Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-project
Navigation:
Lists: gentoo-project: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-project@g.o
From: Arturo Garcia <arturo.g.arturo@...>
Subject: Re: Re: gentoo security and packages.gentoo.org
Date: Mon, 24 Sep 2007 15:31:21 +0200
On Monday 24 Sep 2007, Steve Long wrote:
> Arturo Garcia wrote:
> >   The thing is that I haven't been able to contact him, nor anyone from
> > gentoo-security for over a week (I have written to security@g.o
> > and the M-L).  We are in a deadlock situation at the moment because infra
> > has requested them to check the site (they have provided taviso with
> > details and a live setup), and unless it is checked it won't be put live.
>
> According to: http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml
> taviso has "sporadic internet access for a while." As such you're unlikely
> to find him on IRC, and his response to mailing-lists and the like is
> probably not going to be the best. Given that he's probably starting
> college or University as well, I doubt that he has much time to spare.
That link is new for me...  I will check it in the future.  Thanks a lot.

>
> From the bug:
> > My first impression: absolutely necessary to rework the whole service.
> > There are INSERT statements which do not refer to column names but to the
> > sequence columns were created (INSERT INTO table Values(...)). The CREATE
> > TABLE scripts miss columns (is_masked and prevarch) and primary keys as
> > well as joins are (based on) VARCHARs. I'll write a sort of report and
> > host it somewhere on the mirror (including patch impact analysis) so
> > maybe the code maintainer has a point to start from.
>
> This is now all transparent public knowledge. As such no security team
> worth their salt are going to leave these holes open. Remember that all the
> code mentioned above has been freely available for several years.
This is ridiculous.  We are trying to bring up a service that was brought down 
because a command-injection vulnerability, and that is the bug we are trying 
to close.  The solution to this problem is what has been required to be 
tested.  Please don't deviate with arguments work that has to be done.

If there are other vulnerabilities found, then they can be put into the 
security report and we can take it from there.  Before making this kind of 
comments I would suggest you get into the source code and you will find out 
that those mentioned vulnerabilities (INSERTS, etc...) are in the cron 
scripts that populate the database.  They will not (though this has to be 
tested) be public-facing via apache from the scripts that raised the bug.

> If you have the comprehensive report mentioned, please post it to the bug.
> A patch to implement the fixes you found, would make the _audit_ process
> even quicker.
I didn't make the post you mention.  They were made by Onkobu and it is pretty 
obvious that the post doesn't go hand-by-hand with a full security report.  
Hence the 'My first impression'.

My BEST regards,

Arturo.

And... The site hasn't been tested yet guys... Anyone stepping forward?


-- 
gentoo-project@g.o mailing list


Replies:
Re: Re: gentoo security and packages.gentoo.org
-- Steve Long
References:
gentoo security and packages.gentoo.org
-- Arturo Garcia
Re: gentoo security and packages.gentoo.org
-- Steve Long
Navigation:
Lists: gentoo-project: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: gentoo security and packages.gentoo.org
Next by thread:
Re: Re: gentoo security and packages.gentoo.org
Previous by date:
Re: gentoo security and packages.gentoo.org
Next by date:
Re: Re: gentoo security and packages.gentoo.org


Updated Jun 17, 2009

Summary: Archive of the gentoo-project mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.