Arne Wichmann
2011-Aug-25 18:46 UTC
[Secure-testing-team] Bug#639302: logrotate: CVE-2011-1098, CVE-2011-1154 and CVE-2011-1155
Package: logrotate
Version: 3.7.8-6
Severity: important
Tags: security
Justification: user security hole

There are three security problems described for logrotate, one of them (the second) might allow attackers who can write into a directory with a log file to execute arbitrary commands:

CVE-2011-1098 (Race condition in the createOutputFile function in logrotate.c in logrotate 3.7.9 and earlier allows local users to read log data by opening a file before the intended permissions are in place.) [1]

CVE-2011-1154 (The shred_file function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to execute arbitrary commands via shell metacharacters in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name.) [2]

CVE-2011-1155 (The writeState function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to cause a denial of service (rotation outage) via a (1) \n (newline) or (2) \ (backslash) character in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name.) [3]

[1] http://security-tracker.debian.org/tracker/CVE-2011-1098
[2] http://security-tracker.debian.org/tracker/CVE-2011-1154
[3] http://security-tracker.debian.org/tracker/CVE-2011-1155

cu

AW

-- Package-specific info:
Contents of /etc/logrotate.d
total 76
-rw-r--r-- 1 root root 173 Oct 4 2010 apt
-rw-r--r-- 1 root root 79 Apr 7 2005 aptitude
-rw-r--r-- 1 root root 215 Apr 16 2008 checksecurity
-rw-r--r-- 1 root root 135 Sep 2 2009 consolekit
-rw-r--r-- 1 root root 180 Jun 18 2010 crossfire-server
-rw-r--r-- 1 root root 173 Dec 6 2009 crossfire-server.dpkg-old
-rw-r--r-- 1 root root 248 Jun 10 2008 cups
-rw-r--r-- 1 root root 232 Aug 13 2010 dpkg
-rw-r--r-- 1 root root 146 May 2 2008 exim4-base
-rw-r--r-- 1 root root 126 May 2 2008 exim4-paniclog
-rw-r--r-- 1 root root 237 Feb 23 2000 leafnode
-rw-r--r-- 1 root root 117 Feb 16 2009 live-helper
-rw-r--r-- 1 root root 157 Nov 30 2009 pm-utils
-rw-r--r-- 1 root root 94 Oct 30 2003 ppp
-rw-r--r-- 1 root root 429 Jun 23 2009 privoxy
-rw-r--r-- 1 root root 88 Nov 20 2007 razor
-rw-r--r-- 1 root root 67 Jan 30 2008 rsnapshot
-rw-r--r-- 1 root root 68 Sep 2 2002 scrollkeeper
-rw-r--r-- 1 root root 190 Jul 18 2008 tor

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.0.0 (PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages logrotate depends on:
ii anacron 2.3-14 cron-like program that doesn't go
ii base-passwd 3.5.23 Debian base system master password
ii cron 3.0pl1-118 process scheduling daemon
ii libc6 2.13-10 Embedded GNU C Library: Shared lib
ii libpopt0 1.16-1 lib for parsing cmdline parameters
ii libselinux1 2.0.98-1.1 SELinux runtime shared libraries

Versions of packages logrotate recommends:
pn mailx <none> (no description available)

logrotate suggests no packages.

-- no debconf information
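
The class of race that the CVE-2011-1098 text in the report above describes (a file readable before its intended permissions are in place), shown beside a creation pattern that closes the window. This is an added example, not part of the original report and not logrotate's code; the function names `create_racy`, `create_restricted`, `fd_mode` and the `/tmp` path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static mode_t fd_mode(int fd) /* permission bits of an open descriptor */
{
    struct stat sb;
    return fstat(fd, &sb) == 0 ? (sb.st_mode & 07777) : (mode_t)-1;
}

/* Racy pattern (hypothetical): created with umask-derived permissions and
 * narrowed afterwards. *born is what other local users could open meanwhile. */
int create_racy(const char *path, mode_t final_mode, mode_t *born)
{
    int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0666);
    if (fd < 0) return -1;
    *born = fd_mode(fd);
    if (chmod(path, final_mode) != 0) { close(fd); return -1; }
    return fd;
}

/* Hardened pattern: born owner-only, O_EXCL refuses a pre-existing name
 * (including a symlink), final mode applied through the descriptor. */
int create_restricted(const char *path, mode_t final_mode, mode_t *born)
{
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    *born = fd_mode(fd);
    if (fchmod(fd, final_mode) != 0) { close(fd); unlink(path); return -1; }
    return fd;
}

int main(void)
{
    char dir[] = "/tmp/lr_demo_XXXXXX", path[64]; /* constructed sample path */
    mode_t born = 0;
    if (!mkdtemp(dir)) return 1;
    snprintf(path, sizeof path, "%s/app.log.1", dir);
    umask(022);
    int fd = create_racy(path, 0600, &born);
    printf("racy: born %04o\n", (unsigned)born);
    close(fd); unlink(path);
    fd = create_restricted(path, 0640, &born);
    printf("restricted: born %04o, final %04o\n", (unsigned)born, (unsigned)fd_mode(fd));
    close(fd); unlink(path); rmdir(dir);
}
```
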