[Bug 1977689] Re: Wrong error msg: "state file /var/lib/logrotate/status is world-readable" although it is not
Alessandro Ratti
1977689 at bugs.launchpad.net
Mon Nov 28 10:17:55 UTC 2022
Hello,
I think this commit [1] (3.17.0) introduced a security problem, which was assigned CVE-2022-1348 [2].
They fixed it in [3] (3.20.0) and [4] (3.20.1).
Although I see you've pulled from debian/sid the patched version, I don't think you have ever pushed those patches to jammy/devel.
May I request to release a package with the fix?
Thanks
[1]: https://github.com/logrotate/logrotate/commit/f46d0bdfc9c53515c13880c501f4d2e1e7dd8b25
[2]: https://github.com/advisories/GHSA-4c4j-w8hm-rjgv
[3]: https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9
[4]: https://github.com/logrotate/logrotate/commit/addbd293242b0b78aa54f054e6c1d249451f137d
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1348
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to logrotate in Ubuntu.
https://bugs.launchpad.net/bugs/1977689
Title:
Wrong error msg: "state file /var/lib/logrotate/status is world-readable" although it is not
Status in logrotate package in Ubuntu:
Confirmed
Bug description:
Ubuntu 22.04
logrotate 3.19.0-1ubuntu1.1
Every hour, I receive this wrong message:
Subject: Cron <root@<hostname>> cd / && run-parts --report /etc/cron.hourly
/etc/cron.hourly/logrotate:
error: state file /var/lib/logrotate/status is world-readable and thus can be locked from other unprivileged users. Skipping lock acquisition...
despite:
# ls -al /var/lib/logrotate
total 40
drwxr-x--- 2 root root 4096 Jun 5 17:17 .
drwxr-xr-x 66 root root 4096 Jun 3 20:02 ..
-rw-r----- 1 root root 31974 Jun 5 17:17 status