Bug 680796 - (CVE-2011-1154) CVE-2011-1154 logrotate: Shell command injection by using the shred configuration directive
CVE-2011-1154 logrotate: Shell command injection by using the shred configura...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Reopened, Security
Depends On: 688518 688519 688520
  Show dependency treegraph
Reported: 2011-02-27 14:36 EST by Jan Lieskovsky
Modified: 2015-07-29 10:03 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-07-29 10:03:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
proposed patch (3.61 KB, patch)
2011-02-28 05:06 EST, Jan Kaluža
no flags Details | Diff
proposed patch (3.72 KB, patch)
2011-03-01 03:41 EST, Jan Kaluža
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2011-02-27 14:36:26 EST
A shell command injection flaw was found in the way the logrotate utility
handled shred configuration directive (intended to ensure the log files
are not readable after their scheduled deletion). A local attacker could
use this flaw to execute arbitrary system commands (if the logrotate
was run under privileged system user account, root) when the logrotate
utility was run on a log file, within attacker controllable directory.
Comment 1 Jan Kaluža 2011-02-28 05:06:10 EST
Created attachment 481342 [details]
proposed patch

Fixes mentioned bug by passing file descriptor as STDOUT to shred utility instead of passing filename. Any feedback is welcome.
Comment 5 Jan Kaluža 2011-03-01 03:41:31 EST
Created attachment 481556 [details]
proposed patch

This patch also unlinks log file after shredding.
Comment 7 Huzaifa S. Sidhpurwala 2011-03-17 05:58:06 EDT
Created logrotate tracking bugs for this issue

Affects: fedora-all [bug 688520]
Comment 8 errata-xmlrpc 2011-03-31 11:16:32 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0407 https://rhn.redhat.com/errata/RHSA-2011-0407.html
Comment 9 Jan Lieskovsky 2011-03-31 11:34:14 EDT

Not vulnerable. This issue did not affect the versions of logrotate as
shipped with Red Hat Enterprise Linux 4 and 5, as they did not support
'shred' logrotate configuration directive yet.

Note You need to log in before you can comment on or make changes to this bug.