Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 356387 (CVE-2011-1018) - <sys-apps/logwatch-7.4.0: Privilege escalation due improper sanitization of special characters in log file names (CVE-2011-1018)
Summary: <sys-apps/logwatch-7.4.0: Privilege escalation due improper sanitization of s...
Status: RESOLVED FIXED
Alias: CVE-2011-1018
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-25 07:32 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2012-03-28 10:55 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-25 07:32:55 UTC
A security flaw was found in the way logwatch, a log file
analysis program, pre-processed log files, containing certain
special characters in their names. A remote attacker could
use this flaw to execute arbitrary code with the privileges
of the privileged system user (root) by creating a 
specially-crafted log file, subsequently analyzed by the
logwatch script.

Upstream bug report:
[1]
http://sourceforge.net/tracker/?func=detail&aid=3184223&group_id=312875&atid=1316824

Related patch:
[2]
http://logwatch.svn.sourceforge.net/viewvc/logwatch?view=revision&revision=26

Other references:
[3]
http://sourceforge.net/mailarchive/forum.php?thread_name=4D604843.7040303%40mblmail.net&forum_name=logwatch-devel
Comment 1 Sebastian Pipping gentoo-dev 2011-03-14 09:37:20 UTC
How about this procedure:
- Add logwatch 7.4.0 to the tree (bug #358807)
- Mark 7.4.0 stable

Jodging from releases dates only 7.4.0 should include this fix:

  * Mon Feb 28 2011 Karel Klic <kklic@redhat.com> - 7.3.6-60
  - Added fix for CVE-2011-1018: Privilege escalation due improper
    sanitization of special characters in log file names (rhbz#680237)

My source is <http://lwn.net/Articles/433042/>.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 21:56:15 UTC
(In reply to comment #1)
> How about this procedure:
> - Add logwatch 7.4.0 to the tree (bug #358807)
> - Mark 7.4.0 stable
> 
> Jodging from releases dates only 7.4.0 should include this fix:
> 

Looks like it does (I compared the 7.4.0 tarball to the fix at http://logwatch.svn.sourceforge.net/viewvc/logwatch/scripts/logwatch.pl?r1=3&r2=26&pathrev=26).

Arches, please test and mark stable:
=sys-apps/logwatch-7.4.0
Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-03-23 11:40:59 UTC
synced now, there isn't it.

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-apps/logwatch/
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-03-23 13:43:39 UTC
(In reply to comment #3)
> synced now, there isn't it.
> 
> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-apps/logwatch/

Ugh, sorry for the spam.

(In reply to comment #1)
> How about this procedure:
> - Add logwatch 7.4.0 to the tree (bug #358807)
> - Mark 7.4.0 stable
> 

Sounds good to me!
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:03:57 UTC
CVE-2011-1018 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1018):
  logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbitrary
  commands via shell metacharacters in a log file name, as demonstrated via a
  crafted username to a Samba server.
Comment 6 Sean Amoss gentoo-dev Security 2012-03-01 18:28:33 UTC
12 Nov 2011; Pawel Hajdan jr <phajdan.jr@gentoo.org> +logwatch-7.4.0.ebuild:
	  Version bump wrt bug #358807.

Ok, lets try this again :)

Arches, please test and mark stable:
=sys-apps/logwatch-7.4.0
Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86"
Comment 7 Tobias Klausmann gentoo-dev 2012-03-02 13:43:44 UTC
Stable on alpha.
Comment 8 Agostino Sarubbo gentoo-dev 2012-03-02 15:02:21 UTC
amd64 stable
Comment 9 Jeroen Roovers gentoo-dev 2012-03-02 18:05:30 UTC
Stable for HPPA.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2012-03-05 21:56:37 UTC
ppc done
Comment 11 Thomas Kahle (RETIRED) gentoo-dev 2012-03-07 11:10:31 UTC
x86 stable
Comment 12 Markus Meier gentoo-dev 2012-03-12 19:19:34 UTC
arm stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2012-03-16 18:18:07 UTC
ppc64 done
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2012-03-17 17:51:58 UTC
sparc stable
Comment 15 Sean Amoss gentoo-dev Security 2012-03-17 19:45:40 UTC
Thanks, everyone.

A GLSA request has already been filed and is ready for review.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2012-03-28 10:55:28 UTC
This issue was resolved and addressed in
 GLSA 201203-20 at http://security.gentoo.org/glsa/glsa-201203-20.xml
by GLSA coordinator Sean Amoss (ackle).