[Bug 891268] New: Squid permissions and setbadness handling

newer
[Bug 911620] svn server (svnserve)...

older
[Bug 963023] fontforge crash with...

bugzilla_noreply＠novell.com

11 Aug 2014 11 Aug '14

09:08

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c0 Summary: Squid permissions and setbadness handling Classification: openSUSE Product: openSUSE Factory Version: 201407* Platform: All OS/Version: Other Status: NEW Severity: Enhancement Priority: P5 - None Component: Security AssignedTo: security-team@suse.de ReportedBy: boris@steki.net QAContact: qa-bugs@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Squid proxy server now has correct permissions handling and as such in this moment uses setBadness in squid-rpmlintrc, so to be able to push this change into Factory we need it to be resolved with security team. Reproducible: Always Steps to Reproduce: 1. 2. 3. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

11 Aug 11 Aug

09:09

New subject: [Bug 891268] Squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c1 Boris Manojlovic changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |boris@steki.net --- Comment #1 from Boris Manojlovic 2014-08-11 09:09:36 UTC --- Development Project: server:proxy/squid -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:27

New subject: [Bug 891268] AUDIT-0: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c2 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com Summary|Squid permissions and |AUDIT-0: server:proxy/squid |setbadness handling |permissions and setbadness | |handling --- Comment #2 from Marcus Meissner 2014-08-11 13:27:25 UTC --- /var/cache/squid/ squid:root 750 /var/log/squid/ squid:root 750 /usr/sbin/pinger root:squid 4750 /usr/sbin/basic_pam_auth root:shadow 2750 are the permissions wanted. First comments_ - we lived without pinger being setuid root for now. why is it needed now? - basic_pam_auth ... sounds like a helper we have in various iterations /sbin/unix2_chkpwd or /sbin/unix_chkpwd we could use those. logfiles ... ? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12 Aug 12 Aug

13:30

New subject: [Bug 891268] AUDIT-0: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c3 --- Comment #3 from Boris Manojlovic 2014-08-12 13:30:04 UTC --- Why now all of this? I have just followed all things that are supposed to be done packaging this package as outlined in packaging guidelines - Logfiles sure can be removed (that is not new stuff look at package in factory https://build.opensuse.org/package/view_file/openSUSE:Factory/squid/squid.pe...) - pinger no need it is anyway for very specific use case with upstream proxy servers - basic_pam_auth you are correct but i do not have time to write c wrapper by myself in this moment For me returning everything as it was is ok but it is up to you to decide -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14 Aug 14 Aug

08:11

New subject: [Bug 891268] AUDIT-0: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c4 --- Comment #4 from Marcus Meissner 2014-08-14 08:11:17 UTC --- we just need to review the things, which is a usual step in the process. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

08:17

New subject: [Bug 891268] AUDIT-0: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c5 --- Comment #5 from Boris Manojlovic 2014-08-14 08:17:51 UTC --- Just realized that my comment could be interpreted as not well intended meaning for what I sincerely apologize. I was questioning myself not you with first question. There was no intention to rush anything in your workflow. Sometimes text can not express what was meaning of thought process of person behind keyboard. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

4 Sep 4 Sep

16:50

New subject: [Bug 891268] AUDIT-0: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c6 --- Comment #6 from Christian Wittmer 2014-09-04 16:50:46 UTC --- I did the 'setuid' root for /usr/sbin/pinger. pinger does not work without beeing 'setuid' root. If you have other ideas, to get this fixed then just let me know. I am open for any suggestion. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

9 Sep 9 Sep

08:39

New subject: [Bug 891268] AUDIT-0: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c7 --- Comment #7 from Sebastian Krahmer 2014-09-09 08:39:37 UTC --- Created an attachment (id=605504) --> (http://bugzilla.novell.com/attachment.cgi?id=605504) squid-icmp-DoS.patch Fixing a DoS in the ICMP pinger. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

