| 1 |
On Monday 24 Sep 2007, Steve Long wrote: |
| 2 |
> Arturo Garcia wrote: |
| 3 |
> > The thing is that I haven't been able to contact him, nor anyone from |
| 4 |
> > gentoo-security for over a week (I have written to security@g.o |
| 5 |
> > and the M-L). We are in a deadlock situation at the moment because infra |
| 6 |
> > has requested them to check the site (they have provided taviso with |
| 7 |
> > details and a live setup), and unless it is checked it won't be put live. |
| 8 |
> |
| 9 |
> According to: http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml |
| 10 |
> taviso has "sporadic internet access for a while." As such you're unlikely |
| 11 |
> to find him on IRC, and his response to mailing-lists and the like is |
| 12 |
> probably not going to be the best. Given that he's probably starting |
| 13 |
> college or University as well, I doubt that he has much time to spare. |
| 14 |
That link is new for me... I will check it in the future. Thanks a lot. |
| 15 |
|
| 16 |
> |
| 17 |
> From the bug: |
| 18 |
> > My first impression: absolutely necessary to rework the whole service. |
| 19 |
> > There are INSERT statements which do not refer to column names but to the |
| 20 |
> > sequence columns were created (INSERT INTO table Values(...)). The CREATE |
| 21 |
> > TABLE scripts miss columns (is_masked and prevarch) and primary keys as |
| 22 |
> > well as joins are (based on) VARCHARs. I'll write a sort of report and |
| 23 |
> > host it somewhere on the mirror (including patch impact analysis) so |
| 24 |
> > maybe the code maintainer has a point to start from. |
| 25 |
> |
| 26 |
> This is now all transparent public knowledge. As such no security team |
| 27 |
> worth their salt are going to leave these holes open. Remember that all the |
| 28 |
> code mentioned above has been freely available for several years. |
| 29 |
This is ridiculous. We are trying to bring up a service that was brought down |
| 30 |
because a command-injection vulnerability, and that is the bug we are trying |
| 31 |
to close. The solution to this problem is what has been required to be |
| 32 |
tested. Please don't deviate with arguments work that has to be done. |
| 33 |
|
| 34 |
If there are other vulnerabilities found, then they can be put into the |
| 35 |
security report and we can take it from there. Before making this kind of |
| 36 |
comments I would suggest you get into the source code and you will find out |
| 37 |
that those mentioned vulnerabilities (INSERTS, etc...) are in the cron |
| 38 |
scripts that populate the database. They will not (though this has to be |
| 39 |
tested) be public-facing via apache from the scripts that raised the bug. |
| 40 |
|
| 41 |
> If you have the comprehensive report mentioned, please post it to the bug. |
| 42 |
> A patch to implement the fixes you found, would make the _audit_ process |
| 43 |
> even quicker. |
| 44 |
I didn't make the post you mention. They were made by Onkobu and it is pretty |
| 45 |
obvious that the post doesn't go hand-by-hand with a full security report. |
| 46 |
Hence the 'My first impression'. |
| 47 |
|
| 48 |
My BEST regards, |
| 49 |
|
| 50 |
Arturo. |
| 51 |
|
| 52 |
And... The site hasn't been tested yet guys... Anyone stepping forward? |
| 53 |
|
| 54 |
|
| 55 |
-- |
| 56 |
gentoo-project@g.o mailing list |
Archives