Summary: | <sys-apps/logwatch-7.4.0: Privilege escalation due improper sanitization of special characters in log file names (CVE-2011-1018) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | major | CC: | base-system, hollow, jesse
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=680237 | |
Whiteboard: | B1 [glsa] | |
Package list: | | Runtime testing required: | ---
Description

Paweł Hajdan, Jr. (RETIRED)
2011-02-25 07:32:55 UTC

How about this procedure:
- Add logwatch 7.4.0 to the tree (bug #358807)
- Mark 7.4.0 stable

Judging from release dates only 7.4.0 should include this fix:

* Mon Feb 28 2011 Karel Klic <kklic@redhat.com> - 7.3.6-60
- Added fix for CVE-2011-1018: Privilege escalation due improper sanitization of special characters in log file names (rhbz#680237)

My source is <http://lwn.net/Articles/433042/>.

(In reply to comment #1)
> How about this procedure:
> - Add logwatch 7.4.0 to the tree (bug #358807)
> - Mark 7.4.0 stable
>
> Judging from release dates only 7.4.0 should include this fix:
>

Looks like it does (I compared the 7.4.0 tarball to the fix at http://logwatch.svn.sourceforge.net/viewvc/logwatch/scripts/logwatch.pl?r1=3&r2=26&pathrev=26).

Arches, please test and mark stable:
=sys-apps/logwatch-7.4.0
Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86"

synced now, it isn't there.

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-apps/logwatch/

(In reply to comment #3)
> synced now, it isn't there.
>
> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-apps/logwatch/

Ugh, sorry for the spam.

(In reply to comment #1)
> How about this procedure:
> - Add logwatch 7.4.0 to the tree (bug #358807)
> - Mark 7.4.0 stable
>

Sounds good to me!

CVE-2011-1018 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1018):
logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in a log file name, as demonstrated via a crafted username to a Samba server.

12 Nov 2011; Pawel Hajdan jr <phajdan.jr@gentoo.org> +logwatch-7.4.0.ebuild:
Version bump wrt bug #358807.

Ok, let's try this again :)

Arches, please test and mark stable:
=sys-apps/logwatch-7.4.0
Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86"

Stable on alpha.

amd64 stable

Stable for HPPA.

ppc done

x86 stable

arm stable

ppc64 done

sparc stable

Thanks, everyone. A GLSA request has already been filed and is ready for review.
This issue was resolved and addressed in GLSA 201203-20 at http://security.gentoo.org/glsa/glsa-201203-20.xml by GLSA coordinator Sean Amoss (ackle). |
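The NVD text quoted in the thread describes a shell-metacharacter injection through a log file name. As an added illustration (not logwatch's code and not part of this bug), the Python example below creates a constructed log file whose name carries a `;`, reads it the vulnerable way (a command string handed to a shell) and two hardened ways (`shlex.quote`, and an argv list with no shell), so the difference shows up in the returned output. Function and file names are assumptions for the demo.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed sample: a log file whose name carries a shell metacharacter,
# the way an attacker-chosen username could end up in a per-user log file name.
BAD_NAME = "user; echo INJECTED"


def make_sample_log(directory: str) -> str:
    """Create the constructed sample log file and return its full path."""
    path = os.path.join(directory, BAD_NAME)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("line from the real log\n")
    return path


def read_via_shell_string(log_path: str) -> str:
    """Vulnerable pattern: the file name is interpolated into a command string
    that a shell parses, so ';' ends the cat command and starts a new one."""
    proc = subprocess.run(f"cat {log_path}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def read_via_quoted_shell_string(log_path: str) -> str:
    """If a shell is unavoidable, shlex.quote() makes the name one literal word."""
    proc = subprocess.run(f"cat -- {shlex.quote(log_path)}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def read_via_argv(log_path: str) -> str:
    """Hardened pattern: argv list and no shell; the name is a single argument
    and metacharacters inside it are never interpreted."""
    proc = subprocess.run(["cat", "--", log_path], capture_output=True, text=True)
    return proc.stdout


def demo() -> dict:
    """Run all three readers against the sample file and return their stdout."""
    with tempfile.TemporaryDirectory() as d:
        path = make_sample_log(d)
        return {
            "shell_string": read_via_shell_string(path),
            "quoted_shell": read_via_quoted_shell_string(path),
            "argv": read_via_argv(path),
        }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out!r}")
```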