| Summary: | logrotate new security issue CVE-2022-1348 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | bequimao.de, davidwhodgins, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | logrotate-3.17.0-3.mga8.src.rpm | CVE: | CVE-2022-1348 |
| Status comment: | |||
|
Description
David Walser
2022-05-25 17:32:40 CEST
Indeed 3.20.1 is now released, fixing this. Cauldron should be updated. Commits to apply to Mageia 8 are linked in the message below: https://www.openwall.com/lists/oss-security/2022/05/25/5 Status comment:
(none) =>
Fixed upstream in 3.20.1
David Walser
2022-05-26 17:39:14 CEST
Whiteboard:
(none) =>
MGA8TOO Ubuntu has issued an advisory for this today (May 26): https://ubuntu.com/security/notices/USN-5447-1 Severity:
normal =>
major 'logrotate' has been committed by various people, so assigning this update globally. Assignee:
bugsquad =>
pkg-bugs Suggested advisory: ======================== The updated package fixes a security vulnerability: A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0. (CVE-2022-1348) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1348 https://www.openwall.com/lists/oss-security/2022/05/25/3 https://www.openwall.com/lists/oss-security/2022/05/25/5 https://ubuntu.com/security/notices/USN-5447-1 ======================== Updated packages in core/updates_testing: ======================== logrotate-3.17.0-3.1.mga8 from SRPM: logrotate-3.17.0-3.1.mga8.src.rpm Whiteboard:
MGA8TOO =>
(none) Fedora has issued an advisory for this on May 28: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZYEB4F37BY6GLEJKP2EPVAVQ6TA3HQKR/ # dnf list logrotate Last metadata expiration check: 0:09:43 ago on Thu 02 Jun 2022 03:43:56 PM -03. Installed Packages logrotate.x86_64 3.17.0-3.1.mga8 @updates_testing-x86_64 Invoked # logrotate -l=logr.log //etc/logrotate.conf No errors reported. Ulrich Beckmann CC:
(none) =>
bequimao.de (In reply to Nicolas Salguero from comment #4) > Suggested advisory: > ======================== > > The updated package fixes a security vulnerability: > > A vulnerability was found in logrotate in how the state file is created. The > state file is used to prevent parallel executions of multiple instances of > logrotate by acquiring and releasing a file lock. When the state file does > not exist, it is created with world-readable permission, allowing an > unprivileged user to lock the state file, stopping any rotation. This flaw > affects logrotate versions before 3.20.0. (CVE-2022-1348) > > References: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1348 > https://www.openwall.com/lists/oss-security/2022/05/25/3 > https://www.openwall.com/lists/oss-security/2022/05/25/5 > https://ubuntu.com/security/notices/USN-5447-1 > ======================== > > Updated packages in core/updates_testing: > ======================== > logrotate-3.17.0-3.1.mga8 > > from SRPM: > logrotate-3.17.0-3.1.mga8.src.rpm Version no. 3.17. still contains the flaw. Why is the upgrade needed? Ulrich The fix is backported as a patches. https://svnweb.mageia.org/packages/updates/8/logrotate/current/SOURCES/CVE-2022-1348-1.patch?revision=1860848&view=markup https://svnweb.mageia.org/packages/updates/8/logrotate/current/SOURCES/CVE-2022-1348-2.patch?revision=1860848&view=markup The change in permission isn't applied until it's run for the first time after installing the update. [root@x8v ~]# ll /var/lib/logrotate.status -rw-r--r-- 1 root root 718 May 19 17:45 /var/lib/logrotate.status [root@x8v ~]# urpmi logrotate installing logrotate-3.17.0-3.1.mga8.x86_64.rpm from //root/qa-testing/x86_64 Preparing... ####################################################################################################################################################################################################### 1/1: logrotate ####################################################################################################################################################################################################### 1/1: removing logrotate-3.17.0-3.mga8.x86_64 ####################################################################################################################################################################################################### [root@x8v ~]# ll /var/lib/logrotate.status -rw-r--r-- 1 root root 718 May 19 17:45 /var/lib/logrotate.status [root@x8v ~]# /etc/cron.daily/logrotate [root@x8v ~]# ll /var/lib/logrotate.status -rw-r----- 1 root root 714 Jun 2 16:07 /var/lib/logrotate.status CC:
(none) =>
davidwhodgins
Dave Hodgins
2022-06-02 22:12:52 CEST
Keywords:
(none) =>
validated_update
Dave Hodgins
2022-06-02 22:33:06 CEST
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0217.html Status:
ASSIGNED =>
RESOLVED |