Debian Bug report logs - #615995
CVE-2011-1018
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Tue, 1 Mar 2011 16:21:04 UTC
Severity: grave
Tags: security
Found in version logwatch/7.3.6.cvs20090906-1
Fixed in versions logwatch/7.3.6.cvs20090906-2, 7.3.6.cvs20090906-2, logwatch/7.3.6.cvs20080702-2lenny1, logwatch/7.3.6.cvs20090906-1squeeze1
Done: Willi Mann <willi@wm1.at>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Willi Mann <willi@wm1.at>: Bug#615995; Package logwatch. (Tue, 01 Mar 2011 16:21:07 GMT)
Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Willi Mann <willi@wm1.at>. (Tue, 01 Mar 2011 16:21:07 GMT)
Message #5 received at submit@bugs.debian.org:
Package: logwatch
Severity: grave
Tags: security
Please see https://bugzilla.redhat.com/show_bug.cgi?id=680237
for references.
This is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1018
Cheers,
Moritz
-- System Information:
Debian Release: 5.0.1
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.32-ucs35-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Information forwarded to debian-bugs-dist@lists.debian.org, Willi Mann <willi@wm1.at>: Bug#615995; Package logwatch. (Tue, 01 Mar 2011 18:21:07 GMT)
Acknowledgement sent to Steve Beattie <sbeattie@ubuntu.com>: Extra info received and forwarded to list. Copy sent to Willi Mann <willi@wm1.at>. (Tue, 01 Mar 2011 18:21:07 GMT)
Message #10 received at 615995@bugs.debian.org:
Package: logwatch
Version: 7.3.6.cvs20090906-1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu natty ubuntu-patch
In Ubuntu, we've applied the attached patch to achieve the following:
* SECURITY UPDATE: privileged code execution via badly named logfiles
- scripts/logwatch.pl: encapsulate logfiles in 's and ensure logfile
names don't contain '.
- http://logwatch.svn.sourceforge.net/viewvc/logwatch?view=revision&revision=26
- CVE-2011-1018
We thought you might be interested in doing the same.
-- System Information:
Debian Release: squeeze/sid
APT prefers maverick-updates
APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick-proposed'), (500, 'maverick')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.35-27-server (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[tmpOK01y0 (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#615995; Package logwatch. (Wed, 02 Mar 2011 11:42:10 GMT)
Acknowledgement sent to Willi Mann <willi@wm1.at>: Extra info received and forwarded to list. (Wed, 02 Mar 2011 11:42:10 GMT)
Message #15 received at 615995@bugs.debian.org:
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=680237
> for references.
>
> This is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1018
Thanks for the report. I'll ask my sponsor to upload
http://pkg-logwatch.alioth.debian.org/apt/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906-2.dsc
to unstable.
I know that a new upstream version is available, but this takes more
time for preparation.
Moritz, will you prepare the uploads for stable and oldstable? This is
the first time one of my packages is involved in a security issue.
Willi
Reply sent to Willi Mann <willi@wm1.at>: You have taken responsibility. (Wed, 02 Mar 2011 16:51:03 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Wed, 02 Mar 2011 16:51:03 GMT)
Message #20 received at 615995-close@bugs.debian.org:
Source: logwatch
Source-Version: 7.3.6.cvs20090906-2
We believe that the bug you reported is fixed in the latest version of
logwatch, which is due to be installed in the Debian FTP archive:
logwatch_7.3.6.cvs20090906-2.diff.gz
to main/l/logwatch/logwatch_7.3.6.cvs20090906-2.diff.gz
logwatch_7.3.6.cvs20090906-2.dsc
to main/l/logwatch/logwatch_7.3.6.cvs20090906-2.dsc
logwatch_7.3.6.cvs20090906-2_all.deb
to main/l/logwatch/logwatch_7.3.6.cvs20090906-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 615995@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Willi Mann <willi@wm1.at> (supplier of updated logwatch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 02 Mar 2011 08:57:07 +0100
Source: logwatch
Binary: logwatch
Architecture: source all
Version: 7.3.6.cvs20090906-2
Distribution: unstable
Urgency: high
Maintainer: Willi Mann <willi@wm1.at>
Changed-By: Willi Mann <willi@wm1.at>
Description:
logwatch - log analyser with nice output written in Perl
Closes: 615995
Changes:
logwatch (7.3.6.cvs20090906-2) unstable; urgency=high
.
* CVE-2011-1018: Remote code execution by combination of
- Logfile name by attacker's choice (e.g. samba log files) and
- Missing sanitization of logfile names in system() call.
- fix by encapsulating logfile names in ' and disallowing '.
Taken from upstream.
- closes: #615995
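As an added illustration (not logwatch's own code and not the upstream patch), the following Perl shows the pattern the changelog and the Ubuntu patch description refer to: a logfile name interpolated unquoted into a system() command line, the fix of wrapping the name in single quotes and rejecting names that contain one, and a shell-free list-form open() alternative; the filter path and the sample file names are made up.

```perl
#!/usr/bin/perl
# Added illustration (not logwatch's own code): how a logfile name
# reaches the shell through a system() command string, and two ways
# to make that safe.
use strict;
use warnings;

# Before the fix: the name is interpolated unquoted into a shell
# command, so any shell metacharacter in a file name is interpreted
# by the shell instead of being part of the path.
sub unsafe_command {
    my ($logfile) = @_;
    # hypothetical filter path, not a real logwatch script
    return "cat $logfile | /usr/share/logwatch/scripts/filter";
}

# The approach taken by the CVE-2011-1018 fix: refuse any name that
# contains a single quote, then wrap the name in single quotes so the
# shell treats the whole name as one literal word.
sub quoted_command {
    my ($logfile) = @_;
    die "refusing logfile name containing a single quote: $logfile\n"
        if $logfile =~ /'/;
    return "cat '$logfile' | /usr/share/logwatch/scripts/filter";
}

# Stronger alternative: never hand the name to a shell at all. The
# list form of open() passes the arguments straight to the program,
# and '--' keeps a name starting with '-' from being read as an option.
sub read_without_shell {
    my ($logfile) = @_;
    open(my $fh, '-|', 'cat', '--', $logfile)
        or die "cannot run cat on $logfile: $!\n";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# Constructed demonstration names; nothing here touches a real log.
my @names = ('log.smbd', 'weird name.log', "log.'.smbd");
for my $n (@names) {
    my $cmd = eval { quoted_command($n) };
    print defined $cmd ? "accepted: $cmd\n" : "rejected: $@";
}
my @lines = read_without_shell('/dev/null');
printf "read %d lines via list-form open, no shell involved\n", scalar @lines;
```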
Bug no longer marked as fixed in versions logwatch/7.3.6.cvs20090906-2 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 03 Mar 2011 00:00:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Willi Mann <willi@wm1.at>: Bug#615995; Package logwatch. (Thu, 03 Mar 2011 00:09:03 GMT)
Acknowledgement sent to henri@nerv.fi: Extra info received and forwarded to list. Copy sent to Willi Mann <willi@wm1.at>. (Thu, 03 Mar 2011 00:09:03 GMT)
Message #27 received at 615995@bugs.debian.org:
I am reopening this issue, because there are releases which haven't been patched yet.
http://security-tracker.debian.org/tracker/CVE-2011-1018
Best regards,
Henri Salo
Information forwarded to debian-bugs-dist@lists.debian.org, Willi Mann <willi@wm1.at>: Bug#615995; Package logwatch. (Thu, 03 Mar 2011 15:15:03 GMT)
Acknowledgement sent to Julien Cristau <jcristau@debian.org>: Extra info received and forwarded to list. Copy sent to Willi Mann <willi@wm1.at>. (Thu, 03 Mar 2011 15:15:03 GMT)
Message #32 received at 615995@bugs.debian.org:
On Thu, Mar 3, 2011 at 01:58:54 +0200, henri@nerv.fi wrote:
> I am reopening this issue, because there are releases which haven't been patched yet.
>
That's not an appropriate reason for reopening. The BTS has version
tracking for a reason. If the bug is fixed in unstable, then this bug
should stay closed.
Cheers,
Julien
Bug marked as fixed in versions logwatch/7.3.6.cvs20090906-2. Request was from henri@nerv.fi to control@bugs.debian.org. (Thu, 03 Mar 2011 15:21:02 GMT)
Reply sent to henri@nerv.fi: You have taken responsibility. (Thu, 03 Mar 2011 15:45:13 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Thu, 03 Mar 2011 15:45:13 GMT)
Message #39 received at 615995-done@bugs.debian.org:
Version: 7.3.6.cvs20090906-2
Reply sent to Willi Mann <willi@wm1.at>: You have taken responsibility. (Sat, 05 Mar 2011 20:00:06 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Sat, 05 Mar 2011 20:00:06 GMT)
Message #44 received at 615995-close@bugs.debian.org:
Source: logwatch
Source-Version: 7.3.6.cvs20080702-2lenny1
We believe that the bug you reported is fixed in the latest version of
logwatch, which is due to be installed in the Debian FTP archive:
logwatch_7.3.6.cvs20080702-2lenny1.diff.gz
to main/l/logwatch/logwatch_7.3.6.cvs20080702-2lenny1.diff.gz
logwatch_7.3.6.cvs20080702-2lenny1.dsc
to main/l/logwatch/logwatch_7.3.6.cvs20080702-2lenny1.dsc
logwatch_7.3.6.cvs20080702-2lenny1_all.deb
to main/l/logwatch/logwatch_7.3.6.cvs20080702-2lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 615995@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Willi Mann <willi@wm1.at> (supplier of updated logwatch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Thu, 03 Mar 2011 19:49:55 +0100
Source: logwatch
Binary: logwatch
Architecture: source all
Version: 7.3.6.cvs20080702-2lenny1
Distribution: oldstable-security
Urgency: high
Maintainer: Willi Mann <willi@wm1.at>
Changed-By: Willi Mann <willi@wm1.at>
Description:
logwatch - log analyser with nice output written in Perl
Closes: 615995
Changes:
logwatch (7.3.6.cvs20080702-2lenny1) oldstable-security; urgency=high
.
* CVE-2011-1018: Remote code execution by combination of
- Logfile name by attacker's choice (e.g. samba log files) and
- Missing sanitization of logfile names in system() call.
- fix by encapsulating logfile names in ' and disallowing '.
Taken from upstream.
- closes: #615995
Reply sent to Willi Mann <willi@wm1.at>: You have taken responsibility. (Sat, 05 Mar 2011 20:00:08 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Sat, 05 Mar 2011 20:00:09 GMT)
Message #49 received at 615995-close@bugs.debian.org:
Source: logwatch
Source-Version: 7.3.6.cvs20090906-1squeeze1
We believe that the bug you reported is fixed in the latest version of
logwatch, which is due to be installed in the Debian FTP archive:
logwatch_7.3.6.cvs20090906-1squeeze1.diff.gz
to main/l/logwatch/logwatch_7.3.6.cvs20090906-1squeeze1.diff.gz
logwatch_7.3.6.cvs20090906-1squeeze1.dsc
to main/l/logwatch/logwatch_7.3.6.cvs20090906-1squeeze1.dsc
logwatch_7.3.6.cvs20090906-1squeeze1_all.deb
to main/l/logwatch/logwatch_7.3.6.cvs20090906-1squeeze1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 615995@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Willi Mann <willi@wm1.at> (supplier of updated logwatch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 02 Mar 2011 08:57:07 +0100
Source: logwatch
Binary: logwatch
Architecture: source all
Version: 7.3.6.cvs20090906-1squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Willi Mann <willi@wm1.at>
Changed-By: Willi Mann <willi@wm1.at>
Description:
logwatch - log analyser with nice output written in Perl
Closes: 615995
Changes:
logwatch (7.3.6.cvs20090906-1squeeze1) stable-security; urgency=high
.
* CVE-2011-1018: Remote code execution by combination of
- Logfile name by attacker's choice (e.g. samba log files) and
- Missing sanitization of logfile names in system() call.
- fix by encapsulating logfile names in ' and disallowing '.
Taken from upstream.
- closes: #615995
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Apr 2011 09:00:35 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:40:25 2019