08:42

New subject: [Bug 891268] AUDIT-0: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c8 --- Comment #8 from Sebastian Krahmer 2014-09-09 08:42:17 UTC --- Please remove the suid bit from pinger and instead use the file-capability "cap_net_raw". This suffices for opening RAW sockets. We use the same for the ping binary too. It should work out of the box. If it doesnt, we can adjust the pinger code. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11 Sep 11 Sep

14:29

New subject: [Bug 891268] AUDIT-0: VUL-1: CVE-2014-0486: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c9 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|AUDIT-0: server:proxy/squid |AUDIT-0: VUL-1: |permissions and setbadness |CVE-2014-0486: |handling |server:proxy/squid | |permissions and setbadness | |handling Alias| |CVE-2014-0486 --- Comment #9 from Marcus Meissner 2014-09-11 14:29:16 UTC --- CVE-2014-0486 was assigned to pinger issue apparently. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

22:00

New subject: [Bug 891268] AUDIT-0: VUL-1: CVE-2014-0486: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c10 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P4 - Low --- Comment #10 from Swamp Workflow Management 2014-09-11 22:00:11 UTC --- bugbot adjusting priority -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12 Sep 12 Sep

13:08

New subject: [Bug 891268] AUDIT-0: VUL-1: CVE-2014-0486: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c11 --- Comment #11 from Marcus Meissner 2014-09-12 13:08:46 UTC --- sebastian, did you email the squid people? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:15

New subject: [Bug 891268] AUDIT-0: VUL-1: CVE-2014-0486: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c12 SMASH SMASH changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| | maint:planned:update --- Comment #12 from SMASH SMASH 2014-09-12 13:15:14 UTC --- Affected packages: SLE-11-SP3: squid3 SLE-11-SP3-PRODUCTS: squid3 SLE-11-SP3-UPTU: squid3 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13 Sep 13 Sep

15:26

New subject: [Bug 891268] AUDIT-0: VUL-1: CVE-2014-0486: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c13 Amos Jeffries changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |squid3@treenet.co.nz --- Comment #13 from Amos Jeffries 2014-09-13 15:26:20 UTC --- Squid mail server is down at present so official line of contact is cut. But I (upstream) am aware of this from reading this bug report anyway, so upstream patch and release fixing the array access segfault will be published over the next few days. CVE-2014-0486 appears to have been assigned to unrelated software judging by the Debian security team records for it. Am getting that checked. The last advisory we were allocated was in the 36nn range, so I expect this will be something higher. A patch implementing the cap_net_raw permission is greatly appreciated. It can be linked here or mailed to me directly. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

16 Sep 16 Sep

05:15

New subject: [Bug 891268] AUDIT-0: VUL-1: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c14 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|AUDIT-0: VUL-1: |AUDIT-0: VUL-1: |CVE-2014-0486: |server:proxy/squid |server:proxy/squid |permissions and setbadness |permissions and setbadness |handling |handling | Alias|CVE-2014-0486 | --- Comment #14 from Marcus Meissner 2014-09-16 05:15:21 UTC --- The CVE was incorrectly used here, another CVE is needed for squid/pinger dos. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

07:16

New subject: [Bug 891268] AUDIT-0: VUL-1: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c15 --- Comment #15 from Sebastian Krahmer 2014-09-16 07:16:50 UTC --- For me the code looks like it could run with cap_net_raw as is. The setgid/setuid wont fail if its running non-suid and automatically drops gid/uid in case its made +s. If you experiance that there are other problems with the caps, I am happy to provide a patch. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

08:38

New subject: [Bug 891268] AUDIT-0: VUL-1: server:proxy/squid permissions and setbadness handling

https://bugzilla.novell.com/show_bug.cgi?id=891268 https://bugzilla.novell.com/show_bug.cgi?id=891268#c16 --- Comment #16 from Boris Manojlovic 2014-09-16 08:38:26 UTC --- Created an attachment (id=606482) --> (http://bugzilla.novell.com/attachment.cgi?id=606482) icmp pinger DOS patch updated to compile on 3.4.7 Fixed patch for ICMP DOS, function prototype for forgotten - fixed -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.