Red Hat Bugzilla – Bug 680787
logrotate: TOCTOU race condition by creating the compressed or copied log file (information disclosure)
Last modified: 2016-03-04 06:11:51 EST
A file access race condition (time-of-check, time-of-use, TOCTOU
race condition) was found in the way logrotate determines the
permissions of newly created files when compression or copying of a
log file has been requested. If the logrotate utility was run on a log
file contained within an attacker-controllable directory, a local
attacker could use this flaw to trick the logrotate utility into
creating the compressed or copied file with user-selected permissions,
potentially leading to disclosure of sensitive information.
Further clarified flaw information from Stefan Fritsch of the Debian Security Team:
Both compressLogFile() and copyTruncate() are vulnerable to this
issue. Instead of using the permissions passed in sb, both functions
should call fstat() on the opened file.
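
The suggested fix, as an added example that is not logrotate's code and not part of the original report: the output file's mode is taken from fstat() on the already opened log descriptor instead of from a struct stat filled in earlier by path. The function names, the /tmp sample paths, and the O_NOFOLLOW, O_EXCL and regular-file checks are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open first, then fstat() the descriptor: the mode belongs to the inode
 * actually being read, not to whatever the path named at an earlier stat().
 * O_NOFOLLOW and the regular-file check are added policy assumptions. */
static int open_log_checked(const char *path, struct stat *st)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd >= 0 && (fstat(fd, st) != 0 || !S_ISREG(st->st_mode))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create the copied/compressed output. O_EXCL refuses a pre-existing file or
 * symlink; the file starts owner-only, then fchmod() sets the final mode. */
static int create_output(const char *out_path, mode_t mode)
{
    int out = open(out_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (out >= 0 && fchmod(out, mode & 07777) != 0) {
        close(out);
        unlink(out_path);
        return -1;
    }
    return out;
}

int main(void)
{
    char log[] = "/tmp/toctou-demo-XXXXXX", out[64]; /* constructed paths */
    struct stat st;
    int tmp = mkstemp(log);
    if (tmp < 0 || fchmod(tmp, 0640) != 0)
        return 1;
    snprintf(out, sizeof out, "%s.1", log);
    int in = open_log_checked(log, &st);
    int fd = in < 0 ? -1 : create_output(out, st.st_mode);
    if (fd >= 0)
        printf("%s created with mode %04o\n", out, (unsigned)(st.st_mode & 07777));
    unlink(log);
    unlink(out);
    return fd < 0;
}
```

Because fchmod() acts on the descriptor, the mode applied to the output is not affected by the umask or by anything that happens to the path after the open.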