In response to Kern Sibbald <[EMAIL PROTECTED]>:

> Hello Secunia Research,
> 
> Unfortunately, I don't know who you guys are, so I am not very inclined to 
> provide the detailed information you are requesting below (sorry for top 
> posting). 

FYI, as Bacula's growing pains continue, this is likely to be one of them.

Despite the rather uninformative email from Secunia that doesn't include any
introduction of the company whatsoever, these guys are a big deal in the
corporate world.  As a security-conscious company, we get a weekly summary
from them, and have a guy who goes through all the issues and evaluates
whether or not they affect us.

The disadvantage of folks like Secunia is that they usually publish
everything, whether it be trivial and non-exploitable or a critical remote-
execution flaw.  Thus the value they provide by tracking and reporting all
these flaws is somewhat diluted by the fact that it results in information
overload.

Regardless, our upper management reviews these on a regular basis, and
I frequently get questions like, "We're using that software, are we in any
danger?"  I expect that other security-conscious companies have similar
things happen.

Bacula's acceptance into the corporate world can be helped or hindered by
how the project responds to these kinds of things.  FreeBSD has a pretty
good model for tracking potential security issues:
http://www.freebsd.org/security/

My recommendation would be to make a "security" section on the Bacula web
site, and be prepared to post public statements on any potential
vulnerabilities so that Secunia can link directly to them.

If Secunia decides to publish this (which I expect they will) it will quickly
get "picked up" by folks such as CERT, and anyone else who considers it their
job to track security issues.  It behooves the Bacula project to have an
official statement prepared.  I don't think I have to mention that backup
software is a potential critical failure point from a security perspective.

> 
> However, for you and for the Bacula users, who I have copied, I will repeat 
> my observations on this problem.
> 
> - Recently I found what appears to be a possible buffer overrun (heap 
> corruption) in one of the Bacula SQL drivers. 
> 
> - This problem has never surfaced in any production version.
> 
> - It occurred only in 2.1.x test versions with the new batch insert code 
> turned on, and resulted in jobs failing or segmentation faults.  This is a 
> key point.
> 
> - I never dug into the fine details of what was going wrong.
> 
> - I corrected *several* places where there were *potential* problems, and the 
> failures went away.
> 
> - The problem involved a possible heap corruption and not a stack overflow, 
> which means to me that it would be very hard to exploit this in any 
> meaningful way. 
> 
> - The problem seemed to be timing dependent (CPU speed or something) and only 
> occurred on some of my test machines, and on those machines where it 
> occurred, it only occurred in approximately 1 of every 20 executions of the 
> test that was failing.
> 
> - There is a mechanism by which a user (sysadmin) having unrestricted access 
> to the bconsole might have been able to trigger this, but I have never tried 
> it, and all failures were detected during normal jobs running in regression 
> testing.
> 
> - Normally Bacula will detect these kinds of problems shortly after they 
> occur and abort, minimizing any possibility of seriously corrupted data or 
> exploit. Bacula periodically checks the full heap for any sort of corruption 
> or overrun.
> 
> - When this bug triggers, it is accompanied by a hard failure of some sort.  
> I.e. when it triggers, you know it hit you.
> 
> - I did not issue a patch to version 2.0.3 because we have no evidence that 
> this problem occurred in production use, and because the release of the next 
> version is imminent.
> 
> 
> Though I see no urgency, my recommendation is for all users to upgrade as 
> soon as possible either when the production 2.2.0 version is released, or 
> possibly to the 2.1.26 beta version which is very stable or to 2.1.28 beta 
> which will be released in the next couple of days.
> 
> Best regards,
> 
> Kern
> 
> 
> On Tuesday 17 July 2007 15:44, Secunia Research wrote:
> > Hello,
> > 
> > since you say that this potentially affects older (also 1.x?) production
> > releases, we would do some more research on this issue. In case we find
> > this to be an exploitable vulnerability we, of course, won't provide
> > further details in our advisory, but it will include a note that the
> > vulnerability is fixed in 2.1.12-beta (or the next stable version, if
> > released). Due to the fact that we noticed the issue in your changelog,
> > we have to consider this to be at least semi-public.
> > 
> > Can you therefore provide us with more information on the patches, e.g.
> > which files have been patched, references to lines etc.
> > 
> > 
> > Thanks again,
> > Sven
> > 
> > 
> > On Fri, 2007-07-13 at 14:42 +0200, Kern Sibbald wrote:
> > > In taking a more careful look at this, I think under certain
> > > conditions it is possible for the user to submit an SQL statement
> > > that could trigger this overrun.  How he would use it to gain
> > > security access, I cannot say.
> > > 
> > > I'm a bit busy right at the moment because we are getting very close
> > > to a major release, so unless you can show me this is critical, I
> > > would rather not spend too much more time on it.
> > > 
> > > I document everything of importance that I find wrong with Bacula.
> > > However, I consider it would be unwise to provide any public
> > > documentation on how this might be exploited, if that is in fact
> > > possible, as it would only encourage hackers to do damage.  What IMO
> > > would be much more appropriate is to advise users to upgrade to avoid
> > > any potential problems ...
> > -- 
> > 
> > Sven Krewitt
> > Security Specialist
> > 
> > Secunia 
> > Hammerensgade 4, 2. floor
> > DK-1267 Copenhagen K
> > Denmark
> > 
> > http://secunia.com/
> > 
> > Phone  +45 7020 5144
> > Fax    +45 7020 5145
> > 
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users


-- 
Bill Moran
http://www.potentialtech.com
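An added example for readers of this thread, not Bacula's code and not written by anyone quoted above: a minimal guarded-allocation layer in C that shows the kind of periodic full-heap sanity check Kern refers to ("Bacula periodically checks the full heap for any sort of corruption or overrun"). Each block carries a magic value in its header and a sentinel word right after the caller's buffer; guard_check_all() walks every live block and reports the first one whose guards were overwritten. The function names, the "batch fill" demo and the sample row data are my own constructs and do not reproduce the actual Bacula SQL driver or its batch insert code.

```c
/* Added example: sentinel-guarded allocations plus a full-heap sweep.
   Hypothetical code, not Bacula's; it illustrates the technique only. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_MAGIC 0xA5C3D1E7u
#define GUARD_TAIL  0xDEADBEEFCAFEF00Dull
#define GUARD_SLACK 32   /* extra bytes so a small demo overrun stays inside our own allocation */

struct guard_hdr {
    struct guard_hdr *next;
    size_t size;          /* bytes requested by the caller */
    const char *file;     /* allocation site, reported on failure */
    int line;
    uint32_t magic;       /* clobbered by an underrun or a wild write */
};

/* caller's data starts on a 16-byte boundary after the header */
#define HDR_SIZE ((sizeof(struct guard_hdr) + 15) & ~(size_t)15)

static struct guard_hdr *guard_list = NULL;   /* all live blocks */

static void *guard_malloc(size_t n, const char *file, int line)
{
    struct guard_hdr *h = malloc(HDR_SIZE + n + sizeof(uint64_t) + GUARD_SLACK);
    if (!h) return NULL;
    h->size = n; h->file = file; h->line = line; h->magic = GUARD_MAGIC;
    h->next = guard_list;
    guard_list = h;
    unsigned char *user = (unsigned char *)h + HDR_SIZE;
    uint64_t tail = GUARD_TAIL;
    memcpy(user + n, &tail, sizeof tail);   /* sentinel immediately after the buffer */
    return user;
}

/* 0 = intact, 1 = header magic clobbered, 2 = trailing sentinel overwritten */
static int guard_check_block(const struct guard_hdr *h)
{
    const unsigned char *user = (const unsigned char *)h + HDR_SIZE;
    uint64_t tail;
    if (h->magic != GUARD_MAGIC) return 1;
    memcpy(&tail, user + h->size, sizeof tail);
    return tail == GUARD_TAIL ? 0 : 2;
}

/* The periodic sweep: walk every live block, report the first damaged one. */
int guard_check_all(void)
{
    for (struct guard_hdr *h = guard_list; h; h = h->next) {
        int rc = guard_check_block(h);
        if (rc) {
            fprintf(stderr, "heap check: %s in %zu-byte block allocated at %s:%d\n",
                    rc == 1 ? "header clobbered" : "overrun past end of buffer",
                    h->size, h->file, h->line);
            return rc;
        }
    }
    return 0;
}

static void guard_free(void *p)
{
    struct guard_hdr *h = (struct guard_hdr *)((unsigned char *)p - HDR_SIZE);
    for (struct guard_hdr **pp = &guard_list; *pp; pp = &(*pp)->next) {
        if (*pp == h) { *pp = h->next; break; }
    }
    free(h);
}

/* Demo (constructed scenario): a buffer sized for rows_sized fixed-width rows
   is filled with rows_written rows.  One row too many lands exactly on the
   sentinel, and the sweep reports it before the buffer is released.
   rows_written must stay <= rows_sized + 5 so the overrun stays within GUARD_SLACK. */
int demo_batch_fill(int rows_sized, int rows_written)
{
    const size_t rowlen = 8;
    char *buf = guard_malloc(rowlen * (size_t)rows_sized, __FILE__, __LINE__);
    if (!buf) return -1;
    for (int i = 0; i < rows_written; i++)
        memcpy(buf + (size_t)i * rowlen, "ROW_DATA", rowlen);
    int rc = guard_check_all();
    guard_free(buf);
    return rc;
}

int main(void)
{
    printf("exact fit:    %d\n", demo_batch_fill(4, 4));
    printf("one row over: %d\n", demo_batch_fill(4, 5));
    return 0;
}
```

The point of the sweep is the one Kern makes: a corrupted guard turns a silent heap overrun into a hard, attributable failure at the next check, which is why such a bug tends to show up as crashed or aborted jobs rather than as something quietly exploitable. A real allocator wrapper would also poison freed memory and check guards on every free, which this demo omits.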
