Package: logwatch
Version: 7.3.6.cvs20090906-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty ubuntu-patch

In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: privileged code execution via badly named logfiles
    - scripts/logwatch.pl: encapsulate logfiles in 's and ensure logfile
      names don't contain '.
    - http://logwatch.svn.sourceforge.net/viewvc/logwatch?view=revision&revision=26
    - CVE-2011-1018

We thought you might be interested in doing the same.


-- System Information:
Debian Release: squeeze/sid
  APT prefers maverick-updates
  APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick-proposed'), (500, 'maverick')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-27-server (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -u logwatch-7.3.6.cvs20090906/scripts/logwatch.pl logwatch-7.3.6.cvs20090906/scripts/logwatch.pl
--- logwatch-7.3.6.cvs20090906/scripts/logwatch.pl
+++ logwatch-7.3.6.cvs20090906/scripts/logwatch.pl
@@ -738,6 +738,10 @@
    my $DestFile =  $TempDir . $LogFile . "-archive";
    my $Archive;
    foreach $Archive (@{$LogFileData{$LogFile}{'archives'}}) {
+      if ($Archive =~ /'/) {
+         print "File $Archive has invalid embedded quotes.  File ignored.\n";
+	 next;
+      }
       my $CheckTime;
       # We need to find out what's the earliest log we need
       my @time_t = TimeBuild();
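Review bot: the `$Archive =~ /'/` check is the right gate for single-quote wrapping (in POSIX sh a single quote is the only character that can terminate a `'...'` string), but the identical check and message reappear in the `@FileList` loop in the third hunk; factor it into one helper so the two paths cannot drift. The diagnostic also goes to STDOUT via `print`, which lands in the generated report; `warn` or `print STDERR` fits an ignored-file condition better.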
@@ -765,15 +769,15 @@
       my @FileStat = stat($Archive);
       if ($CheckTime <= ($FileStat[9])) {
          if (($Archive =~ m/gz$/) && (-f "$Archive") && (-s "$Archive")) {
-            my $arguments = "$Archive >> $DestFile";
+            my $arguments = "'${Archive}' >> $DestFile";
             system("$Config{'pathtozcat'} $arguments") == 0
                or die "system '$Config{'pathtozcat'} $arguments' failed: $?" 
          } elsif (($Archive =~ m/bz2$/) && (-f "$Archive") && (-s "$Archive")) {
-            my $arguments = "$Archive 2>/dev/null >> $DestFile";
+            my $arguments = "'${Archive}' 2>/dev/null >> $DestFile";
             system("$Config{'pathtobzcat'} $arguments") == 0
                or die "system '$Config{'pathtobzcat'} $arguments' failed: $?" 
          } elsif ((-f "$Archive") && (-s "$Archive")) {
-            my $arguments = "$Archive  >> $DestFile";
+            my $arguments = "'${Archive}'  >> $DestFile";
             system("$Config{'pathtocat'} $arguments") == 0
                or die "system '$Config{'pathtocat'} $arguments' failed: $?" 
          } #End if/elsif existence
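Review bot: `$DestFile` is still interpolated into the shell command unquoted on each `$arguments` line, although it is built from `$TempDir . $LogFile . "-archive"` just above; quote it the same way (`'${DestFile}'`) or, better, drop the shell entirely by opening a pipe with the list form `open(my $fh, '-|', $Config{'pathtozcat'}, $Archive)` and appending to `$DestFile` from Perl, which makes the quote check unnecessary. The three branches also differ only in the command path; selecting the path first and sharing one `system` call would remove the triplicated quoting.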
@@ -785,6 +789,10 @@
    foreach my $ThisFile (@FileList) {
       #Existence check for files -mgt
       next unless (-f $ThisFile);
+      if ($ThisFile =~ /'/) {
+         print "File $ThisFile has invalid embedded quotes.  File ignored.\n";
+	 next;
+      }
       if (! -r $ThisFile) {
          print "File $ThisFile is not readable.  Check permissions.";
          if ($> != 0) {
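Review bot: rejecting only `'` is sufficient for the single-quote wrapping applied in the last hunk, but a positive pattern (for example `$ThisFile =~ m{^[\w./-]+\z}`) would also refuse newlines and other surprising characters and would make the intent clearer to the next reader than a blocklist of one character. As in the archive loop, the message is `print`ed to STDOUT rather than STDERR.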
@@ -794,7 +802,7 @@
          next;
       }
       #FIXME - We have a bug report for filenames with spaces, can be caught here needs test -mgt
-      $FileText .= ($ThisFile . " ");
+      $FileText .= ("'" . $ThisFile . "' ");
    } #End foreach ThisFile
 
    # remove the ENV entries set by previous service
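Review bot: with `$ThisFile` now wrapped in single quotes, the `#FIXME` comment about filenames with spaces directly above is stale (a quoted name containing spaces is passed to the shell intact); update or remove it in the same change so it does not keep pointing at a fixed bug. `$FileText` remains a space-joined string that is handed to a shell later, so every consumer depends on the quote check in the previous hunk having run for each element; a comment at the point where `$FileText` is executed would make that dependency visible.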

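The alternative mentioned in the review notes, as an added example that is not part of the bug report or of logwatch itself: append an archived log to the destination file without passing the filename through /bin/sh at all, so no quoting rule has to be correct. The `%Config` paths, the `append_archive` name and the demo file are assumptions for the illustration.

```perl
#!/usr/bin/perl
# Added example (not logwatch code): copy an archived log into the
# destination file by exec'ing the decompressor directly.  The list form
# of open() never involves a shell, so a name containing ' or other
# metacharacters is just an ordinary argv entry.
use strict;
use warnings;

# Hypothetical decompressor paths; logwatch takes these from its config.
my %Config = (pathtozcat  => '/bin/zcat',
              pathtobzcat => '/bin/bzcat',
              pathtocat   => '/bin/cat');

sub append_archive {
    my ($archive, $destfile) = @_;
    # Same existence and non-empty checks the original loop performs.
    return 0 unless -f $archive && -s $archive;
    my $cmd = $archive =~ /gz$/  ? $Config{pathtozcat}
            : $archive =~ /bz2$/ ? $Config{pathtobzcat}
            :                      $Config{pathtocat};
    # '-|' with a list argument execs $cmd directly; no shell is spawned.
    open(my $in, '-|', $cmd, $archive)
        or die "cannot run $cmd on $archive: $!";
    # The ">> $DestFile" redirection is done in Perl instead of the shell.
    open(my $out, '>>', $destfile)
        or die "cannot append to $destfile: $!";
    my $bytes = 0;
    while (my $line = <$in>) {
        print {$out} $line;
        $bytes += length $line;
    }
    close($out) or die "write to $destfile failed: $!";
    # close() on a pipe sets $? to the child's exit status, like system().
    close($in) or die "$cmd $archive failed: $?";
    return $bytes;
}

# Constructed demo: a log whose name contains a single quote and a space,
# which the string-form system() in the original code could not handle.
my $dir = "/tmp/lw-demo-$$";
mkdir $dir or die "mkdir $dir: $!";
my $weird = "$dir/it's a log.log";
open(my $fh, '>', $weird) or die "$weird: $!";
print {$fh} "Feb 24 00:00:00 host sshd[1]: constructed test line\n";
close $fh;
printf "copied %d bytes\n", append_archive($weird, "$dir/archive");
```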