Debian Bug report logs - #1011644
logrotate: CVE-2022-1348: potential DoS from unprivileged users via the state file
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 25 May 2022 19:51:01 UTC
Severity: important
Tags: security, upstream
Found in versions logrotate/3.19.0-2, logrotate/3.18.0-2, logrotate/3.17.0-1
Fixed in version logrotate/3.20.1-1
Done: Salvatore Bonaccorso <carnil@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Christian Göttsche <cgzones@googlemail.com>: Bug#1011644; Package src:logrotate. (Wed, 25 May 2022 19:51:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Christian Göttsche <cgzones@googlemail.com>. (Wed, 25 May 2022 19:51:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: logrotate
Version: 3.17.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 3.18.0-2
Control: found -1 3.19.0-2
Hi,
The following vulnerability was published for logrotate.
CVE-2022-1348[0]:
| A vulnerability was found in logrotate in how the state file is
| created. The state file is used to prevent parallel executions of
| multiple instances of logrotate by acquiring and releasing a file
| lock. When the state file does not exist, it is created with world-
| readable permission, allowing an unprivileged user to lock the state
| file, stopping any rotation. This flaw affects logrotate versions
| before 3.20.0.
Note that the issue is present as well in Debian even though we have
the state file from almost the beginning in /var/lib/logrotate/state,
as the /var/lib/logrotate directory has 0755 permissions allowing a
user to acquire the lock.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-1348
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1348
[1] https://www.openwall.com/lists/oss-security/2022/05/25/3
[2] https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9 (3.20.0)
[3] https://github.com/logrotate/logrotate/commit/addbd293242b0b78aa54f054e6c1d249451f137d (3.20.1)
Regards,
Salvatore
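A permission audit for the condition the report describes, added here as an example and not code from the bug report, logrotate or Debian: `demo` builds a constructed temporary layout, and the default path is Debian's `/var/lib/logrotate/state` from the report.

```python
import os
import stat
import tempfile

# Added example, not logrotate's or Debian's code: audit whether an account other
# than the owner/group could reach, and therefore flock(2), the logrotate state
# file. flock(2) needs no write access, so a world-readable file inside a world-
# traversable directory lets any local user hold the lock (CVE-2022-1348).
STATE_FILE = "/var/lib/logrotate/state"  # Debian path, per the report


def audit_state_file(path=STATE_FILE):
    """Return (reachable_by_others, findings) for the state file at `path`."""
    findings = []
    directory = os.path.dirname(path) or "."
    try:
        dmode = stat.S_IMODE(os.stat(directory).st_mode)
        fmode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError as exc:
        # A missing state file is created on the next run; before 3.20.0 that
        # creation followed the umask, which normally yields a world-readable file.
        return True, [f"{exc.filename}: missing, will be created with umask permissions"]
    dir_open = bool(dmode & stat.S_IXOTH)
    file_open = bool(fmode & (stat.S_IROTH | stat.S_IWOTH))
    if dir_open:
        findings.append(f"{directory}: mode {dmode:04o} lets other users traverse it")
    if file_open:
        findings.append(f"{path}: mode {fmode:04o} is readable by other users")
    reachable = dir_open and file_open
    if reachable:
        findings.append("any local user can take the lock and stop log rotation")
    return reachable, findings


def demo(dir_mode, file_mode):
    """Constructed scenario: a throwaway state dir and file with the given modes."""
    with tempfile.TemporaryDirectory() as tmp:
        state_dir = os.path.join(tmp, "logrotate")
        os.mkdir(state_dir)
        state = os.path.join(state_dir, "state")
        with open(state, "w") as fh:
            fh.write("logrotate state -- version 2\n")  # constructed state header
        os.chmod(state, file_mode)
        os.chmod(state_dir, dir_mode)
        return audit_state_file(state)[0]


if __name__ == "__main__":
    print("world-readable file in a 0755 dir, as in the report:", demo(0o755, 0o644))  # True
    print("file 0640 in a 0755 dir:", demo(0o755, 0o640))  # False
```

Calling `audit_state_file()` with no argument checks the live Debian path and returns the findings as a list of strings.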
Marked as found in versions logrotate/3.18.0-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 25 May 2022 19:51:03 GMT)
Marked as found in versions logrotate/3.19.0-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 25 May 2022 19:51:03 GMT)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Thu, 26 May 2022 06:57:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 26 May 2022 06:57:03 GMT)
Message #14 received at 1011644-done@bugs.debian.org:
Source: logrotate
Source-Version: 3.20.1-1
On Wed, May 25, 2022 at 11:19:52PM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Thu, 26 May 2022 00:15:57 +0200
> Source: logrotate
> Architecture: source
> Version: 3.20.1-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Christian Göttsche <cgzones@googlemail.com>
> Changed-By: Christian Göttsche <cgzones@googlemail.com>
> Changes:
> logrotate (3.20.1-1) unstable; urgency=medium
> .
> [ Jeremy Bicha ]
> * Use group adm on Ubuntu for rotating logs
> * debian/ubuntu-logrotate.conf: Update comment to /var/log/
> .
> [ Christian Göttsche ]
> * New upstream version 3.20.1
> - fix potential DoS from unprivileged users via the state file
> (CVE-2022-1348)
> * d/patches: drop upstream applied one
> * d/control: bump to std version 4.6.1 (no further changes)
> * d/control: reduce mailx from Recommends to Suggests
Fixed with the new upstream version upload.
Regards,
Salvatore
Last modified: Thu May 26 13:12:29 2022