logrotate: CVE-2022-1348: potential DoS from unprivileged users via the state file

Related Vulnerabilities: CVE-2022-1348

Debian Bug report logs - #1011644
logrotate: CVE-2022-1348: potential DoS from unprivileged users via the state file


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 25 May 2022 19:51:01 UTC

Severity: important

Tags: security, upstream

Found in versions logrotate/3.19.0-2, logrotate/3.18.0-2, logrotate/3.17.0-1

Fixed in version logrotate/3.20.1-1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Christian Göttsche <cgzones@googlemail.com>:
Bug#1011644; Package src:logrotate. (Wed, 25 May 2022 19:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Christian Göttsche <cgzones@googlemail.com>. (Wed, 25 May 2022 19:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: logrotate: CVE-2022-1348: potential DoS from unprivileged users via the state file
Date: Wed, 25 May 2022 21:50:08 +0200
Source: logrotate
Version: 3.17.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 3.18.0-2
Control: found -1 3.19.0-2

Hi,

The following vulnerability was published for logrotate.

CVE-2022-1348[0]:
| A vulnerability was found in logrotate in how the state file is
| created. The state file is used to prevent parallel executions of
| multiple instances of logrotate by acquiring and releasing a file
| lock. When the state file does not exist, it is created with world-
| readable permission, allowing an unprivileged user to lock the state
| file, stopping any rotation. This flaw affects logrotate versions
| before 3.20.0.

Note that the issue is present as well in Debian even though we have
the state file from almost the beginning in /var/lib/logrotate/state,
as the /var/lib/logrotate directory has 0755 permissions allowing a
user to acquire the lock.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1348
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1348
[1] https://www.openwall.com/lists/oss-security/2022/05/25/3
[2] https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9 (3.20.0)
[3] https://github.com/logrotate/logrotate/commit/addbd293242b0b78aa54f054e6c1d249451f137d (3.20.1)


Regards,
Salvatore
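As an added defender-side check (not code from the bug report, from logrotate, or from the Debian package), the shell function below audits whether a logrotate state file is reachable by other users in the way the report describes: a world-readable file inside a world-searchable directory. The path /var/lib/logrotate/status and GNU stat are assumptions; the demonstration at the bottom runs on a constructed temporary directory.

```shell
#!/bin/sh
# Added audit helper for the condition CVE-2022-1348 depends on; it is not
# part of logrotate or the Debian package. Any user who can open the state
# file for reading can take the flock() on it, which blocks rotation. The
# file is reachable when its immediate parent directory is searchable by
# "other" (x bit) and the file itself is readable by "other" (r bit).
#
# Usage: logrotate_state_audit /var/lib/logrotate/status
# Exit status: 0 = not reachable by other users, 1 = reachable, 2 = missing.
logrotate_state_audit() {
    statefile=$1
    dir=$(dirname -- "$statefile")
    if [ ! -f "$statefile" ]; then
        echo "$statefile: missing (logrotate creates it on the next run)"
        return 2
    fi
    # GNU stat prints the octal mode, e.g. 644 or 1755; the last digit is
    # the permission class for "other". Taking the last character avoids
    # treating a leading 0 as an octal prefix in shell arithmetic.
    fmode=$(stat -c '%a' -- "$statefile")
    dmode=$(stat -c '%a' -- "$dir")
    fother=${fmode#"${fmode%?}"}
    dother=${dmode#"${dmode%?}"}
    if [ $((fother & 4)) -ne 0 ] && [ $((dother & 1)) -ne 0 ]; then
        echo "$statefile: file mode $fmode, dir mode $dmode: any user can open and lock it"
        return 1
    fi
    echo "$statefile: file mode $fmode, dir mode $dmode: not reachable by other users"
    return 0
}

# Constructed demonstration in a temporary directory: a 0644 state file in a
# 0755 directory (the layout the report describes), then the same file at 0640.
demo=$(mktemp -d)
mkdir -m 755 "$demo/logrotate"
: > "$demo/logrotate/status"
chmod 644 "$demo/logrotate/status"
logrotate_state_audit "$demo/logrotate/status" || true   # reports "any user can open and lock it"
chmod 640 "$demo/logrotate/status"
logrotate_state_audit "$demo/logrotate/status"           # reports "not reachable by other users"
rm -rf "$demo"
```

The check only looks at the "other" class and the immediate parent directory; a broad group on the file or an ancestor directory opened up to everyone deserves the same scrutiny.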



Marked as found in versions logrotate/3.18.0-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 25 May 2022 19:51:03 GMT)


Marked as found in versions logrotate/3.19.0-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 25 May 2022 19:51:03 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 26 May 2022 06:57:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 26 May 2022 06:57:03 GMT)


Message #14 received at 1011644-done@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 1011644-done@bugs.debian.org
Cc: Christian Göttsche <cgzones@googlemail.com>
Subject: Re: Accepted logrotate 3.20.1-1 (source) into unstable
Date: Thu, 26 May 2022 08:53:47 +0200
Source: logrotate
Source-Version: 3.20.1-1

On Wed, May 25, 2022 at 11:19:52PM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Thu, 26 May 2022 00:15:57 +0200
> Source: logrotate
> Architecture: source
> Version: 3.20.1-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Christian Göttsche <cgzones@googlemail.com>
> Changed-By: Christian Göttsche <cgzones@googlemail.com>
> Changes:
>  logrotate (3.20.1-1) unstable; urgency=medium
>  .
>    [ Jeremy Bicha ]
>    * Use group adm on Ubuntu for rotating logs
>    * debian/ubuntu-logrotate.conf: Update comment to /var/log/
>  .
>    [ Christian Göttsche ]
>    * New upstream version 3.20.1
>      - fix potential DoS from unprivileged users via the state file
>        (CVE-2022-1348)
>    * d/patches: drop upstream applied one
>    * d/control: bump to std version 4.6.1 (no further changes)
>    * d/control: reduce mailx from Recommends to Suggests
> 

Fixed with the new upstream version upload.

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu May 26 13:12:29 2022; Machine Name: buxtehude
