[Debian] Medium CVE: CVE-2022-1348: logrotate: allowing an unprivileged user to lock the state file

Bug #2021473 reported by Yue Tao
Affects: StarlingX | Status: Fix Released | Importance: Medium | Assigned to: ZhangXiao

Bug Description

CVE-2022-1348: https://nvd.nist.gov/vuln/detail/CVE-2022-1348

A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.

Base Score: Medium

References:

https://security-tracker.debian.org/tracker/CVE-2022-1348

Package update: logrotate_3.18.0-2_amd64.deb → logrotate_3.18.0-2+deb11u1_amd64.deb


Changed in starlingx:
assignee: nobody → ZhangXiao (zhangxiao-windriver)
Ghada Khalil (gkhalil) wrote :
Changed in starlingx:
status: Triaged → Fix Released
This report contains Public Security information; everyone can see it.