A shell command injection flaw was found in the way the logrotate utility
handled shred configuration directive (intended to ensure the log files
are not readable after their scheduled deletion). A local attacker could
use this flaw to execute arbitrary system commands (if the logrotate
was run under privileged system user account, root) when the logrotate
utility was run on a log file, within attacker controllable directory.
Created attachment 481342 [details]
Fixes mentioned bug by passing file descriptor as STDOUT to shred utility instead of passing filename. Any feedback is welcome.
Created attachment 481556 [details]
This patch also unlinks log file after shredding.
Created logrotate tracking bugs for this issue
Affects: fedora-all [bug 688520]
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0407 https://rhn.redhat.com/errata/RHSA-2011-0407.html
Not vulnerable. This issue did not affect the versions of logrotate as
shipped with Red Hat Enterprise Linux 4 and 5, as they did not support
'shred' logrotate configuration directive yet.