[Pkg-clamav-devel] Bug#606543: clamav-freshclam: affected by privilege escalation vulnerability in logrotate

Michael Tautschnig mt at debian.org
Fri Dec 10 08:43:04 UTC 2010 

(CC'ed debian-devel as this was a not-so-well coordinated MBF without
announcement to debian-devel, dd-list, usertags; so maybe at least further
discussion can happen there)

Hi Florian,

[...]
> 
> These lines from this package's maintainer scripts suggest that it likely
> is affected by the vulnerability:
> 
> ---------------------------------------------------------------------------
> chmod 640 $FRESHCLAMLOGFILE
> chown "$dbowner":adm $FRESHCLAMLOGFILE
> ---------------------------------------------------------------------------
> 

What is wrong about these two lines? And even from ...

[...]

> For some further details please see my announcement of this mass
> filing on debian-qa:
> 
> http://lists.debian.org/debian-qa/2010/11/msg00024.html
> 
[...]

... I don't quite understand why this would be problem specific to one of the
packages you did the MBF for. If I get the idea of your exploit right, you
replace the log file by a symlink to a root-owned file, and in some mysterious
way you then seem to be able to overwrite the root-owned file. Well, it will
suffice for the evil person to be in adm group, you don't need to be $package
user for doing that.

But ok, you don't even claim there's a specific bug in our package, it's all
logrotate's fault. Assuming clamav uses logrotate in a sane way (I wouldn't no
of anyone claiming it does not), what should we do? Drop log rotation? Cool,
thanks, then the security-tagged bug report against clamav is actually justified
because it'll soon fill up your disk, possibly resulting in a DoS. Come up with
it's own cron-job for log rotation? No, thank you.

At present, the only thing I'd plan to do is to either reassign this bug to
logrotate or simply close it.

Best regards,
Michael

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20101210/2a491431/attachment-0001.pgp>

More information about the Pkg-clamav-devel mailing list