Bug 21348 - space in file name + compress option == big problem
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: logrotate
Version: 7.0
Hardware: i386 Linux
Target Milestone: ---
Assignee: Erik Troan
QA Contact: David Lawrence
Keywords: Security
Reported: 2000-11-26 14:58 UTC by Patrick J. LoPresti
Modified: 2007-04-18 16:30 UTC (History)

Doc Type: Bug Fix
Last Closed: 2001-01-02 23:54:31 UTC

Description Patrick J. LoPresti 2000-11-26 14:58:39 UTC
This is *not* a duplicate of bug 13122; it is a different (though related) 

logrotate-3.5.2 from Red Hat 7 *still* breaks when you have a space in a 
file name if you enable the "compress" option.

When you enable "compress", logrotate uses a shell, probably via system(), 
to invoke gzip.  This is very bad, because it can pass random characters 
to the shell (spaces, parens, whatever.)

Such random characters do appear in the names of Samba log files, because 
each log file name contains the NetBIOS name of the client Windows system.

This is almost certainly a security hole...  An administrator has no 
control over how Windows users name their machines, so he has no control 
over the log file names, so he has no control over the trash which 
logrotate passes to the shell.

Comment 1 Patrick J. LoPresti 2000-12-04 15:00:26 UTC
This happens even without "compress"; we just got the following
via Email:

  errors occured while rotating /var/log/samba/log.* {

  sh: syntax error near unexpected token `(d'
  sh: -c: line 1: `/bin/sh /tmp/logrotf1a6AC /var/log/samba/log.my laptop
  error running postrotate script

Will this problem be fixed sooner if I can actually find a remote root exploit
based on it?

Comment 2 Preston Brown 2001-06-21 19:57:28 UTC
Filenames are quoted in logrotate 3.5.6 and later.
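
The failure mode discussed in this bug, as an added example that is not logrotate's own code: a file name spliced unquoted into a system() command line is split by the shell into several words, while the same name wrapped in single quotes stays one argument. The helper names `shell_quote` and `shell_word_count` are hypothetical, and the sample path is constructed from the error message in Comment 1.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* Quote `in` for POSIX sh: wrap it in single quotes and rewrite each
 * embedded ' as '\''. Returns 0 on success, -1 if `out` is too small. */
int shell_quote(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz < 3) return -1;
    out[o++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need + 2 > outsz) return -1;  /* room for closing ' and NUL */
        if (*in == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *in;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Splice `arg_text` into a command line the way a system() caller would and
 * let sh report, as its exit status, how many words it parsed. A command line
 * sh cannot parse also exits non-zero, so anything other than 1 means the
 * name did not arrive as a single argument. Returns -1 if sh could not run. */
int shell_word_count(const char *arg_text)
{
    char cmd[1024];
    int st;
    if (snprintf(cmd, sizeof cmd, "set -- %s; exit $#", arg_text) >= (int)sizeof cmd)
        return -1;
    st = system(cmd);
    if (st == -1 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    const char *name = "/var/log/samba/log.my laptop";  /* constructed sample */
    char q[256];
    if (shell_quote(name, q, sizeof q) != 0) return 1;
    printf("unquoted: %d word(s)\n", shell_word_count(name));
    printf("quoted:   %d word(s)\n", shell_word_count(q));
    return 0;
}
```

Running the helper program with fork() and execv() and passing the file name as its own argv entry avoids the shell altogether, so no quoting is needed.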