Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 25 May 2022 15:37:24 +0200
From: Kamil Dudka <kdudka@...hat.com>
To: Marc Deslauriers <marc.deslauriers@...onical.com>
Cc: oss-security@...ts.openwall.com, Guilherme de Almeida Suckevicz <gsuckevi@...hat.com>
Subject: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file

On Wednesday, May 25, 2022 3:19:31 PM CEST Marc Deslauriers wrote:
> On 2022-05-18 09:54, Kamil Dudka wrote:
> > The current version of the patch to fix CVE-2022-1348 in logrotate is
> > attached.  We are going to apply the patch upstream on May 25th, when
> > the embargo is lifted.
> 
> FWIW, I don't think the patch actually works when logrotate is built with
> ACL support...
> 
> Marc.

You are right.  Although the patch mitigates the security issue, it is not 
perfect.  I had already opened an upstream pull request to improve it:

    https://github.com/logrotate/logrotate/pull/446

I might create a bug fix release soon with the patch included.

Sorry for the troubles!

Kamil

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.