A file access race condition (time-of-check, time-of-use; TOCTOU) was found in the way the logrotate utility created new log files after rotation when their immediate creation (the "create" configuration option) was requested. If logrotate was run as a privileged user (root) on an attacker-controllable directory, a local attacker could use this flaw to change the owner or mode of arbitrary system files to the owner and mode specified in logrotate's configuration.

Clarified flaw details from Stefan Fritsch of Debian Security Team:
===================================================================

Here the race condition is between the rename

    950   if (!debug && rename(oldName, newName)) {

and the creation of the new file at

    1117  fd = createOutputFile(log->files[logNum], O_CREAT | O_RDWR, &sb);

If an attacker can link a file into place in that race period, the permissions of that file will be changed. It is not necessary for the attacker to have write or chmod permissions on the log file.

The fix is to use O_EXCL.
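
The effect of the O_EXCL fix can be checked in a private temporary directory. The following is an added example, not logrotate's code: create_log() is a hypothetical stand-in for createOutputFile(), the file names and modes are constructed, and only the mode change (not the owner change) is shown.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for logrotate's createOutputFile(): create the new
 * log and apply the configured mode. With excl set, open() fails (EEXIST)
 * if anything already occupies the path, so fchmod() never runs on it. */
static int create_log(const char *path, mode_t mode, int excl)
{
    int fd = open(path, O_CREAT | O_RDWR | (excl ? O_EXCL : 0), 0600);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed scenario in a private temp dir: "victim" is an unrelated file
 * with mode 0600; a hard link to it sits at the log path when the create
 * step runs. Returns the victim's mode afterwards; *rc gets create_log()'s
 * result. */
static mode_t victim_mode_after_create(int excl, int *rc)
{
    char dir[] = "/tmp/lrdemoXXXXXX", victim[64], logp[64];
    struct stat sb = {0};
    if (!mkdtemp(dir))
        return (mode_t)-1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logp, sizeof logp, "%s/app.log", dir);
    int fd = open(victim, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0 || fchmod(fd, 0600) || close(fd) || link(victim, logp))
        return (mode_t)-1;
    *rc = create_log(logp, 0644, excl);
    stat(victim, &sb);
    unlink(logp); unlink(victim); rmdir(dir);
    return sb.st_mode & 0777;
}

int main(void)
{
    int rc;
    printf("without O_EXCL: %04o\n", (unsigned)victim_mode_after_create(0, &rc));
    printf("with O_EXCL:    %04o\n", (unsigned)victim_mode_after_create(1, &rc));
    return 0;
}
```

Without O_EXCL the open succeeds on the existing link and the configured mode lands on the linked file; with O_EXCL the create step fails and the caller can treat that as an error instead of touching a file it did not create.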