privilege escalation and potential data loss in logrotate



Hi,

The short summary:

1. There is a privilege escalation vulnerability in stable's logrotate,
   verified to work for switching from the postgres user to root, probably
   affecting the system users of about 40 packages. A fix for this has
   been in testing for about a year now, the original bug report and a
   first patch have been in the bug tracker for about four years now.

2. The fix in testing introduces a regression that can cause loss of
   log messages where no such loss was possible before. A fix for this
   regression has been available to the maintainer and the security team
   for about a year now but has not been integrated so far.

Got your attention? Good, let me elaborate a bit:

First of all, it's bug #388608. Unfortunately, quite a bit of the
interesting communication was private, either with the maintainer, or
with the security team, or both, so I can't reference it in some public
location, and just pasting my own text fragments into this mail probably
would not be particularly enlightening either.

As far as the vulnerability is concerned, I guess the available
information at least is sufficient to get some clue as to what the
problem is and how serious it is.

Regarding the regression in the fix: With previous versions, it was
guaranteed that unless you used the copytruncate option, you would not
ever lose log messages due to rotation. With the fix, this guarantee
does not exist anymore in cases where the program writing to the log
file as well as logrotate may create the log file when it doesn't exist
(which is a common setup, and which cannot even be avoided in many
cases).

Now, the problem is that I don't really recall all the details anymore
either, and it would be some effort to get into it again. Given the
little success my efforts have had so far, I am not willing to put in
that work for potentially no gain. If you have any specific questions,
feel free to ask, I'll do my best to give you the information I have,
and if I see that this is actually going somewhere, maybe I'm even going
to devote some more cycles to this again.

If I don't see any solution emerging in a reasonable time frame, my next
step would be a more-or-less mass filing against all those packages that
some rough analysis suggests are affected by either the vulnerability
or the regression so that their maintainers can take measures to work
around the problem if they want to.

Florian
