The default configuration of logrotate on Gentoo Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by directories under /var/log/ for packages.
I believe this is not a bug. I have verified that in the stages, /var/log is not writable by any user except root, so that particular link is incorrect; in addition, the relevant RedHat bug that seems to have caused this report was closed NotABug: https://bugzilla.redhat.com/show_bug.cgi?id=680799
If a user changes /var/log to be group or world writable, then they are at fault, not us.
I have also verified that a default logrotate install only rotates two files: /var/log/wtmp and /var/log/btmp.
Am I missing something in one of the links?
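As an added example (not from this bug thread or from the logrotate project), a shell check for the condition discussed above: it walks a log tree and reports directories that a user other than the expected owner could write to, plus any symlinks, which are the preconditions the CVE text describes for a link attack on a root-run logrotate. The optional owner argument (default root) is an assumption added so the check can also run on a constructed test tree.

```sh
#!/bin/sh
# audit_log_tree ROOT [OWNER]
# Prints one finding per line and returns 1 if anything was found,
# 0 if the tree looks safe for a root-run logrotate.
#   writable-dir: a directory not owned by OWNER, or with the group or
#                 world write bit set, where an unprivileged user could
#                 pre-create a symlink or hard link under a log's name
#   symlink:      a symlink inside the tree, which logrotate would follow
audit_log_tree() {
    root=$1
    owner=${2:-root}

    findings=$(
        # POSIX find: -perm -020 = group write bit set, -perm -002 = world
        find "$root" -type d \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) 2>/dev/null |
            sed 's/^/writable-dir: /'
        find "$root" -type l 2>/dev/null | sed 's/^/symlink: /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use: audit the real log tree (run as any user that can
# read /var/log; ownership is compared against root by default).
if [ "${1:-}" = "--run" ]; then
    audit_log_tree /var/log
fi
```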
(Sorry for the delay; I was on vacation until Jul 5.)
Okay, apparently RedHat lied in their bugzilla. 3.8.0 has a fix for the issue behind this CVE, and 3.8.0 is in the tree now. I still do not think that CVE is valid, but it's fixed regardless in 3.8.0.
Thanks, Daniel. Can we move forward and stabilize 3.8.0?
Not yet, there's still 374869.
Okay, I'm ready for 3.8.0 to go stable.
(In reply to comment #5)
> Okay, I'm ready for 3.8.0 to go stable.
Great, thank you.
Arches, please test and mark stable:
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 done. Thanks Agostino and Ian.
Archtested x86: ok.
Stable for HPPA.
x86 stable, thanks JD.
Thanks, everyone. GLSA Vote: yes.
Vote: YES. Added to pending GLSA request.
This issue was resolved and addressed in
GLSA 201206-36 at http://security.gentoo.org/glsa/glsa-201206-36.xml
by GLSA coordinator Stefan Behte (craig).