Bug 680796 (CVE-2011-1154)

Summary: CVE-2011-1154 logrotate: Shell command injection by using the shred configuration directive
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jkaluza, jscotka, petr.uzel, vkrizan
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-29 14:03:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 688518, 688519, 688520    
Bug Blocks:    
Attachments:
Description Flags
proposed patch
none
proposed patch none

Description Jan Lieskovsky 2011-02-27 19:36:26 UTC 
A shell command injection flaw was found in the way the logrotate utility
handled shred configuration directive (intended to ensure the log files
are not readable after their scheduled deletion). A local attacker could
use this flaw to execute arbitrary system commands (if the logrotate
was run under privileged system user account, root) when the logrotate
utility was run on a log file, within attacker controllable directory.
Comment 1 Jan Kaluža 2011-02-28 10:06:10 UTC 
Created attachment 481342 [details]
proposed patch

Fixes mentioned bug by passing file descriptor as STDOUT to shred utility instead of passing filename. Any feedback is welcome.
Comment 5 Jan Kaluža 2011-03-01 08:41:31 UTC 
Created attachment 481556 [details]
proposed patch

This patch also unlinks log file after shredding.
Comment 7 Huzaifa S. Sidhpurwala 2011-03-17 09:58:06 UTC 
Created logrotate tracking bugs for this issue

Affects: fedora-all [bug 688520]
Comment 8 errata-xmlrpc 2011-03-31 15:16:32 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0407 https://rhn.redhat.com/errata/RHSA-2011-0407.html
Comment 9 Jan Lieskovsky 2011-03-31 15:34:14 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of logrotate as
shipped with Red Hat Enterprise Linux 4 and 5, as they did not support
'shred' logrotate configuration directive yet.