Bug 1192449

Summary: VUL-0: logrotate: Core-dump handing with SUID binaries
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: Andreas.Stieger, david.anes, gabriele.sonnu, ismael.luceno, joao.silva, meissner, mhocko, pmonrealgonzalez, tiwai
Version: unspecifiedFlags: joao.silva: needinfo?
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/314425/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1191281, 1201712    
Bug Blocks:    
Attachments: PR#427 backport to 3.13.0
PR#427 backport to 3.13.0 (test cases)
PR#427 backport to 3.7.7

Description Marcus Meissner 2021-11-08 11:02:14 UTC 
related to https://bugzilla.suse.com/show_bug.cgi?id=1191281 / CVE-2021-3864

background is that logrotate processes logrotate snippets even if there is binary junk.

a common exploit vector is to have logrotate snippets in "core" files, which logrotate then picks and executes as root.

The logrotate folks have received this pull request (but not yet accepted it)

https://github.com/logrotate/logrotate/pull/427
Comment 1 Pedro Monreal Gonzalez 2021-11-08 17:02:55 UTC 
I can reproduce it. Hopefully, the pull request can finally be accepted and tested. I'll keep an eye upstream.
Comment 3 David Anes 2021-12-21 07:35:11 UTC 
The mentioned pull request has been merged. I'll take a look and see if I can backport the changes.
Comment 7 David Anes 2021-12-22 07:55:11 UTC 
Upstream got a follow up pull request with more test files:
https://github.com/logrotate/logrotate/pull/431
Comment 21 Swamp Workflow Management 2022-07-14 13:23:12 UTC 
SUSE-SU-2022:2396-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1192449,1199652,1200278,1200802
CVE References: CVE-2022-1348
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    logrotate-3.18.1-150400.3.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    logrotate-3.18.1-150400.3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2022-07-14 18:53:16 UTC 
SUSE-SU-2022:2398-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1192449,1200278,1200802
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    logrotate-3.11.0-2.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Ismael Luceno 2022-07-22 13:49:11 UTC 
test:531: if [ $SELINUX_TESTS = 1 ]; then

This needs quotes.
Comment 28 Swamp Workflow Management 2022-07-25 22:16:45 UTC 
SUSE-SU-2022:2547-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1192449,1200278,1200802
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    logrotate-3.13.0-150000.4.7.1
SUSE Manager Server 4.1 (src):    logrotate-3.13.0-150000.4.7.1
SUSE Manager Retail Branch Server 4.1 (src):    logrotate-3.13.0-150000.4.7.1
SUSE Manager Proxy 4.1 (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise Server for SAP 15 (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise Server 15-LTSS (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise Micro 5.2 (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise Micro 5.1 (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    logrotate-3.13.0-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    logrotate-3.13.0-150000.4.7.1
SUSE Enterprise Storage 7 (src):    logrotate-3.13.0-150000.4.7.1
SUSE Enterprise Storage 6 (src):    logrotate-3.13.0-150000.4.7.1
SUSE CaaS Platform 4.0 (src):    logrotate-3.13.0-150000.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2022-09-01 15:36:28 UTC 
SUSE-SU-2022:2547-2: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1192449,1200278,1200802
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    logrotate-3.13.0-150000.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.