Bug 915412 - (CVE-2013-0345) CVE-2013-0345 varnish: world-readable log files
CVE-2013-0345 varnish: world-readable log files
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 915413 915414
  Show dependency treegraph
Reported: 2013-02-25 12:16 EST by Vincent Danen
Modified: 2014-08-06 08:17 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-05-12 18:26:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-02-25 12:16:15 EST
Agostino Sarubbo reported on the oss-security mailing list [1] that, on Gentoo, /var/log/varnish is world-accessible and the log files inside the directory are world-readable.  This could allow an unprivileged user to read the log files.

Checking on Fedora and EPEL, /var/log/varnish is provided with 0755 permissions.  These should be reduced to 0700 permissions, like /var/log/httpd.

[1] http://www.openwall.com/lists/oss-security/2013/02/22/14
Comment 1 Vincent Danen 2013-02-25 12:18:20 EST
Created varnish tracking bugs for this issue

Affects: fedora-all [bug 915413]
Affects: epel-all [bug 915414]
Comment 2 Ingvar Hagelund 2013-11-14 08:43:05 EST
Quoting from #fedora-security on IRC, 2013-11-14

14:29 < ingvarha> Easy "fix" is just to chmod 700 the log directory in 
                  question, like for instance apache httpd does
14:30 < ingvarha> Possible problem is of course if users have log processing 
                  tools that uses non-root access to these files
14:30 < ingvarha> Is it OK to just change this in the stable EPEL branches?
14:30 < bress> I wouldn't change this in the stable branch.
14:31 < bress> I'd change it in the next major rev version (f20 or f21, epel7). 
               It's not *that* serious to warrant screwing up a ton of 
14:31 < ingvarha> well
14:31 < ingvarha> the ticket is on epel too
14:31 < ingvarha> s/ticket/bug/
14:33 < bress> Right. It's a good hardening measure, but as you said, people 
               are currently expecting certain permissions.
14:34 < ingvarha> Can I quote you on this in the bug? :-)
14:34 < bress> Certainly.
14:36 < ingvarha> So I should just close this as WONTFIX, then?
14:39 < bress> For the older versions. Do fix it in git for the new stuff I'd 
14:39 < bress> I mean, we should have better log permissions, it's just the 
               pain of fixing this outweights the pain of fixing it ;)
14:39 < bress> It's a simple code fix, but going to be horrible for admins.

(bress is this guy: https://fedoraproject.org/wiki/JoshBressers )
Comment 3 Vincent Danen 2013-11-14 17:18:15 EST
Yeah, we know who Josh is.  I'm sort of assuming that this could be fixed for Fedora 20, which would hopefully be a baseline for anything in EPEL7, so it would inherit the fix?

This probably could have been fixed in Fedora 19 as well, given the age of this bug...
Comment 4 Vincent Danen 2014-05-12 18:26:59 EDT
This has been fixed in varnish-3.0.5-1 in Fedora 18, 19 and 20.
Comment 5 Ingvar Hagelund 2014-08-06 08:17:10 EDT
Just a small thing: This change gives a non-standard-dir-perm rpmlint error. As the same goes for httpd, I'll leave it like this.

$ rpmlint httpd-2.4.9-1.fc19.x86_64.rpm varnish-3.0.5-1.fc19.x86_64.rpm | grep log
httpd.x86_64: E: non-standard-dir-perm /var/log/httpd 0700L
varnish.x86_64: E: non-standard-dir-perm /var/log/varnish 0700L


Note You need to log in before you can comment on or make changes to this bug.