
Bug#1004580: marked as done (bullseye-pu: package logrotate/3.18.0-2)



Your message dated Sat, 09 Jul 2022 11:47:43 +0100
with message-id <2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #1004580,
regarding bullseye-pu: package logrotate/3.18.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1004580: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004580
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bullseye
X-Debbugs-Cc: cgzones@googlemail.com
Severity: normal

[ Reason ]
Logrotate does not reject invalid files as configuration files and
tries to parse at least parts of them.
Those files for example might be crafted coredumps, placed in
/etc/logrotate.d/ via an unsafe core dump handler.
Be more strict while parsing configuration files. See
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002022
  https://github.com/logrotate/logrotate/pull/427
  https://www.openwall.com/lists/oss-security/2021/10/20/2

Also include two other fixes, one using the correct stat information
when verifying an olddir configuration after creating the olddir, the
other advancing the pointer in full_write on an incomplete write to avoid
data corruption.

[ Impact ]
With an unsafe coredump handler logrotate can be used in an exploit
chain to execute arbitrary code.
Since logrotate is not the main culprit, there might still be alternatives.

[ Tests ]
The changes are all part of the recent logrotate release 3.19.0.

[ Risks ]
Since the configuration parser gets much stricter, previously accepted
but unsharp files may become invalid, leading to logrotate not
rotating the files related to that section.
A failure of logrotate is handled by systemd by setting the service
state to "failed" and the system status to "degraded". Cron might send
an email with the command output.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable (everything is
included in 3.19.0-1)

Attachment: logrotate-3.18.0-2+deb11u1.debdiff
Description: Binary data


--- End Message ---
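As an added example, not part of the bug report or of logrotate itself: a small defender-side audit that lists files in a logrotate drop-in directory which cannot be text configuration (ELF header, NUL bytes, undecodable or control bytes), the kind of stray input a stricter config parser should refuse. The directory path, the constructed sample files and the rejection heuristics are assumptions of this example.

```python
# Added example, not logrotate's own code: audit a logrotate drop-in directory for
# files that are not text configuration (e.g. a core dump). Heuristics are assumptions.
import os
import sys
import tempfile

ELF_MAGIC = b"\x7fELF"

SAMPLES = {  # constructed stand-ins for /etc/logrotate.d/ contents
    "apt": b"/var/log/apt/term.log {\n  rotate 12\n  monthly\n  compress\n}\n",
    "core.1234": ELF_MAGIC + b"\x02\x01\x01\x00" + b"\x00" * 60,  # fake core dump
    "garbage": b"rotate 4\n\x00\x01\x02",  # text prefix, binary tail
}

def classify_config(data: bytes) -> str:
    """Return 'ok' for a plausible text config, else a reason to reject it."""
    if data.startswith(ELF_MAGIC):
        return "ELF header (core dump or binary)"
    if b"\x00" in data:
        return "contains NUL bytes"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "not valid UTF-8"
    # Control characters other than the whitespace a config legitimately uses.
    control = sum(1 for ch in text if ord(ch) < 0x20 and ch not in "\t\n\r")
    return f"{control} control character(s)" if control else "ok"

def audit_dir(path: str) -> dict:
    """Map each regular file in `path` to its verdict (first MiB is inspected)."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                results[name] = classify_config(fh.read(1 << 20))
    return results

def audit_samples() -> dict:
    """Write SAMPLES into a temporary directory and audit it (offline demo)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return audit_dir(tmp)

if __name__ == "__main__":  # usage: audit.py [/etc/logrotate.d]; exit 1 on rejects
    verdicts = audit_dir(sys.argv[1]) if len(sys.argv) > 1 else audit_samples()
    bad = {n: v for n, v in verdicts.items() if v != "ok"}
    print("\n".join(f"REJECT {n}: {v}" for n, v in bad.items()) or "all files ok")
    sys.exit(1 if bad else 0)
```

Run without arguments to see the verdicts on the constructed samples; pass a directory to audit a real drop-in location.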
--- Begin Message ---
Package: release.debian.org
Version: 11.4

(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye
point release.

Regards,

Adam

--- End Message ---
