Bug 21348

Summary: space in file name + compress option == big problem
Product: [Retired] Red Hat Linux
Reporter: Patrick J. LoPresti <lopresti>
Component: logrotate
Assignee: Erik Troan <ewt>
Status: CLOSED RAWHIDE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 7.0
CC: abartlet, chris, dr, jarno.huuskonen, notting
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-01-02 23:54:31 UTC

Description Patrick J. LoPresti 2000-11-26 14:58:39 UTC
This is *not* a duplicate of bug 13122; it is a different (though related) 
problem.

logrotate-3.5.2 from Red Hat 7 *still* breaks when you have a space in a 
file name if you enable the "compress" option.

When you enable "compress", logrotate uses a shell, probably via system(), 
to invoke gzip.  This is very bad, because it can pass random characters 
to the shell (spaces, parens, whatever.)

Such random characters do appear in the names of Samba log files, because 
each log file name contains the NetBIOS name of the client Windows system.

This is almost certainly a security hole...  An administrator has no 
control over how Windows users name their machines, so he has no control 
over the log file names, so he has no control over the trash which 
logrotate passes to the shell.

Comment 1 Patrick J. LoPresti 2000-12-04 15:00:26 UTC
This happens even without "compress"; we just got the following
via Email:

  errors occured while rotating /var/log/samba/log.* {

  sh: syntax error near unexpected token `(d'
  sh: -c: line 1: `/bin/sh /tmp/logrotf1a6AC /var/log/samba/log.my laptop
(dyn).1'
  error running postrotate script


Will this problem be fixed sooner if I can actually find a remote root exploit
based on it?


Comment 2 Preston Brown 2001-06-21 19:57:28 UTC
Filenames are quoted in logrotate 3.5.6 and later.
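
The failure from Comment 1 and the quoting fix from Comment 2, reproduced as an added C example that is not part of the bug thread and is not logrotate's own code. The `/bin/sh -c` child stands in for gzip or the postrotate script; the function names, the `CHILD` script and the sample path are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample, shaped like the Samba log name in Comment 1. */
static const char *SAMPLE = "/var/log/samba/log.my laptop (dyn).1";
/* Stand-in for gzip or a postrotate script: exits with 10 + its argument count. */
static const char *CHILD = "exit $(($# + 10))";

/* Argument count the child saw, or -1 if the shell rejected the command line. */
static int decode(int st) { return (WIFEXITED(st) && WEXITSTATUS(st) >= 10) ? WEXITSTATUS(st) - 10 : -1; }

/* POSIX sh quoting: wrap in '...' and turn each ' into '\''. -1 if out is too small. */
static int sh_quote(const char *s, char *out, size_t n) {
    size_t j = 0;
    if (n < 3) return -1;
    out[j++] = '\'';
    for (; *s; s++) {
        if (j + 6 > n) return -1;  /* worst case: '\'' + closing quote + NUL */
        if (*s == '\'') { memcpy(out + j, "'\\''", 4); j += 4; }
        else out[j++] = *s;
    }
    out[j++] = '\''; out[j] = '\0';
    return 0;
}

/* Pattern from the report: the name is pasted into a shell command line. */
int via_system(const char *path, int quote) {
    char q[512], cmd[1024];
    if (quote ? sh_quote(path, q, sizeof q) : snprintf(q, sizeof q, "%s", path) >= (int)sizeof q) return -1;
    snprintf(cmd, sizeof cmd, "/bin/sh -c '%s' sh %s", CHILD, q);
    return decode(system(cmd));
}

/* No shell parses the name: it travels as exactly one argv[] element. */
int via_exec(const char *path) {
    int st;
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", CHILD, "sh", path, (char *)NULL);
        _exit(1);  /* reached only if exec failed */
    }
    return (pid < 0 || waitpid(pid, &st, 0) < 0) ? -1 : decode(st);
}

int main(void) {
    printf("unquoted=%d quoted=%d exec=%d\n", via_system(SAMPLE, 0), via_system(SAMPLE, 1), via_exec(SAMPLE));
}
```

A return value of 1 means the child received the file name as a single argument; -1 means the shell failed to parse the command line, as in the error mail quoted in Comment 1.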