Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 458888 (CVE-2013-0345)

Summary: www-servers/varnish: world-readable logdir (CVE-2013-0345)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: blueness, idl0r
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-02-23 18:58:01 UTC
As reported by me on oss-security at $URL, varnish, at least on gentoo, has a world-redable 

# ls -la /var/log/varnish/    
total 8                                                                                                                                                                             
drwxr-xr-x 2 root root 4096 Feb 22 13:48 .                                                                                                                                          
drwxr-xr-x 8 root root 4096 Feb 22 13:50 ..                                                                                                                                         
-rw-r--r-- 1 root root    0 Feb 22 13:48 access.log
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2014-05-22 20:25:32 UTC
This should be fixed in varnish-4.0.0-r1.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-06-05 11:31:37 UTC
Is the vulnerability present in 3.0.X? Or is it only 4.0.X?
If it is 3.0.X we will need to stabilize.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-06-26 20:15:34 UTC
CVE-2013-0345 (
  varnish 3.0.3 uses world-readable permissions for the /var/log/varnish/
  directory and the log files in the directory, which allows local users to
  obtain sensitive information by reading the files.  NOTE: some of these
  details are obtained from third party information.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-26 20:19:20 UTC
It is already fixed, it seems (in our tree too). Added to existing glsa draft.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-29 11:24:37 UTC
Please re-verify that this is indeed fixed, I'm seeing -rw-r--r-- 1 root root 5 Jun 29 13:17 access.log still doing a fresh install of www-servers/varnish-3.0.5-r3 in a VM.
Comment 6 Christian Ruppert (idl0r) gentoo-dev 2014-07-06 11:46:22 UTC
(In reply to Christian Ruppert (idl0r) from comment #1)
> This should be fixed in varnish-4.0.0-r1.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 12:25:43 UTC
This issue was resolved and addressed in
 GLSA 201412-30 at
by GLSA coordinator Mikle Kolyada (Zlogene).