Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 24 Jan 2013 17:53:38 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/23/2013 09:25 AM, Jan Lieskovsky wrote:
Hello vendors,

just FYI notification that haproxy upstream has recently corrected
[2] improper dropping of supplementary groups [1] after setuid /
setgid calls.

We have further investigated this issue and have reasons to believe
that by itself this is NOT a security issue (another flaw would
need to be found in haproxy this to be actually possible to use for
something interesting).

For now we are considering this fix to be a preventive measure /
security hardening (but took the time to notify you explicitly
about this as you might still want to backport it into affected
versions).

Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
Security Response Team

P.S.: [1] https://bugzilla.redhat.com/show_bug.cgi?id=894626 [2]
http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3


So to be clear: haproxy fails to properly drop group privileges. Why
isn't this classified as a security vulnerability?

Well there is no way to exploit this that we're aware of, if you know
a way to exploit this please let us know.

What would make this a security vulnerability? Let's say for example
haproxy had an option to read or write to a file and did this with the
privileges it failed to drop (granting the attacker privilege
escalation) then it would be a security vulnerability.

So again, if you know of a way to exploit this please let us know,
otherwise we will continue to consider this a security hardening issue
and not a security vulnerability.

So as for this tweet:

"@chort0 http://seclists.org/oss-sec/2013/q1/174 … I didn't know about
that claim -- I guess it explains why such great effort was made to
not call it a vuln"

I wasn't aware of this claim by haproxy and to be honest I don't care.
I assigned something like 1,600 CVE's last year, trust me, I'm not
afraid to annoy people by assigning CVEs that might embarrass them.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRAdeSAAoJEBYNRVNeJnmTzUAQAJ8zJnXdcC65GcXgKw8niVag
g394V6cIYIxXQ299eJLENKXPM64sqL/WEt8JrdIOQwaU9xntxVp9Z7JT5wKmgbLa
HICqLd9pHKfrlZngbId/61uc3P+u6BtIq3fUZfBNMePfUm+Rk18DHNerqZSXZZ9t
epFz2E/T5RCN+SOzH1ov6WGqB02+aY2JuoWDICYdFX8iDiMA0ZJI4pPCMhX9maNE
dLwiP1RtmHP2WbBmFZKC9faGgIsOFAoMLdJ2d0qMzQV1QgUNNkUYsFQe+PoeJNjY
NGfDoFbezZurJvfbfRYmva0Ze/JVfUsTEwSm7OwnTpNvKNZv7N+G8aAvQap5taVH
8JreDNp0YC4ByuNzRzKtR2iuKxu2ILSYhr1xtzt8uQhERmZvMol/Z6jvBhAJgRZK
J9WP0xXE8476XDCvo7KQafTEBESApEBkcMXL3DDunyQPNbquzG5lk+RV71I1HsJZ
TJg+CLgOEllVD2+CXjF6yuvRlnZRLiBCa0H81YuvmzgKFX4uMYJxBTjI9TnklnNN
MNZQ9o2sQaHj36mNl3/kJftBtveRCDZSmVXhwls8eBp0ysN4mkdycRyTMOITSywu
OJIaKcFe7NtflqWU9sZFgchMsMO0WUlVTOK1Jm896/aJs+nNM9Z4/STceFGvsZmq
W40gi3vx3MUWF0Rbp1i7
=77BF
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault