Bug 30638 - logrotate new security issue bsc#1192449
Summary: logrotate new security issue bsc#1192449
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-07-15 19:35 CEST by David Walser
Modified: 2022-07-26 03:00 CEST

See Also:
Source RPM: logrotate-3.17.0-3.1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2022-07-15 19:35:30 CEST
SUSE has issued an advisory on July 14:
https://lists.suse.com/pipermail/sle-security-updates/2022-July/011550.html

The issue was fixed upstream in 3.19.0:
https://github.com/logrotate/logrotate/releases/tag/3.19.0

It's this one:
"enforce stricter parsing of configuration files (#427, #431)"
David Walser 2022-07-15 19:36:01 CEST

Status comment: (none) => Fixed upstream in 3.19.0

Comment 1 Lewis Smith 2022-07-15 20:38:34 CEST
We have both version 3.19.0 & version 3.20.1 already in Cauldron, but note this bug is for Mageia 8.
All sorts of packagers have committed this, but assigning it to NicolasS because you did the most recent version update to fix a CVE.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2022-07-18 11:04:30 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Improved coredump handling for SUID binaries. (bsc#1192449)

References:
https://lists.suse.com/pipermail/sle-security-updates/2022-July/011550.html
https://github.com/logrotate/logrotate/releases/tag/3.19.0
========================

Updated package in core/updates_testing:
========================
logrotate-3.17.0-3.2.mga8

from SRPM:
logrotate-3.17.0-3.2.mga8.src.rpm

CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 3.19.0 => (none)
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

Comment 3 Herman Viaene 2022-07-20 10:43:30 CEST
MGA8-64  Plasma on Acer Aspire 5253
No installation issues
Just followed the tests as in bug 30473
# logrotate -l=logr.log //etc/logrotate.conf
# ll /var/lib/logrotate.status
-rw-r----- 1 root root 1071 Jul 20 10:39 /var/lib/logrotate.status
# /etc/cron.daily/logrotate
# ll /var/lib/logrotate.status
-rw-r----- 1 root root 1071 Jul 20 10:40 /var/lib/logrotate.status
Looks all OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-07-20 15:10:43 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-07-25 20:09:20 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-07-25 23:43:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0266.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

