
logrotate: multiple vulnerabilities

Package(s): logrotate
CVE #(s): CVE-2011-1098 CVE-2011-1154 CVE-2011-1155
Created: March 31, 2011
Updated: June 26, 2012
Description:

From the Red Hat advisory:

A shell command injection flaw was found in the way logrotate handled the shred directive. A specially-crafted log file could cause logrotate to execute arbitrary commands with the privileges of the user running logrotate (root, by default). Note: The shred directive is not enabled by default. (CVE-2011-1154)

A race condition flaw was found in the way logrotate applied permissions when creating new log files. In some specific configurations, a local attacker could use this flaw to open new log files before logrotate applies the final permissions, possibly leading to the disclosure of sensitive information. (CVE-2011-1098)

An input sanitization flaw was found in logrotate. A log file with a specially-crafted file name could cause logrotate to abort when attempting to process that file a subsequent time. (CVE-2011-1155)
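
The permission race described for CVE-2011-1098, shown as an added example (not part of the Red Hat advisory and not logrotate's source code): a create-then-tighten pattern beside a create-restricted-then-widen pattern, each reporting the mode the file carries at the instant it is created. The function names, the temporary path, the umask of 022 and the final mode 0640 are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static mode_t mode_of(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}
/* Weak (assumed pattern): permissive create mode, tightened by path later.
 * Between open() and chmod() the file has whatever the umask allowed. */
static int create_weak(const char *path, mode_t final, mode_t *at_create) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0) return -1;
    *at_create = mode_of(fd);
    if (chmod(path, final) != 0) { close(fd); return -1; }
    return fd;
}
/* Hardened: owner-only at creation, widened on the descriptor afterwards. */
static int create_hardened(const char *path, mode_t final, mode_t *at_create) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    *at_create = mode_of(fd);
    /* fchown(fd, uid, gid) belongs here, before the mode is widened */
    if (fchmod(fd, final) != 0) { close(fd); return -1; }
    return fd;
}
/* Create a constructed log file in a fresh temp dir under umask 022 and
 * report its mode at creation and after the final permissions are applied. */
int demo(int hardened, mode_t final, mode_t *at_create, mode_t *at_end) {
    char dir[] = "/tmp/rotdemoXXXXXX", path[64];
    mode_t old = umask(022);
    int fd, rc = -1;
    if (mkdtemp(dir)) {
        snprintf(path, sizeof path, "%s/app.log", dir);
        fd = (hardened ? create_hardened : create_weak)(path, final, at_create);
        if (fd >= 0) { *at_end = mode_of(fd); close(fd); rc = 0; }
        unlink(path); rmdir(dir);
    }
    umask(old);
    return rc;
}
int main(void) {
    mode_t c = 0, e = 0;
    for (int h = 0; h < 2; h++)
        if (demo(h, 0640, &c, &e) == 0)
            printf("hardened=%d create=%04o final=%04o\n", h, (unsigned)c, (unsigned)e);
    return 0;
}
```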

Alerts:
Gentoo 201206-36 logrotate 2012-06-25
Ubuntu USN-1172-1 logrotate 2011-07-21
Pardus 2011-85 logrotate 2011-06-21
SUSE SUSE-SR:2011:010 postfix, libthunarx-2-0, rdesktop, python, viewvc, kvm, exim, logrotate, dovecot12/dovecot20, pure-ftpd, kdelibs4 2011-05-31
openSUSE openSUSE-SU-2011:0536-1 logrotate 2011-05-25
Fedora FEDORA-2011-3739 logrotate 2011-03-21
Mandriva MDVSA-2011:065 logrotate 2011-04-05
Red Hat RHSA-2011:0407-01 logrotate 2011-03-31



Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds