mailing list archives
Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 24 Jan 2013 17:53:38 -0700
-----BEGIN PGP SIGNED MESSAGE-----
On 01/23/2013 09:25 AM, Jan Lieskovsky wrote:
just FYI notification that haproxy upstream has recently corrected
 improper dropping of supplementary groups  after setuid /
We have further investigated this issue and have reasons to believe
that by itself this is NOT a security issue (another flaw would
need to be found in haproxy this to be actually possible to use for
For now we are considering this fix to be a preventive measure /
security hardening (but took the time to notify you explicitly
about this as you might still want to backport it into affected
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
Security Response Team
P.S.:  https://bugzilla.redhat.com/show_bug.cgi?id=894626 
So to be clear: haproxy fails to properly drop group privileges. Why
isn't this classified as a security vulnerability?
Well there is no way to exploit this that we're aware of, if you know
a way to exploit this please let us know.
What would make this a security vulnerability? Let's say for example
haproxy had an option to read or write to a file and did this with the
privileges it failed to drop (granting the attacker privilege
escalation) then it would be a security vulnerability.
So again, if you know of a way to exploit this please let us know,
otherwise we will continue to consider this a security hardening issue
and not a security vulnerability.
So as for this tweet:
"@chort0 http://seclists.org/oss-sec/2013/q1/174 … I didn't know about
that claim -- I guess it explains why such great effort was made to
not call it a vuln"
I wasn't aware of this claim by haproxy and to be honest I don't care.
I assigned something like 1,600 CVE's last year, trust me, I'm not
afraid to annoy people by assigning CVEs that might embarrass them.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
-----END PGP SIGNATURE-----