List: oss-security
Subject: Re: [oss-security] Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state
From: Kamil Dudka <kdudka () redhat ! com>
Date: 2022-05-25 15:41:03
Message-ID: 4449206.LvFx2qVVIh () nbkamil
On Wednesday, May 25, 2022 4:07:34 PM CEST Marc Deslauriers wrote:
> On 2022-05-25 09:37, Kamil Dudka wrote:
> > On Wednesday, May 25, 2022 3:19:31 PM CEST Marc Deslauriers wrote:
> >> On 2022-05-18 09:54, Kamil Dudka wrote:
> >>> The current version of the patch to fix CVE-2022-1348 in logrotate is
> >>> attached. We are going to apply the patch upstream on May 25th, when
> >>> the embargo is lifted.
> >>
> >> FWIW, I don't think the patch actually works when logrotate is built with
> >> ACL support...
> >>
> >> Marc.
> >
> > You are right. Although the patch mitigates the security issue, it is not
> > perfect. I had already opened an upstream pull request to improve it:
> > https://github.com/logrotate/logrotate/pull/446
> >
> > I might create a bug fix release soon with the patch included.
> >
> > Sorry for the trouble!
> >
> > Kamil
>
> Oh! I had not seen that pull request. Thanks, that should solve the issue!
>
> Marc.
Thanks for the confirmation! I have merged the pull request and released 3.20.1:
https://github.com/logrotate/logrotate/releases/tag/3.20.1
The following two commits should be cherry-picked for older releases
of logrotate (from 3.17.0 to 3.19.0):
https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9
https://github.com/logrotate/logrotate/commit/addbd293242b0b78aa54f054e6c1d249451f137d
Kamil