Your submission was sent successfully! Close

CVE-2022-1348

Published: 25 May 2022

A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.

Priority

Medium

CVSS 3 base score: 6.5

Status

Package Release Status
logrotate
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
impish
Released (3.18.0-2ubuntu1.1)
jammy
Released (3.19.0-1ubuntu1.1)
trusty Not vulnerable
(code not present)
upstream Needs triage

xenial Not vulnerable
(code not present)
Patches:
upstream: https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9
upstream: https://github.com/logrotate/logrotate/pull/446

Notes

AuthorNote
amurray
Only affects logrotate >= 3.17.0
mdeslaur
Ubuntu packages build with:
--with-state-file-path=/var/lib/logrotate/status
but the /var/lib/logrotate directory itself is 755, so a
user can get a lock on the file.
See follow-up pull request with additional fix

References