Some time ago I received the following message from logwatch:
################## LogWatch 2.6 Begin #####################
Nested quantifiers in regex; marked by <-- HERE in m/sudo: aleksey : TTY=tty1 ; PWD=/home/aleksey ; USER=root ; COMMAND=/bin/rpm -e compat-libstdc++ <-- HERE / at /etc/log.d/scripts/services/secure line 88, <STDIN> line 43.
###################### LogWatch End #########################
Which means that somehow logwatch managed to interpret the *user* input as a regexp! Can this be a security issue?
Can you try the logwatch 4.3.1 in rawhide and see if it has this issue? I can't see any lines in 4.3.1 in the script mentioned that would fit the description.
Created attachment 90521
Demonstrates problem in logwatch 'secure' script regexp
Running this script creates and executes a Perl program called 'bugdemo.pl' in the current directory.
My comment to my demo got lost: the problem arises when a line in /var/log/secure contains the string ++, as it does for the original poster, and did for me, when a 'sudo' command is executed to manipulate a C++ library. My attachment demonstrates the problem but I'm not enough of a Perl hacker to figure out a patch. I don't think this should be marked CLOSED but I can't change the status.
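
The failure described in the comment above, as an added example that is not part of the thread, the attachment, or logwatch's code: log-derived text interpolated into a Perl pattern, next to the same match with `\Q...\E` quoting. The helper names and the second log line are constructed for illustration. Perl of the RH 8.0 era rejects `++` as nested quantifiers, while Perl 5.10 and later parse it as a possessive quantifier, so the unquoted pattern compiles but over-matches.

```perl
#!/usr/bin/perl
# Added illustration, not logwatch's code. The first entry is built from
# the values visible in the error message; the second is constructed.
use strict;
use warnings;

my $prefix = 'aleksey : TTY=tty1 ; PWD=/home/aleksey ; USER=root ; ';
my $entry  = $prefix . 'COMMAND=/bin/rpm -e compat-libstdc++';
my @log    = (
    "sudo: $entry",
    "sudo: ${prefix}COMMAND=/bin/rpm -e compat-libstdc-devel",
);

# Unsafe: $needle is compiled as part of the pattern, so any regex
# metacharacter in the logged command is interpreted, not matched.
sub count_unsafe {
    my ($needle, @lines) = @_;
    return scalar grep { /sudo: $needle/ } @lines;
}

# Safe: \Q...\E applies quotemeta, so every character is literal.
sub count_safe {
    my ($needle, @lines) = @_;
    return scalar grep { /sudo: \Q$needle\E/ } @lines;
}

# Older Perl dies here ("Nested quantifiers"); Perl 5.10+ reads "c++"
# as a possessive quantifier and also counts the libstdc-devel line.
my $n = eval { count_unsafe($entry, @log) };
print defined $n ? "unsafe: $n match(es)\n" : "unsafe: died: $@";

# Only the line that literally contains "compat-libstdc++" is counted.
print "safe:   ", count_safe($entry, @log), " match(es)\n";
```

Either unsafe outcome is a defect in a log summarizer: an aborted report hides every later entry, and an over-matching pattern misattributes entries.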
4.3.2 has this problem fixed, and probably 4.3.1.
Fair enough, but the original bug was against RH 8.0, and the latest version of logwatch released for 8.0 seems to be the one on the original release, 2.6-8. 4.3.1-2 is on my RH9 systems, though. I did "rpm -U --test" on an RH8.0 system against the logwatch 4.3.1-2 RPM shipped with RH9 and got no errors; would it be safe to install it?