Bug#1004580: bullseye-pu: package logrotate/3.18.0-2
On Sun, Jan 30, 2022 at 07:23:20PM +0100, Christian Göttsche wrote:
> [ Reason ]
> Logrotate does not reject invalid files as configuration files and
> tries to parse at least parts of them.
> Those files for example might be crafted coredumps, placed in
> /etc/logrotate.d/ via an unsafe core dump handler.
> Be more strict while parsing configuration files. See
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002022
> https://github.com/logrotate/logrotate/pull/427
> https://www.openwall.com/lists/oss-security/2021/10/20/2
>
> Also include two other fixes, one using the correct stat information
> when verifying an olddir configuration after creating the olddir, the
> other advancing pointer in full_write on incomplete write to avoid
> data corruption.
>
Go ahead, thanks.
Cheers,
Julien
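
The last fix named in the request (advancing the pointer in full_write after an incomplete write) concerns a common class of bug, shown here as an added illustration that is not logrotate's code and not the actual patch. The sink, `short_write`, `run` and both loop bodies are constructed for this example; a real implementation would call write(2) on a file descriptor.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sink: accepts at most 3 bytes per call, like a short write(2). */
static char sink[64];
static size_t sink_len;

static ssize_t short_write(const void *buf, size_t n)
{
    size_t take = n < 3 ? n : 3;
    if (sink_len + take >= sizeof sink) { errno = ENOSPC; return -1; }
    memcpy(sink + sink_len, buf, take);
    sink_len += take;
    return (ssize_t)take;
}

/* Retry loop over short writes. With advance == 0 the remaining count
 * shrinks but the pointer stays put, so every retry resends the start of
 * the buffer: the output has the right length and the wrong content. */
static int full_write(const void *buf, size_t n, int advance)
{
    const char *p = buf;
    while (n > 0) {
        ssize_t w = short_write(p, n);
        if (w < 0) {
            if (errno == EINTR) continue;   /* interrupted: retry */
            return -1;
        }
        if (w == 0) { errno = EIO; return -1; } /* no progress: do not spin */
        if (advance) p += w;                /* skip bytes already written */
        n -= (size_t)w;
    }
    return 0;
}

/* Write msg into a fresh sink and return what arrived (NULL on error). */
static const char *run(int advance, const char *msg)
{
    sink_len = 0;
    memset(sink, 0, sizeof sink);
    return full_write(msg, strlen(msg), advance) == 0 ? sink : NULL;
}

int main(void)
{
    printf("no advance: %s\n", run(0, "rotate.log"));
    printf("advance:    %s\n", run(1, "rotate.log"));
    return 0;
}
```

Because the corrupted output has the expected length, a size check alone does not catch this; comparing content or checksums of the copied log does.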