Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 458888 (CVE-2013-0345)

Summary: www-servers/varnish: world-readable logdir (CVE-2013-0345)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: blueness, idl0r
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/02/22/14
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-02-23 18:58:01 UTC 
As reported by me on oss-security at $URL, varnish, at least on gentoo, has a world-redable 
log/logdir:

# ls -la /var/log/varnish/    
total 8                                                                                                                                                                             
drwxr-xr-x 2 root root 4096 Feb 22 13:48 .                                                                                                                                          
drwxr-xr-x 8 root root 4096 Feb 22 13:50 ..                                                                                                                                         
-rw-r--r-- 1 root root    0 Feb 22 13:48 access.log
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2014-05-22 20:25:32 UTC 
This should be fixed in varnish-4.0.0-r1.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-06-05 11:31:37 UTC 
Is the vulnerability present in 3.0.X? Or is it only 4.0.X?
If it is 3.0.X we will need to stabilize.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-06-26 20:15:34 UTC 
CVE-2013-0345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0345):
  varnish 3.0.3 uses world-readable permissions for the /var/log/varnish/
  directory and the log files in the directory, which allows local users to
  obtain sensitive information by reading the files.  NOTE: some of these
  details are obtained from third party information.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-26 20:19:20 UTC 
It is already fixed, it seems (in our tree too). Added to existing glsa draft.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-29 11:24:37 UTC 
Please re-verify that this is indeed fixed, I'm seeing -rw-r--r-- 1 root root 5 Jun 29 13:17 access.log still doing a fresh install of www-servers/varnish-3.0.5-r3 in a VM.
Comment 6 Christian Ruppert (idl0r) gentoo-dev 2014-07-06 11:46:22 UTC 
(In reply to Christian Ruppert (idl0r) from comment #1)
> This should be fixed in varnish-4.0.0-r1.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 12:25:43 UTC 
This issue was resolved and addressed in
 GLSA 201412-30 at http://security.gentoo.org/glsa/glsa-201412-30.xml
by GLSA coordinator Mikle Kolyada (Zlogene).