[Debian] Medium CVE: CVE-2022-1348: logrotate: allowing an unprivileged user to lock the state file
Bug #2021473 reported by Yue Tao
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| StarlingX | Fix Released | Medium | ZhangXiao | |
Bug Description
CVE-2022-1348: https:/
A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.
Base Score: Medium
References:
https:/
['logrotate_
Changed in starlingx:
assignee: nobody → ZhangXiao (zhangxiao-windriver)
Fixed by https://review.opendev.org/c/starlingx/tools/+/886902 which merged on June 26.
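A host-side check for the condition in the bug description above, as an added example that is not part of the bug report or of the StarlingX fix: it flags a logrotate version before 3.20.0 and a state file readable by "other". The function names and finding labels are hypothetical, and the state-file path and version string are supplied by the caller.

```python
import os
import re
import stat
import tempfile

FIXED = (3, 20, 0)  # the page: "affects logrotate versions before 3.20.0"

def parse_version(text):
    """Pull x.y.z out of strings like 'logrotate 3.18.0' or '3.18.0-2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def audit(state_path, version_text):
    """Return findings (empty list = nothing to report) for one state file."""
    findings = []
    affected = parse_version(version_text) < FIXED
    if affected:
        findings.append("version-before-3.20.0")
    try:
        st = os.lstat(state_path)
    except FileNotFoundError:
        # Per the description, the risky moment is creation of a missing file.
        if affected:
            findings.append("state-file-missing-will-be-created-world-readable")
        return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append("state-path-not-regular-file")
    elif st.st_mode & stat.S_IROTH:
        # Read access by "other" is what allows an unprivileged lock.
        findings.append("state-file-world-readable")
    return findings

if __name__ == "__main__":
    # Constructed sample: a throwaway file standing in for the state file.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "status")
        open(p, "w").close()
        for mode, ver in ((0o644, "logrotate 3.18.0"), (0o640, "logrotate 3.20.1")):
            os.chmod(p, mode)
            print(oct(mode), ver, audit(p, ver))
```

A distribution package can carry a backported fix under an older upstream version number, so the version finding is a prompt to check the package changelog, not proof of exposure.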