Bug#606563: mumble-server: affected by privilege escalation vulnerability in logrotate

Patrick Matthäi pmatthaei at debian.org
Fri Dec 10 08:16:20 UTC 2010

Am 10.12.2010 03:10, schrieb Florian Zumbiehl:
> Package: mumble-server
> Version: 1.1.8-2
> Severity: grave
> Justification: privilege escalation vulnerability
> Tags: security
> There was a privilege escalation vulnerability in logrotate that I reported
> about four years ago and which finally got fixed in testing rouhgly one
> year ago (see bug #388608). In lenny this vulnerability still exists and
> logrotate's maintainer doesn't seem to be interested in fixing it,
> given that nothing of substance has happened since when I last notified him
> of the problem about two weeks ago.

 From your link it does not look very critical (no proof etc)
Also you could contact the release team, if you think, that the 
maintainer does not do the necessary steps.

> As a proof of concept, I did successfully use it to elevate my privileges
> from the postgres user to root. As it affects packages where the log
> directory is writable for the package's system user, I based this mass
> filing on a rough analysis of maintainer scripts, avoiding the effort
> of actually installing and testing each individual package.
> These lines from this package's maintainer scripts suggest that it likely
> is affected by the vulnerability:
> ---------------------------------------------------------------------------
> chmod 0750 /var/log/mumble-server
> chown mumble-server:adm /var/log/mumble-server
> ---------------------------------------------------------------------------

As minimal as needed..

> Please note that the analysis this mass filing is based on also is
> roughly a year old, and anyhow I don't recall which debian suite I based
> it on at that time--as such, this report may be against the wrong version
> and otherwise outdated in some details. Given how much effort I have
> already needlessly put into this, I hope you have some understanding
> for me not polishing this bug report.
> Primarily I am filing this bug in order to allow the maintainers of
> packages using logrotate to work around logrotate if they deem that
> necessary.

 From your thread on -qa I am reading, that we all (every maintainers 
who is "affected" by this) should apply a patch to the stable and 
squeeze release? And this patch would add, that log messages may get lost?
a) that is a no-go
b) logrotate has to be fixed then, not ~ 53 packages workarounded

So I intent to close the three RC bugs I get from you about it, but I 
think it is a good idea to ask debian-release.

> http://lists.debian.org/debian-qa/2010/11/msg00024.html

More information about the Pkg-voip-maintainers mailing list