A security flaw was found in the way logwatch, a log file analysis program, pre-processed log files containing certain special characters in their names. A remote attacker could use this flaw to execute arbitrary code with the privileges of the privileged system user (root) by creating a specially-crafted log file, subsequently analyzed by the logwatch script.

Upstream bug report:
[1] http://sourceforge.net/tracker/?func=detail&aid=3184223&group_id=312875&atid=1316824

Related patch:
[2] http://logwatch.svn.sourceforge.net/viewvc/logwatch?view=revision&revision=26

Other references:
[3] http://sourceforge.net/mailarchive/forum.php?thread_name=4D604843.7040303%40mblmail.net&forum_name=logwatch-devel
How about this procedure:
- Add logwatch 7.4.0 to the tree (bug #358807)
- Mark 7.4.0 stable

Judging from release dates only, 7.4.0 should include this fix:

* Mon Feb 28 2011 Karel Klic <kklic@redhat.com> - 7.3.6-60
- Added fix for CVE-2011-1018: Privilege escalation due to improper sanitization of special characters in log file names (rhbz#680237)

My source is <http://lwn.net/Articles/433042/>.
(In reply to comment #1)
> How about this procedure:
> - Add logwatch 7.4.0 to the tree (bug #358807)
> - Mark 7.4.0 stable
>
> Judging from release dates only, 7.4.0 should include this fix:

Looks like it does (I compared the 7.4.0 tarball to the fix at http://logwatch.svn.sourceforge.net/viewvc/logwatch/scripts/logwatch.pl?r1=3&r2=26&pathrev=26).

Arches, please test and mark stable:
=sys-apps/logwatch-7.4.0
Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86"
Synced now; it isn't there.

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-apps/logwatch/
(In reply to comment #3)
> Synced now; it isn't there.
>
> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-apps/logwatch/

Ugh, sorry for the spam.

(In reply to comment #1)
> How about this procedure:
> - Add logwatch 7.4.0 to the tree (bug #358807)
> - Mark 7.4.0 stable

Sounds good to me!
CVE-2011-1018 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1018): logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in a log file name, as demonstrated via a crafted username to a Samba server.
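The mechanism behind the description in comment #0 and the CVE text above (a log file name that carries shell metacharacters, such as a Samba per-client log named after a crafted username, being interpolated into a shell command by the log pre-processing step) is illustrated by the following added example. It is not logwatch's code and not part of this bug: the pre-processing step is modelled as plain `cat` rather than the decompressors logwatch actually runs, the hostile file name `log.;echo INJECTED` is a constructed stand-in for a crafted username, and the injected command only prints a marker. The contrast shown (command string through a shell versus an argument vector with no shell) is the same one the upstream fix relies on; in Perl the argv form is the list form of `system()`/`open()`.

```python
"""Added illustration of CVE-2011-1018's mechanism (not logwatch's own code).

Assumptions not taken from the bug report: the pre-processing step is
modelled as 'cat <file>'; the hostile name is constructed here and stands in
for a Samba per-client log whose name came from an attacker-chosen username.
"""
import os
import subprocess
import tempfile

MARKER = "INJECTED"
# Constructed hostile name: log.<username> with a ';' and a harmless command.
HOSTILE_NAME = f"log.;echo {MARKER}"


def make_log_dir():
    """Create a temp directory with one benign and one hostile log file.
    Returns (directory, benign_path, hostile_path)."""
    d = tempfile.mkdtemp(prefix="lw_")
    benign = os.path.join(d, "log.client1")
    hostile = os.path.join(d, HOSTILE_NAME)
    with open(benign, "w") as fh:
        fh.write("benign line\n")
    with open(hostile, "w") as fh:
        fh.write("hostile line\n")
    return d, benign, hostile


def preprocess_vulnerable(path):
    """Vulnerable pattern: the file name is pasted into a shell command
    string. The shell splits on ';', so the tail of the name runs as a
    second command and the intended file is never read."""
    proc = subprocess.run("cat " + path, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def preprocess_safe(path):
    """Hardened pattern: argument vector, no shell. The whole name is one
    argv entry regardless of which characters it contains."""
    proc = subprocess.run(["cat", path], capture_output=True, text=True)
    return proc.stdout


def has_shell_metachars(name):
    """Defence in depth: refuse names that would be dangerous if any code
    path still hands them to a shell."""
    return any(c in name for c in ";|&$`<>()\n'\"\\")


def run_demo():
    """Run both pre-processing variants against the hostile file and
    report what each one produced."""
    _, benign, hostile = make_log_dir()
    return {
        "vulnerable_output": preprocess_vulnerable(hostile),
        "safe_output": preprocess_safe(hostile),
        "benign_flagged": has_shell_metachars(os.path.basename(benign)),
        "hostile_flagged": has_shell_metachars(os.path.basename(hostile)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Running it prints the marker from the vulnerable path (the injected `echo` ran, and `cat` never saw the real file) and the file's actual contents from the argv path; the metacharacter filter flags only the hostile name.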
12 Nov 2011; Pawel Hajdan jr <phajdan.jr@gentoo.org> +logwatch-7.4.0.ebuild:
Version bump wrt bug #358807.

OK, let's try this again :)

Arches, please test and mark stable:
=sys-apps/logwatch-7.4.0
Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86"
Stable on alpha.
amd64 stable
Stable for HPPA.
ppc done
x86 stable
arm stable
ppc64 done
sparc stable
Thanks, everyone. A GLSA request has already been filed and is ready for review.
This issue was resolved and addressed in GLSA 201203-20 at http://security.gentoo.org/glsa/glsa-201203-20.xml by GLSA coordinator Sean Amoss (ackle).