public inbox for gentoo-project@lists.gentoo.org
* [gentoo-project] gentoo security and packages.gentoo.org
From: Arturo Garcia @ 2007-09-23 18:52 UTC
  To: gentoo-project

Hi all,

  I have been after Tavis from gentoo-security (taviso@gentoo.org) because he 
needs to check packages.gentoo.org.  After he checks it, packages.gentoo.org 
can come back to life (given that he gives the thumbs up).

  The thing is that I haven't been able to contact him, nor anyone from 
gentoo-security for over a week (I have written to security@gentoo.org and 
the M-L).  We are in a deadlock situation at the moment because infra has 
requested them to check the site (they have provided taviso with details and 
a live setup), and unless it is checked it won't be put live.

  If security@gentoo.org doesn't have any devs available, or if it is not 
happening any time soon, I think we need to take another course of action, and I 
am requesting either:

- security@gentoo.org comes back to us on this issue or;
- Someone else (or another herd) takes a step forward and gets involved so we 
can bring the site back.

  The bug number is http://bugs.gentoo.org/show_bug.cgi?id=187971

  Thanks a lot,

  Arturo.

-- 
gentoo-project@gentoo.org mailing list




* [gentoo-project]  Re: gentoo security and packages.gentoo.org
From: Steve Long @ 2007-09-24 13:08 UTC
  To: gentoo-project

Arturo Garcia wrote:
>   The thing is that I haven't been able to contact him, nor anyone from
> gentoo-security for over a week (I have written to security@gentoo.org and
> the M-L).  We are in a deadlock situation at the moment because infra has
> requested them to check the site (they have provided taviso with details
> and a live setup), and unless it is checked it won't be put live.
>
According to: http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml
taviso has "sporadic internet access for a while." As such you're unlikely
to find him on IRC, and his response to mailing-lists and the like is
probably not going to be the best. Given that he's probably starting
college or University as well, I doubt that he has much time to spare.

From the bug:
> My first impression: absolutely necessary to rework the whole service.
> There are INSERT statements which do not refer to column names but to the
> sequence columns were created (INSERT INTO table Values(...)). The CREATE
> TABLE scripts miss columns (is_masked and prevarch) and primary keys as
> well as joins are (based on) VARCHARs. I'll write a sort of report and 
> host it somewhere on the mirror (including patch impact analysis) so maybe
> the code maintainer has a point to start from.
>
This is now all transparent public knowledge. As such no security team worth
their salt are going to leave these holes open. Remember that all the code
mentioned above has been freely available for several years.

If you have the comprehensive report mentioned, please post it to the bug. A
patch to implement the fixes you found, would make the _audit_ process even
quicker.





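The bug comment quoted above (and re-quoted in the reply that follows) objects to INSERT statements that rely on the order in which columns were created, and to CREATE TABLE scripts that lack columns such as is_masked. The following is an added illustration, not code from the packages.gentoo.org scripts or from the bug: it shows what happens to a positional INSERT when the deployed table gains a column or is recreated with a different column order, beside the named-column form that survives both. The table name, the row contents and every column name other than is_masked are assumptions made for the demonstration.

```python
"""Added illustration (not code from the packages.gentoo.org scripts or the
bug): positional INSERTs break silently or loudly when a table's column list
drifts; naming the columns avoids both failure modes.  Table name, row data
and all column names except ``is_masked`` are invented for this demo."""
import sqlite3

# Constructed sample row for a hypothetical package table (assumption).
ROW = ("app-editors/vim", "7.1", "x86")


def positional_insert(conn):
    """The pattern the bug comment criticises: values matched by position."""
    conn.execute("INSERT INTO packages VALUES (?, ?, ?)", ROW)


def named_insert(conn):
    """Hardened form: each value is bound to an explicitly named column."""
    conn.execute(
        "INSERT INTO packages (name, version, arch) VALUES (?, ?, ?)", ROW
    )


def try_insert(schema, insert):
    """Run one INSERT against a fresh in-memory table built from ``schema``.

    Returns ("error", message) if SQLite rejects the statement, otherwise
    ("ok", (name, version, arch)) as read back from the table.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(schema)
    try:
        insert(conn)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    row = conn.execute("SELECT name, version, arch FROM packages").fetchone()
    return ("ok", row)


# Schema the cron script was written against (assumption).
ORIGINAL = "CREATE TABLE packages (name TEXT, version TEXT, arch TEXT)"

# Same table after a column was added, using the is_masked name from the bug.
# A 3-value positional INSERT now fails with "4 columns but 3 values".
WITH_IS_MASKED = (
    "CREATE TABLE packages (name TEXT, version TEXT, arch TEXT, "
    "is_masked INTEGER NOT NULL DEFAULT 0)"
)

# Table recreated with the same columns in a different order: the worst
# case, because the positional INSERT succeeds and stores version and arch
# in each other's columns without any error.
REORDERED = "CREATE TABLE packages (name TEXT, arch TEXT, version TEXT)"

SCHEMAS = [
    ("original", ORIGINAL),
    ("is_masked", WITH_IS_MASKED),
    ("reordered", REORDERED),
]


def demo():
    """Exercise both INSERT styles against each schema variant."""
    results = {}
    for label, schema in SCHEMAS:
        results[(label, "positional")] = try_insert(schema, positional_insert)
        results[(label, "named")] = try_insert(schema, named_insert)
    return results


if __name__ == "__main__":
    for (label, style), outcome in sorted(demo().items()):
        print(f"{label:10s} {style:10s} -> {outcome}")
```

The reordered case is the one worth remembering: the database accepts the row, so nothing in the cron job's logs would flag that the version and arch values have been swapped, and the damage only shows up later in whatever reads the table.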

* Re: [gentoo-project]  Re: gentoo security and packages.gentoo.org
From: Arturo Garcia @ 2007-09-24 13:31 UTC
  To: gentoo-project

On Monday 24 Sep 2007, Steve Long wrote:
> Arturo Garcia wrote:
> >   The thing is that I haven't been able to contact him, nor anyone from
> > gentoo-security for over a week (I have written to security@gentoo.org
> > and the M-L).  We are in a deadlock situation at the moment because infra
> > has requested them to check the site (they have provided taviso with
> > details and a live setup), and unless it is checked it won't be put live.
>
> According to: http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml
> taviso has "sporadic internet access for a while." As such you're unlikely
> to find him on IRC, and his response to mailing-lists and the like is
> probably not going to be the best. Given that he's probably starting
> college or University as well, I doubt that he has much time to spare.
That link is new for me...  I will check it in the future.  Thanks a lot.

>
> From the bug:
> > My first impression: absolutely necessary to rework the whole service.
> > There are INSERT statements which do not refer to column names but to the
> > sequence columns were created (INSERT INTO table Values(...)). The CREATE
> > TABLE scripts miss columns (is_masked and prevarch) and primary keys as
> > well as joins are (based on) VARCHARs. I'll write a sort of report and
> > host it somewhere on the mirror (including patch impact analysis) so
> > maybe the code maintainer has a point to start from.
>
> This is now all transparent public knowledge. As such no security team
> worth their salt are going to leave these holes open. Remember that all the
> code mentioned above has been freely available for several years.
This is ridiculous.  We are trying to bring up a service that was brought down 
because of a command-injection vulnerability, and that is the bug we are trying 
to close.  The solution to this problem is what has been required to be 
tested.  Please don't deviate, with arguments, from work that has to be done.

If there are other vulnerabilities found, then they can be put into the 
security report and we can take it from there.  Before making this kind of 
comment I would suggest you get into the source code and you will find out 
that those mentioned vulnerabilities (INSERTS, etc...) are in the cron 
scripts that populate the database.  They will not (though this has to be 
tested) be public-facing via apache from the scripts that raised the bug.

> If you have the comprehensive report mentioned, please post it to the bug.
> A patch to implement the fixes you found, would make the _audit_ process
> even quicker.
I didn't make the post you mention.  They were made by Onkobu and it is pretty 
obvious that the post doesn't go hand in hand with a full security report.  
Hence the 'My first impression'.

My BEST regards,

Arturo.

And... The site hasn't been tested yet guys... Anyone stepping forward?






* [gentoo-project]  Re: Re: gentoo security and packages.gentoo.org
From: Steve Long @ 2007-09-27 15:40 UTC
  To: gentoo-project

Arturo Garcia wrote:
>> This is now all transparent public knowledge. As such no security team
>> worth their salt are going to leave these holes open. Remember that all
>> the code mentioned above has been freely available for several years.
> This is ridiculous.  We are trying to bring up a service that was brought
> down because of a command-injection vulnerability, and that is the bug we
> are trying to close.  The solution to this problem is what has been
> required to be tested.  Please don't deviate, with arguments, from work
> that has to be done.
>
No the point, as I see it, is that a security _audit_ of the code is now
being carried out. Not a fix to one bug. That's why it would be great if
the report were submitted. Or do you think it wise to bring the service
back up with known flaws?

I didn't write the lines about the whole service needing reworking either.
I'm just trying to explain why I think the process is being carried out
properly.






* Re: [gentoo-project] gentoo security and packages.gentoo.org
From: Arturo Garcia @ 2007-09-28  7:02 UTC
  To: gentoo-project

On Thursday 27 Sep 2007, Steve Long wrote:
> No the point, as I see it, is that a security _audit_ of the code is now
> being carried out. Not a fix to one bug. 
As I said, fine with me, but *do* it and then close the bug.  Open new ones, 
assign them and link them to the original bug if you wish.  We act on them 
and we close them as well.

> That's why it would be great if the report were submitted. Or do you think
> it wise to bring the service back up with known flaws?
What report?!? Onkobu offered help in auditing any future patches if anybody 
required so. Nothing more. Unfortunately, he got angry (no wonder) and pulled 
out. Maybe he is now running another distro... I haven't been in touch with 
him.

Regarding the flaws, as I said, look at the code and find out for yourself.  As 
far as I know, Tavis *has* reviewed the patch and the code.  All that is 
outstanding is for the site to be tested.  If he opens new bugs, then we will 
patch and close them.

> I didn't write the lines about the whole service needing reworking either.
> I'm just trying to explain why I think the process is being carried out
> properly.
?_? again.  I don't understand what you are trying to say?!?  I don't see the 
correlation between this and your (or my) first post. Sorry.

As a summary, the next step now is for security@gentoo.org to do their work (as 
Infra has *repeatedly* said and requested).  If someone can poke them to do 
so please, it will be highly appreciated.  If they audit, test, or jump on 
one foot while holding raw eggs on their head I don't care. It's their job. 
But please test and come back to us.  Thanks.

A.




* [gentoo-project]  Re: gentoo security and packages.gentoo.org
From: Steve Long @ 2007-09-30  7:22 UTC
  To: gentoo-project

Arturo Garcia wrote:

> On Thursday 27 Sep 2007, Steve Long wrote:
>> No the point, as I see it, is that a security _audit_ of the code is now
>> being carried out. Not a fix to one bug.
> As I said, fine with me, but *do* it and then close the bug.  Open new
> ones, assign them and link them to the original bug if you wish.  We act
> on them and we close them as well.
>
Er the point was that the audit *is* being carried out as we speak. How long
it takes depends on 1) how much time taviso has spare and 2) how much real
help he gets with it.

We're getting a bit mixed up in terms of what is tracked as a bug on
bugzilla and the actual initial problem (the command injection.) While the
bug on bugzilla is about the injection problem, I personally wouldn't close
it til the audit has been completed and the service is back on-line.

>> That's why it would be great if the report were submitted. Or do you
>> think it wise to bring the service back up with known flaws?
> What report?!? Onkobu offered help in auditing any future patches if
> anybody required so. Nothing more. Unfortunately, he got angry (no wonder)
> and pulled out. Maybe he is now running another distro... I haven't been
> in touch with him.
>
Well it read more like there were other flaws which he had spotted (in the
bit I quoted at least.) So: /that/ report of all the flaws you or anyone
else can find. If you've found the flaw you should know how to fix it, so
attach a patch.

> Regarding the flaws, as I said, look at the code and find for yourself. 
Er why should I? I'm not a dev, nor am I that bothered. You on the other
hand seem quite concerned about this, yet reluctant to do anything.

> As far as I know, Tavis *has* reviewed the patch and the code.  All what
> is outstanding is for the site to be tested.  If he opens new bugs, then
> we will patch and close them.
>
One patch to one flaw, when you concede that there are others. Fine, if it's
been patched then close it and make a tracker for other flaws: it won't
lead to the service being back quicker, in fact it'll probably take longer
since additional bugs would be filed. To my mind, once he's found another
flaw, it's a lot less time to fix it: why then would it be useful to file a
bug about it?

>> I didn't write the lines about the whole service needing reworking
>> either. I'm just trying to explain why I think the process is being
>> carried out properly.
> ?_? again.  I don't understand what are you trying to say?!?  I don't see
> the correlation between this and your (or my) first post. Sorry.
>
OK. My point is, and was, that an audit covers the whole codebase. IOW he
literally has to scan every single line. This process is being carried out
properly IMO, since to only patch one flaw and put the service back on-line
would be irresponsible at best.

> As a summary, the next step now is for security@gentoo.org to do their work
> (as Infra has *repeatedly* said and requested).  If someone can poke them 
> to do so please, it will be highly appreciated.  If they audit, test, or 
> jump on one foot while holding raw eggs on their head I don't care. It's 
> their job.
Er they're not paid for it, so it's not a job in the sense that you imply.
How exactly do you want "them" to be poked? As stated there's only one dev
assigned to it and he's busy starting Uni. While I agree this is
unfortunate, I imagine there simply aren't that many security devs.

> But please test and come back to us.  Thanks.
> 
FWIW I totally agree that p.g.o should be back online as a matter of
priority. If you want that done, help with the audit: get a report together
of all the flaws (and fixes) that you can find. If not, stop whinging that
no one else is doing it (and more importantly stop telling me to do it),
when a volunteer has already been assigned. It'll take him as long as it
takes him.
"With Free software you either do, or you wait." Pick one.




