Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <24add3d4-c09d-76d7-0dee-6e0c089ff0e6@canonical.com>
Date: Wed, 25 May 2022 10:07:34 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: oss-security@...ts.openwall.com, Kamil Dudka <kdudka@...hat.com>
Cc: Guilherme de Almeida Suckevicz <gsuckevi@...hat.com>
Subject: Re: Re: CVE-2022-1348 logrotate: potential DoS from
 unprivileged users via the state file

On 2022-05-25 09:37, Kamil Dudka wrote:
> On Wednesday, May 25, 2022 3:19:31 PM CEST Marc Deslauriers wrote:
>> On 2022-05-18 09:54, Kamil Dudka wrote:
>>> The current version of the patch to fix CVE-2022-1348 in logrotate is
>>> attached.  We are going to apply the patch upstream on May 25th, when
>>> the embargo is lifted.
>>
>> FWIW, I don't think the patch actually works when logrotate is built with
>> ACL support...
>>
>> Marc.
> 
> You are right.  Although the patch mitigates the security issue, it is not 
> perfect.  I had already opened an upstream pull request to improve it:
> 
>     https://github.com/logrotate/logrotate/pull/446
> 
> I might create a bug fix release soon with the patch included.
> 
> Sorry for the troubles!
> 
> Kamil
> 
> 

Oh! I had not seen that pull request. Thanks, that should solve the issue!

Marc.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.