CVE-2022-1348

NameCVE-2022-1348
DescriptionA vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs1011644

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
logrotate (PTS)buster3.14.0-4fixed
bullseye3.18.0-2vulnerable
bookworm, sid3.20.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
logrotatesourcestretch(not affected)
logrotatesourcebuster(not affected)
logrotatesource(unstable)3.20.1-11011644

Notes

[bullseye] - logrotate <no-dsa> (Minor issue; pending via next point release)
[buster] - logrotate <not-affected> (Vulnerable code introduced later)
[stretch] - logrotate <not-affected> (Vulnerable code introduced later)
https://www.openwall.com/lists/oss-security/2022/05/25/3
Introduced by: https://github.com/logrotate/logrotate/commit/f46d0bdfc9c53515c13880c501f4d2e1e7dd8b25 (3.17.0)
https://github.com/logrotate/logrotate/pull/446
Fixed by: https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9 (3.20.0)
Fixed by: https://github.com/logrotate/logrotate/commit/addbd293242b0b78aa54f054e6c1d249451f137d (3.20.1)
Packages are built with --with-state-file-path=/var/lib/logrotate/status
but /var/lib/logrotate has 0755 permissions, allowing a user to aquire a lock on the file.

Search for package or bug name: Reporting problems