[Secure-testing-team] Bug#639302: logrotate: CVE-2011-1098, CVE-2011-1154 and CVE-2011-1155

Arne Wichmann aw at linux.de
Thu Aug 25 18:46:09 UTC 2011 

Package: logrotate
Version: 3.7.8-6
Severity: important
Tags: security
Justification: user security hole


There are three security problems described for logrotate, one of them (the
second) might allow attackers who can write into a directory with a log
file to execute arbitrary commands:

CVE-2011-1098 (Race condition in the createOutputFile function in
logrotate.c in logrotate 3.7.9 and earlier allows local users to read log
data by opening a file before the intended permissions are in place.) [1]

CVE-2011-1154 (The shred_file function in logrotate.c in logrotate 3.7.9
and earlier might allow context-dependent attackers to execute arbitrary
commands via shell metacharacters in a log filename, as demonstrated by a
filename that is automatically constructed on the basis of a hostname or
virtual machine name.) [2]

CVE-2011-1155 (The writeState function in logrotate.c in logrotate 3.7.9
and earlier might allow context-dependent attackers to cause a denial of
service (rotation outage) via a (1) \n (newline) or (2) \ (backslash)
character in a log filename, as demonstrated by a filename that is
automatically constructed on the basis of a hostname or virtual machine
name.) [3]

[1] http://security-tracker.debian.org/tracker/CVE-2011-1098
[2] http://security-tracker.debian.org/tracker/CVE-2011-1154
[3] http://security-tracker.debian.org/tracker/CVE-2011-1155

cu

AW

-- Package-specific info:
Contents of /etc/logrotate.d
total 76
-rw-r--r-- 1 root root 173 Oct  4  2010 apt
-rw-r--r-- 1 root root  79 Apr  7  2005 aptitude
-rw-r--r-- 1 root root 215 Apr 16  2008 checksecurity
-rw-r--r-- 1 root root 135 Sep  2  2009 consolekit
-rw-r--r-- 1 root root 180 Jun 18  2010 crossfire-server
-rw-r--r-- 1 root root 173 Dec  6  2009 crossfire-server.dpkg-old
-rw-r--r-- 1 root root 248 Jun 10  2008 cups
-rw-r--r-- 1 root root 232 Aug 13  2010 dpkg
-rw-r--r-- 1 root root 146 May  2  2008 exim4-base
-rw-r--r-- 1 root root 126 May  2  2008 exim4-paniclog
-rw-r--r-- 1 root root 237 Feb 23  2000 leafnode
-rw-r--r-- 1 root root 117 Feb 16  2009 live-helper
-rw-r--r-- 1 root root 157 Nov 30  2009 pm-utils
-rw-r--r-- 1 root root  94 Oct 30  2003 ppp
-rw-r--r-- 1 root root 429 Jun 23  2009 privoxy
-rw-r--r-- 1 root root  88 Nov 20  2007 razor
-rw-r--r-- 1 root root  67 Jan 30  2008 rsnapshot
-rw-r--r-- 1 root root  68 Sep  2  2002 scrollkeeper
-rw-r--r-- 1 root root 190 Jul 18  2008 tor


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.0.0 (PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages logrotate depends on:
ii  anacron                       2.3-14     cron-like program that doesn't go 
ii  base-passwd                   3.5.23     Debian base system master password
ii  cron                          3.0pl1-118 process scheduling daemon
ii  libc6                         2.13-10    Embedded GNU C Library: Shared lib
ii  libpopt0                      1.16-1     lib for parsing cmdline parameters
ii  libselinux1                   2.0.98-1.1 SELinux runtime shared libraries

Versions of packages logrotate recommends:
pn  mailx                         <none>     (no description available)

logrotate suggests no packages.

-- no debconf information

More information about the Secure-testing-team mailing list