Bug 915412 (CVE-2013-0345) - CVE-2013-0345 varnish: world-readable log files
Summary: CVE-2013-0345 varnish: world-readable log files
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-0345
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 915413 915414
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-02-25 17:16 UTC by Vincent Danen
Modified: 2019-09-29 13:01 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-12 22:26:59 UTC
Embargoed:

Attachments (Terms of Use)

Description Vincent Danen 2013-02-25 17:16:15 UTC 
Agostino Sarubbo reported on the oss-security mailing list [1] that, on Gentoo, /var/log/varnish is world-accessible and the log files inside the directory are world-readable.  This could allow an unprivileged user to read the log files.

Checking on Fedora and EPEL, /var/log/varnish is provided with 0755 permissions.  These should be reduced to 0700 permissions, like /var/log/httpd.

[1] http://www.openwall.com/lists/oss-security/2013/02/22/14
Comment 1 Vincent Danen 2013-02-25 17:18:20 UTC 
Created varnish tracking bugs for this issue

Affects: fedora-all [bug 915413]
Affects: epel-all [bug 915414]
Comment 2 Ingvar Hagelund 2013-11-14 13:43:05 UTC 
Quoting from #fedora-security on IRC, 2013-11-14

14:29 < ingvarha> Easy "fix" is just to chmod 700 the log directory in 
                  question, like for instance apache httpd does
14:30 < ingvarha> Possible problem is of course if users have log processing 
                  tools that uses non-root access to these files
14:30 < ingvarha> Is it OK to just change this in the stable EPEL branches?
14:30 < bress> I wouldn't change this in the stable branch.
14:31 < bress> I'd change it in the next major rev version (f20 or f21, epel7). 
               It's not *that* serious to warrant screwing up a ton of 
               infrastructure.
14:31 < ingvarha> well
14:31 < ingvarha> the ticket is on epel too
14:31 < ingvarha> s/ticket/bug/
14:33 < bress> Right. It's a good hardening measure, but as you said, people 
               are currently expecting certain permissions.
14:34 < ingvarha> Can I quote you on this in the bug? :-)
14:34 < bress> Certainly.
14:36 < ingvarha> So I should just close this as WONTFIX, then?
14:39 < bress> For the older versions. Do fix it in git for the new stuff I'd 
               say.
14:39 < bress> I mean, we should have better log permissions, it's just the 
               pain of fixing this outweights the pain of fixing it ;)
14:39 < bress> It's a simple code fix, but going to be horrible for admins.

(bress is this guy: https://fedoraproject.org/wiki/JoshBressers )
Comment 3 Vincent Danen 2013-11-14 22:18:15 UTC 
Yeah, we know who Josh is.  I'm sort of assuming that this could be fixed for Fedora 20, which would hopefully be a baseline for anything in EPEL7, so it would inherit the fix?

This probably could have been fixed in Fedora 19 as well, given the age of this bug...
Comment 4 Vincent Danen 2014-05-12 22:26:59 UTC 
This has been fixed in varnish-3.0.5-1 in Fedora 18, 19 and 20.
Comment 5 Ingvar Hagelund 2014-08-06 12:17:10 UTC 
Just a small thing: This change gives a non-standard-dir-perm rpmlint error. As the same goes for httpd, I'll leave it like this.

$ rpmlint httpd-2.4.9-1.fc19.x86_64.rpm varnish-3.0.5-1.fc19.x86_64.rpm | grep log
httpd.x86_64: E: non-standard-dir-perm /var/log/httpd 0700L
varnish.x86_64: E: non-standard-dir-perm /var/log/varnish 0700L

Ingvar
Note You need to log in before you can comment on or make changes to this bug.