Bug 372973 (CVE-2011-1549) - <app-admin/logrotate-3.8.0: symlink attack (CVE-2011-1549)
Summary: <app-admin/logrotate-3.8.0: symlink attack (CVE-2011-1549)
Status: RESOLVED FIXED
Alias: CVE-2011-1549
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-25 12:41 UTC by GLSAMaker/CVETool Bot
Modified: 2012-06-25 19:23 UTC

See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2011-06-25 12:41:20 UTC
CVE-2011-1549 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1549):
  The default configuration of logrotate on Gentoo Linux uses root privileges
  to process files in directories that permit non-root write access, which
  allows local users to conduct symlink and hard link attacks by leveraging
  logrotate's lack of support for untrusted directories, as demonstrated by
  directories under /var/log/ for packages.
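The CVE text above describes a precondition rather than a bug in any one config line: a root-privileged rotator touching files in a directory that a non-root user can write to. The following is an added example, not code from logrotate or from this bug report, that audits exactly that precondition from the operator's side: it flags log directories that are not root-owned or are group/world-writable (group write is tolerated only for root's group, a policy assumed here), and flags log names that are symlinks or multiply hard-linked files. The `audit_demo` scenario, the temporary directory and the file names in it are constructed for the example; the real `ROOT_UID`/`ROOT_GID` defaults are what an operator would use against `/var/log`.

```python
# Added example (not logrotate's own code): an audit for the precondition
# behind CVE-2011-1549. logrotate runs as root; if a directory it rotates in
# is writable by a non-root user, that user can place a symlink or hard link
# where a log name is expected. The functions below report such directories
# and link-type log files so an operator can find them before rotation runs.
import os
import stat
import tempfile

ROOT_UID = 0
ROOT_GID = 0


def dir_problems(mode, uid, gid, trusted_uid=ROOT_UID, trusted_gid=ROOT_GID):
    """Reasons a directory with these stat values is unsafe for root rotation.

    Assumed policy: rotate only in directories owned by the trusted user and
    not writable by anyone else (group write tolerated only for the trusted
    group). Sticky-bit directories such as /tmp still count as world-writable.
    """
    problems = []
    if uid != trusted_uid:
        problems.append("directory not owned by uid %d" % trusted_uid)
    if mode & stat.S_IWOTH:
        problems.append("directory is world-writable")
    if mode & stat.S_IWGRP and gid != trusted_gid:
        problems.append("directory is group-writable by gid %d" % gid)
    return problems


def audit_log_path(path, trusted_uid=ROOT_UID, trusted_gid=ROOT_GID):
    """Return the list of problems for one log file a rotator would handle."""
    path = os.path.abspath(path)
    parent = os.path.dirname(path)
    st = os.stat(parent)
    problems = dir_problems(st.st_mode, st.st_uid, st.st_gid,
                            trusted_uid, trusted_gid)
    # lstat looks at the name itself, not at whatever a link points to.
    try:
        lst = os.lstat(path)
    except FileNotFoundError:
        problems.append("log file does not exist")
        return problems
    if stat.S_ISLNK(lst.st_mode):
        problems.append("log file is a symlink")
    elif stat.S_ISREG(lst.st_mode) and lst.st_nlink > 1:
        problems.append("log file has %d hard links" % lst.st_nlink)
    return problems


def audit_demo():
    """Constructed scenario in a temporary directory. It trusts the current
    user instead of root so it runs unprivileged: a world-writable log
    directory holding a plain log and a symlink posing as a log."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o1777)  # sticky + world-writable, like /tmp
    plain = os.path.join(base, "app.log")
    with open(plain, "w") as fh:
        fh.write("constructed log line\n")
    link = os.path.join(base, "planted.log")  # constructed symlink name
    os.symlink(plain, link)
    me_uid, me_gid = os.getuid(), os.getgid()
    return {
        "plain": audit_log_path(plain, me_uid, me_gid),
        "symlink": audit_log_path(link, me_uid, me_gid),
    }


if __name__ == "__main__":
    for name, problems in audit_demo().items():
        print(name, "->", problems or ["ok"])
```

Run against real paths, `audit_log_path("/var/log/wtmp")` with the default root uid/gid is the check to apply to each file named in `/etc/logrotate.conf` and `/etc/logrotate.d/*`; an empty list means the directory and file meet the assumed policy.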
Comment 1 Daniel Gryniewicz (RETIRED) gentoo-dev 2011-07-06 12:42:19 UTC
I believe this is not a bug.  I have verified that in the stages, /var/log is not writable by any user except root, so that particular link is incorrect; in addition, the relevant RedHat bug that seems to have caused this report was closed NotABug: https://bugzilla.redhat.com/show_bug.cgi?id=680799

If a user changes /var/log to be group or world writable, then they are at fault, not us.

I have also verified that a default logrotate install only rotates two files: /var/log/wtmp and /var/log/btmp

Am I missing something in one of the links?

(Sorry for the delay; I was on vacation until Jul 5.)
Comment 2 Daniel Gryniewicz (RETIRED) gentoo-dev 2011-07-06 22:45:37 UTC
Okay, apparently RedHat lied in their bugzilla.  3.8.0 has a fix for the issue behind this CVE, and 3.8.0 is in the tree now.  I still do not think that CVE is valid, but it's fixed regardless in 3.8.0
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-07-11 02:39:35 UTC
Thanks, Daniel. Can we move forward and stabilize 3.8.0?
Comment 4 Daniel Gryniewicz (RETIRED) gentoo-dev 2011-07-12 17:36:17 UTC
Not yet, there's still 374869
Comment 5 Daniel Gryniewicz (RETIRED) gentoo-dev 2011-07-21 16:25:22 UTC
Okay, I'm ready for 3.8.0 to go stable.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-08-02 15:49:25 UTC
(In reply to comment #5)
> Okay, I'm ready for 3.8.0 to go stable.

Great, thank you.

Arches, please test and mark stable:
=app-admin/logrotate-3.8.0
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 7 Agostino Sarubbo gentoo-dev 2011-08-02 18:58:54 UTC
amd64 ok.
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-03 11:26:06 UTC
ppc/ppc64 stable
Comment 9 Ian Delaney (RETIRED) gentoo-dev 2011-08-04 11:58:25 UTC
amd64 ok.
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2011-08-04 14:49:39 UTC
amd64 done. Thanks Agostino and Ian
Comment 11 Jeff (JD) Horelick (RETIRED) gentoo-dev 2011-08-04 18:34:19 UTC
Archtested x86: ok.
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2011-08-05 00:26:50 UTC
Stable for HPPA.
Comment 13 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-08-06 03:32:56 UTC
x86 stable, thanks JD
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2011-08-07 17:31:34 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 15:32:21 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:25:54 UTC
Vote: YES. Added to pending GLSA request.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2012-06-25 19:23:29 UTC
This issue was resolved and addressed in
 GLSA 201206-36 at http://security.gentoo.org/glsa/glsa-201206-36.xml
by GLSA coordinator Stefan Behte (craig).