oss-sec mailing list archives

Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file

From: Kamil Dudka <kdudka () redhat com>
Date: Wed, 25 May 2022 15:37:24 +0200

On Wednesday, May 25, 2022 3:19:31 PM CEST Marc Deslauriers wrote:

On 2022-05-18 09:54, Kamil Dudka wrote:

The current version of the patch to fix CVE-2022-1348 in logrotate is
attached.  We are going to apply the patch upstream on May 25th, when
the embargo is lifted.


FWIW, I don't think the patch actually works when logrotate is built with
ACL support...

Marc.


You are right.  Although the patch mitigates the security issue, it is not 
perfect.  I had already opened an upstream pull request to improve it:

    https://github.com/logrotate/logrotate/pull/446

I might create a bug fix release soon with the patch included.

Sorry for the troubles!

Kamil

Current thread:

Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file Kamil Dudka (May 25)
- Re: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file Marc Deslauriers (May 25)
  - Re: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file Kamil Dudka (May 25)