Opened 2 years ago
Closed 2 years ago
#16579 closed enhancement (fixed)
logrotate-3.20.1
| Reported by: | Douglas R. Reno | Owned by: | pierre |
|---|---|---|---|
| Priority: | normal | Milestone: | 11.2 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version
Change History (8)
comment:1 by , 2 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 2 years ago
logrotate-3.20.0
fix potential DoS from unprivileged users via the state file (CVE-2022-1348)
fix a misleading debug message with copytruncate and rotate 0 (#443)
add support for unsigned time_t (#438)
do not lock state file /dev/null (#433)
From https://nvd.nist.gov/vuln/detail/CVE-2022-1348
CVE-2022-1348 Detail
This vulnerability is currently awaiting analysis.
Description
A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.
comment:4 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
comment:6 by , 2 years ago
| Status: | reopened → new |
|---|
comment:7 by , 2 years ago
| Status: | new → assigned |
|---|
comment:8 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
SA at www repository commit 46b2ed2.
logrotate-3.20.1