Bug 915412 (CVE-2013-0345)

Summary: CVE-2013-0345 varnish: world-readable log files
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: ingvar
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-05-12 22:26:59 UTC
Bug Depends On: 915413, 915414

Description Vincent Danen 2013-02-25 17:16:15 UTC
Agostino Sarubbo reported on the oss-security mailing list [1] that, on Gentoo, /var/log/varnish is world-accessible and the log files inside the directory are world-readable.  This could allow an unprivileged user to read the log files.

Checking on Fedora and EPEL, /var/log/varnish is provided with 0755 permissions.  These should be reduced to 0700 permissions, like /var/log/httpd.

[1] http://www.openwall.com/lists/oss-security/2013/02/22/14
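
The permission change discussed in the description, as an added example that is not part of the bug report or of the varnish packaging: a POSIX shell audit showing that a 0755 log directory exposes its 0644 files to every local user, while 0700 on the directory alone closes that access. The function names and the scratch directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a log directory for access
# granted to "other", i.e. local users who are neither owner nor group.

# Print regular files under $1 that "other" can actually read: the file has
# o+r and every directory from $1 down to it has o+x. Directories without
# o+x are pruned, so a 0700 top-level directory yields no output even when
# the files inside are 0644. Assumes the parents of $1 are traversable.
exposed_logs() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print
}

# Report findings for one directory. Returns 0 if clean, 1 if "other" has
# list or search access to it, 2 if $1 is not a directory.
audit_log_dir() {
    dir=$1
    [ -d "$dir" ] || return 2
    rc=0
    if [ -n "$(find "$dir" -prune -perm -004 -print)" ]; then
        echo "LISTABLE   $dir"; rc=1
    fi
    if [ -n "$(find "$dir" -prune -perm -001 -print)" ]; then
        echo "SEARCHABLE $dir"; rc=1
    fi
    exposed_logs "$dir" | sed 's/^/READABLE   /'
    return $rc
}

# Constructed sample: a scratch directory shaped like the packaged layout
# described above (directory 0755, log file 0644). Prints its path.
make_sample_logdir() {
    d=$(mktemp -d) && chmod 0755 "$d" &&
    : > "$d/varnish.log" && chmod 0644 "$d/varnish.log" && echo "$d"
}

sample=$(make_sample_logdir)
echo "before:"; audit_log_dir "$sample" || true
chmod 0700 "$sample"      # the mode proposed in the report
echo "after:";  audit_log_dir "$sample" && echo "clean"
rm -rf "$sample"
```

On a real host the same check is `audit_log_dir /var/log/varnish`, run as a user allowed to read the directory.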

Comment 1 Vincent Danen 2013-02-25 17:18:20 UTC
Created varnish tracking bugs for this issue

Affects: fedora-all [bug 915413]
Affects: epel-all [bug 915414]

Comment 2 Ingvar Hagelund 2013-11-14 13:43:05 UTC
Quoting from #fedora-security on IRC, 2013-11-14

14:29 < ingvarha> Easy "fix" is just to chmod 700 the log directory in 
                  question, like for instance apache httpd does
14:30 < ingvarha> Possible problem is of course if users have log processing 
                  tools that use non-root access to these files
14:30 < ingvarha> Is it OK to just change this in the stable EPEL branches?
14:30 < bress> I wouldn't change this in the stable branch.
14:31 < bress> I'd change it in the next major rev version (f20 or f21, epel7). 
               It's not *that* serious to warrant screwing up a ton of 
               infrastructure.
14:31 < ingvarha> well
14:31 < ingvarha> the ticket is on epel too
14:31 < ingvarha> s/ticket/bug/
14:33 < bress> Right. It's a good hardening measure, but as you said, people 
               are currently expecting certain permissions.
14:34 < ingvarha> Can I quote you on this in the bug? :-)
14:34 < bress> Certainly.
14:36 < ingvarha> So I should just close this as WONTFIX, then?
14:39 < bress> For the older versions. Do fix it in git for the new stuff I'd 
               say.
14:39 < bress> I mean, we should have better log permissions, it's just the 
               pain of fixing this outweighs the pain of fixing it ;)
14:39 < bress> It's a simple code fix, but going to be horrible for admins.

(bress is this guy: https://fedoraproject.org/wiki/JoshBressers )

Comment 3 Vincent Danen 2013-11-14 22:18:15 UTC
Yeah, we know who Josh is.  I'm sort of assuming that this could be fixed for Fedora 20, which would hopefully be a baseline for anything in EPEL7, so it would inherit the fix?

This probably could have been fixed in Fedora 19 as well, given the age of this bug...

Comment 4 Vincent Danen 2014-05-12 22:26:59 UTC
This has been fixed in varnish-3.0.5-1 in Fedora 18, 19 and 20.

Comment 5 Ingvar Hagelund 2014-08-06 12:17:10 UTC
Just a small thing: This change gives a non-standard-dir-perm rpmlint error. As the same goes for httpd, I'll leave it like this.

$ rpmlint httpd-2.4.9-1.fc19.x86_64.rpm varnish-3.0.5-1.fc19.x86_64.rpm | grep log
httpd.x86_64: E: non-standard-dir-perm /var/log/httpd 0700L
varnish.x86_64: E: non-standard-dir-perm /var/log/varnish 0700L

Ingvar