Message-ID: <email address hidden>
Date: Fri, 7 Oct 2005 10:25:00 +0200
From: Loïc Minier <email address hidden>
To: Paul Szabo <email address hidden>, <email address hidden>,
Debian Security Team <email address hidden>
Subject: Re: gnome-pty-helper foo
Hi,
On Fri, Oct 07, 2005, Martin Schulze wrote:
> Could somebody explain the security implication for me?
You can record in the utmp/wtmp logs something which is wrong, for
example that a user is currently connected to a display while he
isn't. I'm not the one to argue with though.
> being able to write arbitrary strings into valid records without
> overwriting any other data in utmp/wtmp can hardly be classified
> as a security vulnerability.
I have no idea, I'll let you judge of such things. Since
gnome-pty-helper seemed to have some special permission to write to
utmp (because it is sgid), I took the problem seriously. Whether this
issue is to be considered a security vulnerability or not, I couldn't
tell for sure, and in doubt I selected security, but I agree that it's
a minor issue anyway.
> (Apart from that, I'm only slightly annoyed as I had to learn about
> this via MITRE / GNOME Bugzilla instead of a mail from the maintainer
> to the security team?)
For my defense (as I am the one who followed more or less this bug),
I'd claim that a/ this was reported against a GNOME 1 package (and it
was later discovered that the GNOME 2 package is affected too) which
was in the process of being orphaned, b/ this seemed like a very minor
issue, c/ I thought you were tracking "tags + security" bugs, and d/ I
didn't want to start bothering the security team for an issue not
discussed with upstream and without any patch. Of course, there's also
e/ I don't have any security background or training, but that's
obvious.
My usual way of handling sec bugs is i/ tag the bug security,
connect the relevant CVE ids, upstream bugs, available patches, ii/
talk with upstream, check the affected versions, check the patch causes
no regression, check the patch applies everywhere, check the patch
fixes the issue iii/ propose a diff to the security team.
I now realize I should have contacted the security team quite
immediately, and will do so in the future.
I have more important things to track right now than this
vulnerability, and I didn't have any response from upstream yet.
Cheers,
--
Loïc Minier <email address hidden>
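The concern in the thread is a setgid helper writing a utmp record that claims a session which does not exist. As an added example (not code from the thread, from gnome-pty-helper or from Debian), here is a defender-side audit that parses a utmp image and flags USER_PROCESS records no live session can account for. It assumes the glibc x86_64 struct utmp layout (384-byte records, 32-bit time fields) and takes the "is this pid alive" and "who owns this line" lookups as injected callables, so it runs offline on a constructed image; on a real host those would wrap os.kill(pid, 0) and os.stat("/dev/" + line). All sample records and pids below are constructed.

```python
"""Audit utmp records for logins that no live session backs up (added example)."""
import struct
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: glibc struct utmp on x86_64 as documented in utmp(5):
# short ut_type; pad; pid_t ut_pid; char ut_line[32]; char ut_id[4];
# char ut_user[32]; char ut_host[256]; struct exit_status (2 shorts);
# int32 ut_session; int32 tv_sec, tv_usec; int32 ut_addr_v6[4]; char unused[20].
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes per record
USER_PROCESS = 7
DEAD_PROCESS = 8


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data: bytes) -> List[Dict]:
    """Split a utmp/wtmp byte image into one dict per fixed-size record."""
    if len(data) % UTMP_SIZE:
        raise ValueError("utmp image is not a multiple of the record size")
    entries = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        entries.append({"type": ut_type, "pid": pid, "line": _cstr(line),
                        "id": _cstr(ut_id), "user": _cstr(user),
                        "host": _cstr(host), "time": tv_sec})
    return entries


def pack_utmp(ut_type: int, pid: int, line: str, ut_id: str,
              user: str, host: str, tv_sec: int) -> bytes:
    """Build one record in memory; used only to construct the sample image."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0)


def audit_utmp(entries: List[Dict],
               pid_alive: Callable[[int], bool],
               line_owner: Callable[[str], Optional[str]]
               ) -> List[Tuple[str, str, str]]:
    """Return (user, line, reason) for every USER_PROCESS record that is
    inconsistent with the running system: dead pid, missing tty line,
    line owned by someone else, or unprintable bytes in the host field."""
    findings = []
    for e in entries:
        if e["type"] != USER_PROCESS:
            continue
        reasons = []
        if not pid_alive(e["pid"]):
            reasons.append("pid not running")
        owner = line_owner(e["line"])
        if owner is None:
            reasons.append("line does not exist")
        elif owner != e["user"]:
            reasons.append(f"line owned by {owner}, not {e['user']}")
        if any(not c.isprintable() for c in e["host"]):
            reasons.append("non-printable bytes in host field")
        findings.extend((e["user"], e["line"], r) for r in reasons)
    return findings


# Constructed sample image: one genuine session, one record claiming a
# display session on a line that does not exist, one record whose process
# is gone, and one already-closed (DEAD_PROCESS) entry that is ignored.
SAMPLE_IMAGE = (
    pack_utmp(USER_PROCESS, 1234, "pts/0", "ts/0", "alice", "", 1128673500)
    + pack_utmp(USER_PROCESS, 4242, "pts/9", "ts/9", "alice", ":0", 1128673500)
    + pack_utmp(USER_PROCESS, 5150, "pts/1", "ts/1", "bob", "", 1128670000)
    + pack_utmp(DEAD_PROCESS, 777, "pts/2", "ts/2", "carol", "", 1128660000)
)
KNOWN_PIDS = {1234, 4242}                        # constructed "live" pids
LINE_OWNERS = {"pts/0": "alice", "pts/1": "bob"}  # constructed /dev ownership


def demo() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed image."""
    return audit_utmp(parse_utmp(SAMPLE_IMAGE),
                      KNOWN_PIDS.__contains__, LINE_OWNERS.get)


if __name__ == "__main__":
    for user, line, reason in demo():
        print(f"{user}@{line}: {reason}")
```

The check is deliberately read-only: it consumes whatever image it is given (a copy of /var/run/utmp or /var/log/wtmp) and never touches the accounting files, so it can run from a cron job under an unprivileged account that merely has read access to them.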