On Monday 24 Sep 2007, Steve Long wrote:
> Arturo Garcia wrote:
> > The thing is that I haven't been able to contact him, nor anyone from
> > gentoo-security for over a week (I have written to security@g.o
> > and the M-L). We are in a deadlock situation at the moment because infra
> > has requested them to check the site (they have provided taviso with
> > details and a live setup), and unless it is checked it won't be put live.
>
> According to: http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml
> taviso has "sporadic internet access for a while." As such you're unlikely
> to find him on IRC, and his response to mailing-lists and the like is
> probably not going to be the best. Given that he's probably starting
> college or University as well, I doubt that he has much time to spare.
That link is new for me... I will check it in the future. Thanks a lot.

>
> From the bug:
> > My first impression: absolutely necessary to rework the whole service.
> > There are INSERT statements which do not refer to column names but to the
> > sequence columns were created (INSERT INTO table Values(...)). The CREATE
> > TABLE scripts miss columns (is_masked and prevarch) and primary keys as
> > well as joins are (based on) VARCHARs. I'll write a sort of report and
> > host it somewhere on the mirror (including patch impact analysis) so
> > maybe the code maintainer has a point to start from.
>
> This is now all transparent public knowledge. As such no security team
> worth their salt are going to leave these holes open. Remember that all the
> code mentioned above has been freely available for several years.
This is ridiculous. We are trying to bring up a service that was brought down
because of a command-injection vulnerability, and that is the bug we are trying
to close. The solution to this problem is what has been required to be
tested. Please don't deviate with arguments about work that has to be done.

If there are other vulnerabilities found, then they can be put into the
security report and we can take it from there. Before making this kind of
comment I would suggest you get into the source code and you will find out
that those mentioned vulnerabilities (INSERTs, etc...) are in the cron
scripts that populate the database. They will not (though this has to be
tested) be public-facing via apache from the scripts that raised the bug.

> If you have the comprehensive report mentioned, please post it to the bug.
> A patch to implement the fixes you found, would make the _audit_ process
> even quicker.
I didn't make the post you mention. They were made by Onkobu and it is pretty
obvious that the post doesn't go hand in hand with a full security report.
Hence the 'My first impression'.

My BEST regards,

Arturo.

And... The site hasn't been tested yet guys... Anyone stepping forward?


--
gentoo-project@g.o mailing list