Bug 1199652 - (CVE-2022-1348) VUL-0: CVE-2022-1348: logrotate: insecure permissions for state file creation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/332243/
CVSSv3.1:SUSE:CVE-2022-1348:5.1:(AV:L...
Reported: 2022-05-18 07:26 UTC by Thomas Leroy
Modified: 2022-09-16 13:09 UTC



Description Thomas Leroy 2022-05-18 07:26:09 UTC
From linux-distros:

Hi,

I would like to let you know about a vulnerability in logrotate, more 
information below.

A vulnerability was found in logrotate in versions 3.17.0 and newer in 
the way the state file is created. The state file is used to prevent 
parallel executions of multiple instances of logrotate by acquiring and 
releasing a file lock. When the state file does not exist, it is created 
with a default permission mode of 0644, and with an umask of 0022 
results in a world-readable file allowing an unprivileged user to lock 
the state file, stopping any rotation.

References:
https://github.com/logrotate/logrotate/blame/master/logrotate.c#L3015-L3017
https://github.com/logrotate/logrotate/commit/f46d0bdfc9c53515c13880c501f4d2e1e7dd8b25

The CVE-2022-1348 has been assigned for this issue. At the moment this 
is being handled as embargoed and the proposed public date is May 25th.

I'm adding the logrotate upstream maintainer (kdudka@redhat.com) in the 
CC list to provide the patch for this issue.

Thanks and have a nice day,
Guilherme Suckevicz.
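The mechanism the report describes, as an added example (this is not logrotate's code and not part of the bug): a small C program that creates a state file under umask 022, first with mode 0644 and then with an owner-only mode, and shows that a process which opened the file read-only can take the exclusive lock, after which the owner's own locking attempt is refused. The scratch directory, the file name logrotate.status, the 0600 hardened mode and the use of flock() as the lock primitive are assumptions of this example, not details taken from the upstream fix.

```c
/*
 * Added example, not logrotate's own code: a world-readable state file lets
 * any local user take the lock that serialises logrotate runs.  Creating the
 * file with an owner-only mode (0600 here, an assumption; the upstream fix
 * may use a different mode) removes the read access the attacker needs.
 * The lock primitive is flock(), assumed to stand in for the "file lock"
 * mentioned in the report.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

struct demo_result {
    int mode_default;            /* permission bits after creating with 0644 */
    int attacker_got_lock;       /* 1 if a read-only opener took LOCK_EX */
    int owner_got_lock;          /* 0 if the owner's LOCK_EX was then refused */
    int mode_hardened;           /* permission bits after creating with 0600 */
    int hardened_world_readable; /* 0 if "other" lost read access */
};

/* Create (or truncate) the state file with the requested mode, the way the
 * state-file creation path does; returns the permission bits the file ended
 * up with after the umask was applied, or -1 on error. */
static int create_state_file(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0 || fstat(fd, &st) < 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 07777);
}

/* Open the file with `flags` and try a non-blocking exclusive flock().
 * flock() does not care whether the descriptor is read-only, so read access
 * alone is enough.  Returns 1 (locked; fd stored in *fd_out), 0 (lock held
 * elsewhere) or -1 (cannot open, or another error). */
static int try_lock(const char *path, int flags, int *fd_out)
{
    int fd = open(path, flags);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) == 0) {
        *fd_out = fd;
        return 1;
    }
    int saved = errno;
    close(fd);
    return (saved == EWOULDBLOCK) ? 0 : -1;
}

/* Runs the whole scenario in a private scratch directory; returns 0 on
 * success and fills *r with what was observed. */
int run_demo(struct demo_result *r)
{
    char dir[] = "/tmp/lrstateXXXXXX";   /* constructed scratch location */
    char path[128];
    int attacker_fd = -1, owner_fd = -1, rc = -1;

    memset(r, 0, sizeof *r);
    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/logrotate.status", dir);
    umask(022);                            /* the umask the report assumes */

    /* 1. Vulnerable creation: mode 0644 survives umask 022 unchanged. */
    r->mode_default = create_state_file(path, 0644);
    if (r->mode_default < 0)
        goto out;

    /* 2. "Attacker": read access alone is enough to grab the lock ... */
    r->attacker_got_lock = try_lock(path, O_RDONLY, &attacker_fd);
    /* 3. ... and the owner's own locking attempt is then refused. */
    r->owner_got_lock = try_lock(path, O_RDWR, &owner_fd);
    if (attacker_fd >= 0) {
        flock(attacker_fd, LOCK_UN);
        close(attacker_fd);
    }
    if (owner_fd >= 0)
        close(owner_fd);

    /* 4. Hardened creation: owner-only mode, so "other" cannot open it. */
    unlink(path);
    r->mode_hardened = create_state_file(path, 0600);
    if (r->mode_hardened < 0)
        goto out;
    r->hardened_world_readable = (r->mode_hardened & S_IROTH) ? 1 : 0;
    rc = 0;
out:
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) {
        perror("run_demo");
        return 1;
    }
    printf("default mode 0%o: attacker lock %d, owner lock %d\n",
           (unsigned)r.mode_default, r.attacker_got_lock, r.owner_got_lock);
    printf("hardened mode 0%o: world-readable %d\n",
           (unsigned)r.mode_hardened, r.hardened_world_readable);
    return 0;
}
```

Build with `cc -o statelock statelock.c` and run it as any user. Both roles run in one process on purpose: flock() locks belong to the open file description, so a second open() of the same path conflicts even inside one process, which is all the demonstration needs. The owner-only file closes the hole because a user with no read permission cannot open() the file at all, and without a descriptor there is nothing to flock().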
Comment 3 Thomas Leroy 2022-05-18 08:52:51 UTC
Based on the code, we should have the following codestreams affected:
- SUSE:SLE-15-SP4:Update
- openSUSE:Factory (to submit once the embargo is lifted)

We don't have a patch yet; I will let you know once we have it.
Comment 7 David Anes 2022-05-25 14:13:38 UTC
Already disclosed by upstream.


Codestream             Vers.  Request
----------------------------------------------------------------------
openSUSE:Factory       3.20.0 https://build.opensuse.org/request/show/979223
Comment 8 Thomas Leroy 2022-05-25 14:20:50 UTC
Thanks David! This PR [0] would also be required for a complete fix...

[0] https://github.com/logrotate/logrotate/pull/446
Comment 9 David Anes 2022-05-25 15:20:35 UTC
(In reply to Thomas Leroy from comment #8)
> Thanks David! This PR [0] would also be required for a complete fix... 
> 
> [1] https://github.com/logrotate/logrotate/pull/446

Uhm... done, but... although I prepared and backported that PR to older codestreams we should wait until it's merged, right? Or do I send it now? It is also needed on Factory (for now), isn't it?
Comment 10 David Anes 2022-05-25 15:23:03 UTC
Ok, merged 2 minutes ago... let me send the SR everywhere :)
Comment 15 Swamp Workflow Management 2022-07-14 13:23:16 UTC
SUSE-SU-2022:2396-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1192449,1199652,1200278,1200802
CVE References: CVE-2022-1348
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    logrotate-3.18.1-150400.3.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    logrotate-3.18.1-150400.3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Carlos López 2022-09-16 13:09:50 UTC
Done, closing.