CVE-2022-1348

CVE-2022-1348

Name

CVE-2022-1348

Description

A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-1348
MLIST	http://www.openwall.com/lists/oss-security/2022/05/25/3
MLIST	http://www.openwall.com/lists/oss-security/2022/05/25/4
MLIST	http://www.openwall.com/lists/oss-security/2022/05/25/5
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYEB4F37BY6GLEJKP2EPVAVQ6TA3HQKR/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7EHGYRE6DSFSBXQIWYDGTSXKO6IFSJQ/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYEB4F37BY6GLEJKP2EPVAVQ6TA3HQKR/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y7EHGYRE6DSFSBXQIWYDGTSXKO6IFSJQ/

Type

URI

MISC

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-1348

MLIST

http://www.openwall.com/lists/oss-security/2022/05/25/3

MLIST

http://www.openwall.com/lists/oss-security/2022/05/25/4

MLIST

http://www.openwall.com/lists/oss-security/2022/05/25/5

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYEB4F37BY6GLEJKP2EPVAVQ6TA3HQKR/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7EHGYRE6DSFSBXQIWYDGTSXKO6IFSJQ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYEB4F37BY6GLEJKP2EPVAVQ6TA3HQKR/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y7EHGYRE6DSFSBXQIWYDGTSXKO6IFSJQ/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:logrotate_project:logrotate::::::::`	logrotate	>= 3.17.0	< 3.20.0

CPE URI

Source package

Min version

Max version

cpe:2.3:a:logrotate_project:logrotate:*:*:*:*:*:*:*:*

logrotate

>= 3.17.0

< 3.20.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
logrotate	edge-main	3.20.1-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
logrotate	3.22-main	3.20.1-r0	None	fixed
logrotate	3.21-main	3.20.1-r0	None	fixed
logrotate	3.20-main	3.20.1-r0	None	fixed
logrotate	3.19-main	3.20.1-r0	None	fixed
logrotate	3.18-main	3.20.1-r0	None	fixed
logrotate	3.17-main	3.20.1-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

logrotate

edge-main

3.20.1-r0

Natanael Copa <ncopa@alpinelinux.org>

fixed

logrotate

3.22-main