Bug 1199652 - (CVE-2022-1348) VUL-0: CVE-2022-1348: logrotate: insecure permissions for state file creation
VUL-0: CVE-2022-1348: logrotate: insecure permissions for state file creation
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2022-05-18 07:26 UTC by Thomas Leroy
Modified: 2022-09-16 13:09 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2022-05-18 07:26:09 UTC
From linux-distros:


I would like to let you know about a vulnerability in logrotate, more 
information below.

A vulnerability was found in logrotate in versions 3.17.0 and newer in 
the way the state file is created. The state file is used to prevent 
parallel executions of multiple instances of logrotate by acquiring and 
releasing a file lock. When the state file does not exist, it is created 
with a default permission mode of 0644, and with an umask of 0022 
results in a world-readable file allowing an unprivileged user to lock 
the state file, stopping any rotation.


The CVE-2022-1348 has been assigned for this issue. At the moment this 
is being handled as embargoed and the proposed public date is May 25th.

I'm adding the logrotate upstream maintainer (kdudka@redhat.com) in the 
CC list to provide the patch for this issue.

Thanks and have a nice day,
Guilherme Suckevicz.
Comment 3 Thomas Leroy 2022-05-18 08:52:51 UTC
Based on the code, we should have the following codestreams affected:
- SUSE:SLE-15-SP4:Update
- openSUSE:Factory (to submit once the embargoed is lift)

We don't have a patch yet, I will let you know once we have it
Comment 7 David Anes 2022-05-25 14:13:38 UTC
Already disclosed by upstream.

Codestream             Vers.  Request
openSUSE:Factory       3.20.0 https://build.opensuse.org/request/show/979223
Comment 8 Thomas Leroy 2022-05-25 14:20:50 UTC
Thanks David! This PR [0] would also be required for a complete fix... 

[1] https://github.com/logrotate/logrotate/pull/446
Comment 9 David Anes 2022-05-25 15:20:35 UTC
(In reply to Thomas Leroy from comment #8)
> Thanks David! This PR [0] would also be required for a complete fix... 
> [1] https://github.com/logrotate/logrotate/pull/446

Uhm... done, but... although I prepared and backported that PR to older codestreams we should wait until it's merged, right? Or do I send it now? It is also needed on Factory (for now), isn't it?
Comment 10 David Anes 2022-05-25 15:23:03 UTC
Ok, merged 2 minutes ago... let me send the SR everywhere :)
Comment 15 Swamp Workflow Management 2022-07-14 13:23:16 UTC
SUSE-SU-2022:2396-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1192449,1199652,1200278,1200802
CVE References: CVE-2022-1348
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    logrotate-3.18.1-150400.3.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    logrotate-3.18.1-150400.3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Carlos López 2022-09-16 13:09:50 UTC
Done, closing.