A security flaw was found in the way logwatch, a log file analysis program, pre-processed log files containing certain special characters in their names. A remote attacker could use this flaw to execute arbitrary code with the privileges of the privileged system user (root) by creating a specially-crafted log file that is subsequently analyzed by the logwatch script.

Upstream bug report:
[1] http://sourceforge.net/tracker/?func=detail&aid=3184223&group_id=312875&atid=1316824

Related patch:
[2] http://logwatch.svn.sourceforge.net/viewvc/logwatch?view=revision&revision=26

Other references:
[3] http://sourceforge.net/mailarchive/forum.php?thread_name=4D604843.7040303%40mblmail.net&forum_name=logwatch-devel
This issue affects the versions of the logwatch package as shipped with Red Hat Enterprise Linux 5 and 6. -- This issue affects the versions of the logwatch package as shipped with Fedora releases 13 and 14.
CVE Request: [4] http://www.openwall.com/lists/oss-security/2011/02/24/13
Created logwatch tracking bugs for this issue. Affects: fedora-all [bug 680253]
RHEL4 is not affected. The way that version of logwatch cats log files together offloads the shell expansion to the shell. It's not terribly safe looking in code, but it works. You end up with things like `cat /var/log/httpd/* > output`. The wildcard is passed to the shell unexpanded. From what I see, it's not getting expanded when logwatch is run.
The upstream patch appears to work. Outside using system, it appears to do it in a fairly safe manner now. I don't like using system() for this sort of thing, but that's likely outside the scope of this fix.
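To make the point in the description and the two comments above concrete, here is an added example (not logwatch's own code, and not the upstream patch) contrasting the risky pattern of building one command string from raw log file names for system() with two safer alternatives: quoting each name if a shell is unavoidable, and concatenating the files without any shell at all. The allowlist pattern and the sample file names are assumptions constructed for the example.

```python
import os
import re
import shlex
import tempfile

# Constructed allowlist of characters that legitimately occur in rotated log
# names; an assumption for this example, not a rule taken from logwatch.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

def unsafe_shell_command(paths, out_path):
    """The pattern behind the bug: one string built from raw file names and
    handed to the shell, so every byte of every name reaches the shell parser."""
    return "cat " + " ".join(paths) + " > " + out_path

def quoted_shell_command(paths, out_path):
    """If a shell must be used, quote every name so each is a single literal word."""
    quoted = " ".join(shlex.quote(p) for p in paths)
    return "cat " + quoted + " > " + shlex.quote(out_path)

def reject_unsafe_names(paths):
    """Return the paths whose basename contains anything outside the allowlist."""
    return [p for p in paths if not SAFE_NAME.match(os.path.basename(p))]

def concat_logs_without_shell(paths, out_path):
    """Concatenate files by opening them directly: with no shell involved,
    a name is only a name. Returns the size of the combined output."""
    with open(out_path, "wb") as out:
        for p in paths:
            with open(p, "rb") as f:
                out.write(f.read())
    return os.path.getsize(out_path)

def demo():
    """Constructed sample: two ordinary logs plus one whose name carries a
    shell metacharacter, all created in a scratch directory."""
    workdir = tempfile.mkdtemp()
    names = ["messages", "messages.1", "messages;id"]
    for n in names:
        with open(os.path.join(workdir, n), "w") as f:
            f.write("line from " + n + "\n")
    paths = [os.path.join(workdir, n) for n in names]
    rejected = reject_unsafe_names(paths)
    safe = [p for p in paths if p not in rejected]
    out = os.path.join(workdir, "output")
    size = concat_logs_without_shell(safe, out)
    return rejected, quoted_shell_command(safe, out), size

if __name__ == "__main__":
    print(demo())
```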
Should we expect updates for Red Hat Enterprise Linux 5 and 6?
Updates are in progress. Once they've passed all of our internal testing, we will release updates. Thanks.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5

Via RHSA-2011:0324 https://rhn.redhat.com/errata/RHSA-2011-0324.html