On Wednesday 18 July 2007 15:17, Bill Moran wrote:
> In response to Kern Sibbald <[EMAIL PROTECTED]>:
>
> > Hello Secunia Research,
> >
> > Unfortunately, I don't know who you guys are, so I am not very inclined to
> > provide the detailed information you are requesting below (sorry for top
> > posting).
>
> FYI, as Bacula's growing pains continue, this is likely to be one of them.
>
> Despite the rather uninformative email from Secunia that doesn't include any
> introduction of the company whatsoever, these guys are a big deal in the
> corporate world. As a security-conscious company, we get a weekly summary
> from them, and have a guy who goes through all the issues and evaluates
> whether or not they affect us.
>
> The disadvantage of folks like Secunia is that they usually publish
> everything, whether it be trivial and non-exploitable or a critical remote-
> execution flaw. Thus the value they provide by tracking and reporting all
> these flaws is somewhat diluted by the fact that it results in information
> overload.
>
> Regardless, our upper management reviews these on a regular basis, and
> I frequently get questions like, "We're using that software, are we in any
> danger?" I expect that other security-conscious companies have similar
> things happen.
>
> Bacula's acceptance into the corporate world can be helped or hindered by
> how the project responds to these kinds of things. FreeBSD has a pretty
> good model for tracking potential security issues:
> http://www.freebsd.org/security/
>
> My recommendation would be to make a "security" section on the Bacula web
> site, and be prepared to post public statements on any potential
> vulnerabilities so that Secunia can link directly to them.
>
> If Secunia decides to publish this (which I expect they will) it will quickly
> get "picked up" by folks such as CERT, and anyone else who considers it their
> job to track security issues. It behooves the Bacula project to have an
> official statement prepared. I don't think I have to mention that backup
> software is a potential critical failure point from a security perspective.

A security page is something that I expect that we will do in Bacula Systems.

Thanks for the "intro" to Secunia. Fortunately, in this case, given my
response, they have decided not to list it as a security issue (I don't think
it is a security issue, or I would have already let everyone know).

Regards,

Kern

> > However, for you and for the Bacula users, who I have copied, I will repeat my
> > observations on this problem.
> >
> > - Recently I found what appears to be a possible buffer overrun (heap
> > corruption) in one of the Bacula SQL drivers.
> >
> > - This problem has never surfaced in any production version.
> >
> > - It occurred only in 2.1.x test versions with the new batch insert code
> > turned on, and resulted in jobs failing or segmentation faults. This is a
> > key point.
> >
> > - I never dug into the fine details of what was going wrong.
> >
> > - I corrected *several* places where there were *potential* problems, and the
> > failures went away.
> >
> > - The problem involved a possible heap corruption and not a stack overflow,
> > which means to me that it would be very hard to exploit this in any
> > meaningful way.
> >
> > - The problem seemed to be timing dependent (CPU speed or something) and only
> > occurred on some of my test machines, and on those machines where it
> > occurred, it only occurred in approximately 1 of every 20 executions of the
> > test that was failing.
> >
> > - There is a mechanism by which a user (sysadmin) having unrestricted access
> > to the bconsole might have been able to trigger this, but I have never tried
> > it, and all failures were detected during normal jobs running in regression
> > testing.
> >
> > - Normally Bacula will detect these kinds of problems shortly after they occur
> > and abort, minimizing any possibility of seriously corrupted data or exploit.
> > Bacula periodically checks the full heap for any sort of corruption or
> > overrun.
> >
> > - When this bug triggers, it is accompanied by a hard failure of some sort.
> > I.e. when it triggers, you know it hit you.
> >
> > - I did not issue a patch to version 2.0.3 because we have no evidence that
> > this problem occurred in production use, and because the release of the next
> > version is imminent.
> >
> > Though I see no urgency, my recommendation is for all users to upgrade as soon
> > as possible either when the production 2.2.0 version is released, or possibly
> > to the 2.1.26 beta version which is very stable or to 2.1.28 beta which will
> > be released in the next couple of days.
> >
> > Best regards,
> >
> > Kern
> >
> > On Tuesday 17 July 2007 15:44, Secunia Research wrote:
> > > Hello,
> > >
> > > since you say that this potentially affects older (also 1.x?) production
> > > releases, we would do some more research on this issue. In case we find
> > > this to be an exploitable vulnerability we, of course, won't provide
> > > further details in our advisory, but it will include a note that the
> > > vulnerability is fixed in 2.1.12-beta (or the next stable version, if
> > > released). Due to the fact that we noticed the issue in your changelog,
> > > we have to consider this to be at least semi-public.
> > >
> > > Can you therefore provide us with more information on the patches, e.g.
> > > which files have been patched, references to lines etc.
> > >
> > > Thanks again,
> > > Sven
> > >
> > > On Fri, 2007-07-13 at 14:42 +0200, Kern Sibbald wrote:
> > > > In taking a more careful look at this, I think under certain conditions
> > > > it is possible for the user to submit an SQL statement that could
> > > > trigger this overrun. How he would use it to gain security access, I
> > > > cannot say.
> > > >
> > > > I'm a bit busy right at the moment because we are getting very close to
> > > > a major release, so unless you can show me this is critical, I would
> > > > rather not spend too much more time on it.
> > > >
> > > > I document everything of importance that I find wrong with Bacula.
> > > > However, I consider it would be unwise to provide any public
> > > > documentation on how this might be exploited, if that is in fact
> > > > possible, as it would only encourage hackers to do damage. What IMO
> > > > would be much more appropriate is to advise users to upgrade to avoid
> > > > any potential problems ...
> > > --
> > >
> > > Sven Krewitt
> > > Security Specialist
> > >
> > > Secunia
> > > Hammerensgade 4, 2. floor
> > > DK-1267 Copenhagen K
> > > Denmark
> > >
> > > http://secunia.com/
> > >
> > > Phone +45 7020 5144
> > > Fax +45 7020 5145
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > Bacula-users mailing list
> > Bacula-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/bacula-users
>
> --
> Bill Moran
> http://www.potentialtech.com
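Kern's point that Bacula periodically checks the full heap for corruption, and that an overrun of this kind shows up as a hard failure rather than silently, is illustrated below with an added C example. It is not Bacula's allocator or any code from the thread (the page does not show Bacula's own mechanism); the guarded allocator, `heap_check()` and the length-checked `append_rows()` builder are names and designs assumed for this illustration. The first demo builds a multi-row VALUES list with a bound that stops before the buffer is full, so the heap stays clean; the second writes one byte past a requested size into that block's own guard bytes and shows the next check reporting it before the damage can reach any neighbouring allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Guarded heap allocator, illustration only (assumed design, not Bacula's).
 * Each block carries a magic header and a trailing guard pattern; heap_check()
 * walks every live block and verifies both, the way a periodic heap scan
 * turns a silent overrun into an immediate, visible failure. */

#define HEAD_MAGIC 0x5A5AA5A5u
#define GUARD_LEN  8
static const unsigned char GUARD_PATTERN[GUARD_LEN] =
    { 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF };

struct block_hdr {
    uint32_t magic;            /* damaged if something wrote before the block */
    size_t   size;             /* bytes the caller asked for */
    struct block_hdr *next;    /* intrusive doubly linked list of live blocks */
    struct block_hdr *prev;
};

static struct block_hdr *live_blocks = NULL;

static unsigned char *user_ptr(struct block_hdr *h) { return (unsigned char *)(h + 1); }

static int block_damaged(const struct block_hdr *h) {
    return h->magic != HEAD_MAGIC ||
           memcmp(user_ptr((struct block_hdr *)h) + h->size, GUARD_PATTERN, GUARD_LEN) != 0;
}

/* Allocate size bytes, plus a header in front and GUARD_LEN guard bytes behind. */
void *guarded_malloc(size_t size) {
    struct block_hdr *h = malloc(sizeof *h + size + GUARD_LEN);
    if (h == NULL) return NULL;
    h->magic = HEAD_MAGIC;
    h->size = size;
    h->prev = NULL;
    h->next = live_blocks;
    if (live_blocks) live_blocks->prev = h;
    live_blocks = h;
    memcpy(user_ptr(h) + size, GUARD_PATTERN, GUARD_LEN);
    return user_ptr(h);
}

/* Release a block; returns 1 if its guards were already damaged, else 0. */
int guarded_free(void *p) {
    if (p == NULL) return 0;
    struct block_hdr *h = (struct block_hdr *)p - 1;
    int bad = block_damaged(h);
    if (h->prev) h->prev->next = h->next; else live_blocks = h->next;
    if (h->next) h->next->prev = h->prev;
    h->magic = 0;              /* make a double free detectable too */
    free(h);
    return bad;
}

/* Walk all live blocks; return how many have a damaged header or tail guard.
 * A damaged header means its link fields cannot be trusted, so stop there. */
int heap_check(void) {
    int damaged = 0;
    for (struct block_hdr *h = live_blocks; h != NULL; h = h->next) {
        if (block_damaged(h)) {
            damaged++;
            if (h->magic != HEAD_MAGIC) break;
        }
    }
    return damaged;
}

/* Length-checked batch builder: joins rows with ',' into buf, never writing
 * past cap (NUL included). Returns the number of rows that fit. */
size_t append_rows(char *buf, size_t cap, const char *const *rows, size_t nrows) {
    if (cap == 0) return 0;
    size_t used = 0, n = 0;
    for (; n < nrows; n++) {
        size_t len = strlen(rows[n]);
        size_t sep = (n > 0) ? 1 : 0;
        if (used + sep + len + 1 > cap) break;   /* would not fit with the NUL */
        if (sep) buf[used++] = ',';
        memcpy(buf + used, rows[n], len);
        used += len;
    }
    buf[used] = '\0';
    return n;
}

/* Demo 1: constructed rows, bounded build; two rows fit in 16 bytes, the
 * third is refused, and the heap scan finds nothing wrong. Returns 1 on success. */
int demo_bounded_build(void) {
    const char *rows[] = { "(1,'a')", "(2,'b')", "(3,'c')" };
    char *buf = guarded_malloc(16);
    size_t n = append_rows(buf, 16, rows, 3);   /* "(1,'a'),(2,'b')" + NUL = 16 */
    int clean = (heap_check() == 0);
    guarded_free(buf);
    return clean && n == 2;
}

/* Demo 2: one byte written past the requested size lands in this block's own
 * guard; the next heap_check() reports it and guarded_free() flags it as well. */
int demo_detects_overrun(void) {
    char *buf = guarded_malloc(8);
    memset(buf, 'x', 8);
    buf[8] = 'x';                                /* off-by-one into guard byte 0 */
    int reported = heap_check();                 /* 1 damaged block */
    int bad_free = guarded_free(buf);
    return reported == 1 && bad_free == 1 && heap_check() == 0;
}

int main(void) {
    printf("bounded build leaves heap clean: %s\n", demo_bounded_build() ? "yes" : "no");
    printf("one-byte overrun detected:       %s\n", demo_detects_overrun() ? "yes" : "no");
    return 0;
}
```

The guard bytes belong to the block that owns them, so the demo's overrun never touches another allocation; what the scan buys a defender is the same thing Kern describes: the process learns of the corruption at the next check and can abort, instead of continuing with a damaged heap.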