Bug 2062

Summary: Official update request: logrotate, fixing CVE-2011-1154, CVE-2011-1098, CVE-2011-1155
Product: Mageia
Reporter: Ahmad Samir <ahmadsamir3891>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, lists.jjorge, misc, stormi-mageia
Version: 1
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: logrotate-3.7.9-3.mga1
CVE:
Status comment:

Description Ahmad Samir 2011-07-07 08:43:51 CEST
This is a copy/paste from https://rhn.redhat.com/errata/RHSA-2011-0407.html

Also, I don't have test cases.

Fixed package(s) is logrotate-3.7.9-3.1.mga1 from the core/updates_testing repository.

Proposed Advisory text:
=========================================
Some security issues were found in the logrotate package:

A shell command injection flaw was found in the way logrotate handled the
shred directive. A specially-crafted log file could cause logrotate to
execute arbitrary commands with the privileges of the user running
logrotate (root, by default). (CVE-2011-1154)

A race condition flaw was found in the way logrotate applied permissions
when creating new log files. In some specific configurations, a local
attacker could use this flaw to open new log files before logrotate applies
the final permissions, possibly leading to the disclosure of sensitive
information. (CVE-2011-1098)

An input sanitization flaw was found in logrotate. A log file with a
specially-crafted file name could cause logrotate to abort when attempting
to process that file a subsequent time. (CVE-2011-1155)

This update fixes all those issues.
======================================
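The shred-directive flaw (CVE-2011-1154) is the familiar pattern of splicing a file name into a command line that a shell then parses. The following C is an added illustration, not logrotate's code and not part of this bug report: it puts that pattern next to the fix pattern of exec'ing the tool directly with an argv array, so the name is always a single argument. The function names, the `shred -u` invocation and the `sh -c 'exit $#'` self-check are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (constructed illustration of the CVE-2011-1154 bug
 * class, not logrotate's own code): the name is spliced into a command line
 * and handed to /bin/sh, which honours any metacharacters it contains. */
int shred_via_shell(const char *logname)
{
    char cmd[4096];
    int n = snprintf(cmd, sizeof cmd, "shred -u %s", logname);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    return system(cmd);
}

/* Hardened pattern: fork and exec the tool with an argv array; no shell sees
 * the name. Returns the child's exit status, 127 if the program could not
 * be executed, or -1 on fork/wait failure. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int shred_without_shell(const char *logname)
{
    char *argv[] = { "shred", "-u", "--", (char *)logname, NULL };
    return run_argv(argv);
}

/* Self-check: ask a child shell how many positional parameters it received.
 * Through run_argv the answer is always 1, even for a name containing ';' or
 * spaces, because sh only counts arguments here and never parses the name. */
int argument_count_seen(const char *name)
{
    char *argv[] = { "sh", "-c", "exit $#", "sh", (char *)name, NULL };
    return run_argv(argv);
}
```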
Ahmad Samir 2011-07-07 08:44:04 CEST

Assignee: bugsquad => qa-bugs

Comment 1 Dave Hodgins 2011-07-08 22:56:35 CEST
Installed on my i586 system, and it ran ok with cron.daily this morning.

I'll wait till Sunday to confirm it will actually rotate the log.
Hopefully someone with an x86-64 system will have it installed
for testing on Sunday.

Package: logrotate
srpm: logrotate-3.7.9-3.1.mga1.src.rpm

It's currently in Core Updates Testing.

CC: (none) => davidwhodgins

Comment 2 Dave Hodgins 2011-07-11 22:16:15 CEST
Testing complete on i586.  The logs were rotated as expected.
Anyone testing on x86-64?

Comment 3 Samuel Verschelde 2011-07-19 11:02:00 CEST
This update still needs testing on x86_64

CC: (none) => stormi

Comment 4 José Jorge 2011-07-19 11:59:16 CEST
You are right, I forgot to report: installed on x86_64 for one week, all seems OK.

CC: (none) => lists.jjorge

Comment 5 Michael Scherer 2011-07-19 23:32:13 CEST
Sent to updates

Status: NEW => RESOLVED
CC: (none) => misc
Resolution: (none) => FIXED