Bug 30638

Summary: logrotate new security issue bsc#1192449
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: logrotate-3.17.0-3.1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2022-07-15 19:35:30 CEST
SUSE has issued an advisory on July 14:
https://lists.suse.com/pipermail/sle-security-updates/2022-July/011550.html

The issue was fixed upstream in 3.19.0:
https://github.com/logrotate/logrotate/releases/tag/3.19.0

It's this one:
"enforce stricter parsing of configuration files (#427, #431)"

David Walser 2022-07-15 19:36:01 CEST

Status comment: (none) => Fixed upstream in 3.19.0

Comment 1 Lewis Smith 2022-07-15 20:38:34 CEST
We have both version 3.19.0 & version 3.20.1 already in Cauldron, but note this bug is for Mageia 8.
All sorts of packagers have committed this, but assigning it to NicolasS because you did the most recent version update to fix a CVE.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2022-07-18 11:04:30 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Improved coredump handling for SUID binaries. (bsc#1192449)

References:
https://lists.suse.com/pipermail/sle-security-updates/2022-July/011550.html
https://github.com/logrotate/logrotate/releases/tag/3.19.0
========================

Updated package in core/updates_testing:
========================
logrotate-3.17.0-3.2.mga8

from SRPM:
logrotate-3.17.0-3.2.mga8.src.rpm

CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 3.19.0 => (none)
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

Comment 3 Herman Viaene 2022-07-20 10:43:30 CEST
MGA8-64  Plasma on Acer Aspire 5253
No installation issues
Just followed the tests as in bug 30473
# logrotate -l=logr.log //etc/logrotate.conf
# ll /var/lib/logrotate.status
-rw-r----- 1 root root 1071 Jul 20 10:39 /var/lib/logrotate.status
# /etc/cron.daily/logrotate
# ll /var/lib/logrotate.status
-rw-r----- 1 root root 1071 Jul 20 10:40 /var/lib/logrotate.status
Looks all OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-07-20 15:10:43 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-07-25 20:09:20 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-07-25 23:43:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0266.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED