CVE-2022-1348

NameCVE-2022-1348
DescriptionA vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1011644

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
logrotate (PTS)buster3.14.0-4fixed
bullseye3.18.0-2+deb11u1fixed
bookworm, sid3.20.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
logrotatesourcestretch(not affected)
logrotatesourcebuster(not affected)
logrotatesourcebullseye3.18.0-2+deb11u1
logrotatesource(unstable)3.20.1-11011644

Notes

[buster] - logrotate <not-affected> (Vulnerable code introduced later)
[stretch] - logrotate <not-affected> (Vulnerable code introduced later)
https://www.openwall.com/lists/oss-security/2022/05/25/3
Introduced by: https://github.com/logrotate/logrotate/commit/f46d0bdfc9c53515c13880c501f4d2e1e7dd8b25 (3.17.0)
https://github.com/logrotate/logrotate/pull/446
Fixed by: https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9 (3.20.0)
Fixed by: https://github.com/logrotate/logrotate/commit/addbd293242b0b78aa54f054e6c1d249451f137d (3.20.1)
Packages are built with --with-state-file-path=/var/lib/logrotate/status
but /var/lib/logrotate has 0755 permissions, allowing a user to aquire a lock on the file.

Search for package or bug name: Reporting problems