oss-sec mailing list archives
Re: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Wed, 25 May 2022 10:07:34 -0400
On 2022-05-25 09:37, Kamil Dudka wrote:
On Wednesday, May 25, 2022 3:19:31 PM CEST Marc Deslauriers wrote:On 2022-05-18 09:54, Kamil Dudka wrote:The current version of the patch to fix CVE-2022-1348 in logrotate is attached. We are going to apply the patch upstream on May 25th, when the embargo is lifted.FWIW, I don't think the patch actually works when logrotate is built with ACL support... Marc.You are right. Although the patch mitigates the security issue, it is not perfect. I had already opened an upstream pull request to improve it: https://github.com/logrotate/logrotate/pull/446 I might create a bug fix release soon with the patch included. Sorry for the troubles! Kamil
Oh! I had not seen that pull request. Thanks, that should solve the issue! Marc.
Current thread:
- Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file Kamil Dudka (May 25)
- Re: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file Marc Deslauriers (May 25)