oss-sec mailing list archives
Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file
From: Kamil Dudka <kdudka () redhat com>
Date: Wed, 25 May 2022 15:37:24 +0200
On Wednesday, May 25, 2022 3:19:31 PM CEST Marc Deslauriers wrote:
On 2022-05-18 09:54, Kamil Dudka wrote:The current version of the patch to fix CVE-2022-1348 in logrotate is attached. We are going to apply the patch upstream on May 25th, when the embargo is lifted.FWIW, I don't think the patch actually works when logrotate is built with ACL support... Marc.
You are right. Although the patch mitigates the security issue, it is not perfect. I had already opened an upstream pull request to improve it: https://github.com/logrotate/logrotate/pull/446 I might create a bug fix release soon with the patch included. Sorry for the troubles! Kamil
Current thread:
- Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file Kamil Dudka (May 25)
- Re: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file Marc Deslauriers (May 25)