Bug 81145 - Log message treated as a regexp???
Log message treated as a regexp???
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: logwatch (Show other bugs)
8.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Elliot Lee
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-01-05 23:41 EST by Aleksey Nogin
Modified: 2007-04-18 12:49 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-07-10 09:43:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Demonstrates problem in logwatch 'secure' script regexp (801 bytes, text/plain)
2003-03-07 17:02 EST, Stephen Walton
no flags Details

  None (edit)
Description Aleksey Nogin 2003-01-05 23:41:40 EST
Some time ago I've received the following message from logwatch:

 ################## LogWatch 2.6 Begin ##################### 

Nested quantifiers in regex; marked by <-- HERE in m/sudo:  aleksey : TTY=tty1 ;
PWD=/home/aleksey ; USER=root ; COMMAND=/bin/rpm -e compat-libstdc++ <-- HERE /
at /etc/log.d/scripts/services/secure line 88, <STDIN> line 43.


 ###################### LogWatch End ######################### 

Which means that somehow logwatch managed to interpret the *user* input as a
regexp! Can this be a security issue?
Comment 1 Elliot Lee 2003-02-19 18:04:11 EST
Can you try the logwatch 4.3.1 in rawhide and see if it has this issue? I can't
see any lines in 4.3.1 in the script mentioned that would fit the description.
Comment 2 Stephen Walton 2003-03-07 17:02:02 EST
Created attachment 90521 [details]
Demonstrates problem in logwatch 'secure' script regexp

Running this script creates and executes a Perl program called 'bugdemo.pl' in
the current directory.
Comment 3 Stephen Walton 2003-03-07 17:04:37 EST
My comment to my demo got lost:  the problem arises when a line in
/var/log/secure contains the string ++, as it does for the original poster, and
did for me, when an 'sudo' command is executed to manipulate a C++ library.  My
attachment demonstrates the problem but I'm not enough of a Perl hacker to
figure out a patch.

I don't think this should be marked CLOSED but I can't change the status.
Comment 4 Elliot Lee 2003-07-10 09:43:16 EDT
4.3.2 has this problem fixed, and probably 4.3.1.
Comment 5 Stephen Walton 2003-07-10 13:58:07 EDT
Fair enough, but the original bug was against RH 8.0, and the latest version of
logwatch released for 8.0 seems to be the one on the original release, 2.6-8. 
4.3.1-2 is on my RH9 systems, though.  I did "rpm -U --test" on an RH8.0 system
against the logwatch 4.3.1-2 RPM shipped with RH9 and got no errors;  would it
be safe to install it?


Note You need to log in before you can comment on or make changes to this bug.