Your message dated Thu, 26 May 2022 08:53:47 +0200
with message-id <[email protected]>
and subject line Re: Accepted logrotate 3.20.1-1 (source) into unstable
has caused the Debian Bug report #1011644,
regarding logrotate: CVE-2022-1348: potential DoS from unprivileged users via
the state file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1011644: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011644
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: logrotate
Version: 3.17.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3.18.0-2
Control: found -1 3.19.0-2
Hi,
The following vulnerability was published for logrotate.
CVE-2022-1348[0]:
| A vulnerability was found in logrotate in how the state file is
| created. The state file is used to prevent parallel executions of
| multiple instances of logrotate by acquiring and releasing a file
| lock. When the state file does not exist, it is created with world-
| readable permission, allowing an unprivileged user to lock the state
| file, stopping any rotation. This flaw affects logrotate versions
| before 3.20.0.
Note that the issue is present as well in Debian even though we have
the state file from almost the beginning in /var/lib/logrotate/state,
as the /var/lib/logrotate directory has 0755 permissions allowing a
user to acquire the lock.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-1348
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1348
[1] https://www.openwall.com/lists/oss-security/2022/05/25/3
[2] https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9 (3.20.0)
[3] https://github.com/logrotate/logrotate/commit/addbd293242b0b78aa54f054e6c1d249451f137d (3.20.1)
Regards,
Salvatore
--- End Message ---
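An added illustration of the mechanism described in the report above (this is not code from the bug report, from Debian, or from logrotate itself): the description hinges on the fact that a BSD-style flock() does not need write access, so a world-readable state file is enough for any local user who can traverse the parent directory to take and hold the exclusive lock that prevents parallel rotation. The Python below runs on constructed temporary files only. It audits the mode bits that make a state file reachable and lockable by non-owners, then shows that a read-only descriptor can take the lock and that a second opener standing in for logrotate is refused. The assumption that the lock is a flock(), the 0600 mode used as the hardened case (the page does not state which mode the upstream commits use), the function names and the constructed file contents are mine; the path /var/lib/logrotate/state is the one named in the report.

```python
"""Added example for CVE-2022-1348: why a world-readable state file lets an
unprivileged user block rotation, plus a check for the exposing mode bits.

Assumptions (not taken from the bug report): the lock is a BSD flock(), and
the state-file contents written here are a constructed stand-in.
"""
import errno
import fcntl
import os
import stat
import tempfile

# Path named in the Debian report; only used if you call audit_state_file().
DEBIAN_STATE_FILE = "/var/lib/logrotate/state"


def readable_by_others(mode: int) -> bool:
    """True if group or other users may open the file for reading.

    flock() works on a read-only descriptor, so read access is all a local
    user needs to take (and keep holding) the exclusive lock.
    """
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_state_file(path: str = DEBIAN_STATE_FILE) -> dict:
    """Report the mode of a real state file and of its parent directory.

    A non-owner needs both: search (x) on the directory to reach the file
    and read on the file itself to open it.
    """
    st = os.stat(path)
    parent = os.stat(os.path.dirname(path))
    return {
        "file_mode": stat.S_IMODE(st.st_mode),
        "dir_mode": stat.S_IMODE(parent.st_mode),
        "lockable_by_others": readable_by_others(st.st_mode)
        and bool(parent.st_mode & stat.S_IXOTH),
    }


def try_exclusive_lock(fd: int) -> bool:
    """Non-blocking LOCK_EX; False if another descriptor already holds it."""
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return True
    except OSError as exc:
        if exc.errno in (errno.EWOULDBLOCK, errno.EAGAIN):
            return False
        raise


def demo(mode: int) -> dict:
    """Create a constructed state file with the given mode, take the lock
    through a read-only descriptor (all a non-owner could get on a 0644
    file), then check whether a second opener standing in for logrotate can
    still lock it.  Both opens run as the current user, so the mode check is
    what separates the weak (0644) and hardened (0600) cases; the flock part
    is identical for both and shows that read access suffices.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "state")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, mode)
        os.write(fd, b"logrotate state -- version 2\n")  # constructed content
        os.close(fd)
        os.chmod(path, mode)  # the O_CREAT mode is umask-filtered; force it

        reader = os.open(path, os.O_RDONLY)
        reader_holds_lock = try_exclusive_lock(reader)

        # A second open() is a separate open file description, so its flock()
        # conflicts with the reader's even inside one process.
        rotator = os.open(path, os.O_RDWR)
        rotator_got_lock = try_exclusive_lock(rotator)

        os.close(rotator)
        os.close(reader)  # releases the lock
        return {
            "mode": mode,
            "exposed": readable_by_others(mode),
            "readonly_lock_taken": reader_holds_lock,
            "rotation_blocked": not rotator_got_lock,
        }


if __name__ == "__main__":
    for m in (0o644, 0o600):
        print(demo(m))
    if os.path.exists(DEBIAN_STATE_FILE):
        print(audit_state_file())
```

On a host you administer, audit_state_file() on the real path tells you whether the file and directory modes still allow a non-owner to reach and read the state file; demo() needs no privileges and only exercises temporary files.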
--- Begin Message ---
Source: logrotate
Source-Version: 3.20.1-1
On Wed, May 25, 2022 at 11:19:52PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Thu, 26 May 2022 00:15:57 +0200
> Source: logrotate
> Architecture: source
> Version: 3.20.1-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Christian Göttsche <[email protected]>
> Changed-By: Christian Göttsche <[email protected]>
> Changes:
> logrotate (3.20.1-1) unstable; urgency=medium
> .
> [ Jeremy Bicha ]
> * Use group adm on Ubuntu for rotating logs
> * debian/ubuntu-logrotate.conf: Update comment to /var/log/
> .
> [ Christian Göttsche ]
> * New upstream version 3.20.1
> - fix potential DoS from unprivileged users via the state file
> (CVE-2022-1348)
> * d/patches: drop upstream applied one
> * d/control: bump to std version 4.6.1 (no further changes)
> * d/control: reduce mailx from Recommends to Suggests
> Checksums-Sha1:
> aad25b8efbf90b6e728e44c8ed9044371d53c53a 2230 logrotate_3.20.1-1.dsc
> 8290537d1009b2fc00a3dec81f6107f81e152f86 166712 logrotate_3.20.1.orig.tar.xz
> 972f4dd5f8e54108b378b4225601811b88a3903d 833 logrotate_3.20.1.orig.tar.xz.asc
> dd7ee7961372f38ea0b9b7100fc5a1e9d20089be 19540 logrotate_3.20.1-1.debian.tar.xz
> 615879a1f9140d9c895cc2a399c039aefaf79b46 5831 logrotate_3.20.1-1_source.buildinfo
> Checksums-Sha256:
> cc2d09c2f535ca1feb483c533d7aee59eb33a1b13def8190724f72818116147e 2230 logrotate_3.20.1-1.dsc
> 742f6d6e18eceffa49a4bacd933686d3e42931cfccfb694d7f6369b704e5d094 166712 logrotate_3.20.1.orig.tar.xz
> c63c03c2db626209a1be2653d34ecd1eb6b3aee8da6dc17ab60ae32ef64bc8f2 833 logrotate_3.20.1.orig.tar.xz.asc
> 3e311c3dd1305f85040cfd58b90391ff985071d9b4835ad3badc5f865493dcd2 19540 logrotate_3.20.1-1.debian.tar.xz
> e092e80dbfd74fa4d140607e2e53218afaead40965b4b3cf90f4b4b23ee2a8fd 5831 logrotate_3.20.1-1_source.buildinfo
> Files:
> a38bcb8c79c375f6b79ddcd54618bad6 2230 admin important logrotate_3.20.1-1.dsc
> 24704642e1e6c7889edbe2b639636caf 166712 admin important logrotate_3.20.1.orig.tar.xz
> 901e32c72704d5f6a7b3fc6e3eadbe48 833 admin important logrotate_3.20.1.orig.tar.xz.asc
> a4ab4b37eee318fb18047c31fc66effa 19540 admin important logrotate_3.20.1-1.debian.tar.xz
> ebe8020e901981517491a6e9ffc5c3c4 5831 admin important logrotate_3.20.1-1_source.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEkjZVexcMh/iCHArDweDZLphvfH4FAmKOtgkACgkQweDZLphv
> fH6GEA//e/NPO6L5yfYbpMZ0SUel05xfVJ80Yvrb9kKdcZdoreViyIPjBDKRLB6d
> EA6r5m6anu16qWVsAEtFsjyqQ485h7dQD3XcKSrtMwmx5txzPz9AjORAkPVn7KmR
> pAGeRCBkIvTtUnXXMmaQ2eyvibdtNnXUkyoMPX6S8BTL47zaKK8FHj+b4VZxArax
> qdXmF8E4+Mw+WPyMhOGArh+FCQmdcmYAJ2gOAcc1f2rDR9vE9jTl2QchRqfVWkTw
> 8Cvq8Zsdh4hskua3Lzs0UhHTo8Rqa5c2elsJ4D4IPgvzNv1sN6kjfk+Iq25lw+FX
> g7lrhmCkLI0ec9LtY3CQitklmlSRiZKjfVJE1Qtk6nHQ9VXPHqjm4DvJdSohrzAo
> QKFEp4/oWS3oj3dGVEycGO86rGCq37+qfL5qlTa7W5+IUVSV+5Ri6dhvWrGwG6Gd
> uW7V8XdlKf3xEiDky35sgI70p/zTum0lzAxJrSqa0AfFFBlVATEdmZQReN5LvwR0
> q/dHQI+fveuxN+xJqEdkSjT3S/bNUjb6tydhh5lRw8hiYl+tOH3SOgRB0m6E0uyK
> P5NGYd+be4LCSiu/6wtfh5EOIgKjEKRX86PMqLFXW8DzF/KwLhmCbbQJBmmDAR1m
> +bZ4ydLkvpe84MsgYzyJ5kVjVYsBcONHhY4QbF9Xy3ETSvkHJkg=
> =qcoO
> -----END PGP SIGNATURE-----
>
Fixed with the new upstream version upload.
Regards,
Salvatore
--- End Message ---