A shell command injection flaw was found in the way the logrotate utility handled the shred configuration directive (intended to ensure the log files are not readable after their scheduled deletion). A local attacker could use this flaw to execute arbitrary system commands (if logrotate was run under a privileged system user account, root) when the logrotate utility was run on a log file within an attacker-controllable directory.
Created attachment 481342: proposed patch

Fixes the mentioned bug by passing a file descriptor as STDOUT to the shred utility instead of passing the filename. Any feedback is welcome.
Created attachment 481556: proposed patch

This patch also unlinks the log file after shredding.
Created logrotate tracking bugs for this issue

Affects: fedora-all [bug 688520]
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0407 https://rhn.redhat.com/errata/RHSA-2011-0407.html
Statement:

Not vulnerable. This issue did not affect the versions of logrotate as shipped with Red Hat Enterprise Linux 4 and 5, as they did not yet support the 'shred' logrotate configuration directive.