Re: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file

[Marc Deslauriers <marc.deslauriers () canonical com>]

On 2022-05-25 09:37, Kamil Dudka wrote:
> On Wednesday, May 25, 2022 3:19:31 PM CEST Marc Deslauriers wrote:
> > On 2022-05-18 09:54, Kamil Dudka wrote:
> > > The current version of the patch to fix CVE-2022-1348 in logrotate is
> > > attached.  We are going to apply the patch upstream on May 25th, when
> > > the embargo is lifted.
> >
> > FWIW, I don't think the patch actually works when logrotate is built with
> > ACL support...
> >
> > Marc.
>
> You are right.  Although the patch mitigates the security issue, it is not 
> perfect.  I had already opened an upstream pull request to improve it:
>
>     https://github.com/logrotate/logrotate/pull/446
>
> I might create a bug fix release soon with the patch included.
>
> Sorry for the troubles!
>
> Kamil

Oh! I had not seen that pull request. Thanks, that should solve the issue!

Marc.