has 6 recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 685093,891268,895647,904060,906336,943471
CVE References:
Sources used:
SUSE Linux Enterprise Server 12 (src): permissions-2015.09.28.1626-3.1
SUSE Linux Enterprise Desktop 12 (src): permissions-2015.09.28.1626-3.1
Swamp Workflow Management swamp@suse.de changed:
Whiteboard: "maint:planned:update" -> "maint:planned:update obs:running:4169:moderate"
Swamp Workflow Management swamp@suse.de changed:
Whiteboard: "maint:planned:update obs:running:4169:moderate" -> "maint:planned:update"
http://bugzilla.novell.com/show_bug.cgi?id=891268#c27
--- Comment #27 from Swamp Workflow Management swamp@suse.de --- openSUSE-RU-2015:1973-1: An update that has 6 recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 685093,891268,895647,904060,906336,943471
CVE References:
Sources used:
openSUSE Leap 42.1 (src): permissions-2015.09.28.1626-5.1
Swamp Workflow Management swamp@suse.de changed:
Whiteboard: removed "maint:planned:update"