File logrotate-CVE-2022-1348-follow-up.patch of Package logrotate.35787

From addbd293242b0b78aa54f054e6c1d249451f137d Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 25 May 2022 09:55:02 +0200
Subject: [PATCH] drop world-readable permission on state file

... even when ACLs are enabled.  This is a follow-up to the fix
of CVE-2022-1348.  It has no impact on security but makes the state
file locking work again in more cases.

Closes: https://github.com/logrotate/logrotate/pull/446
---
 logrotate.c       | 10 +++++++---
 test/test-0048.sh |  1 +
 2 files changed, 8 insertions(+), 3 deletions(-)

Index: logrotate-3.18.1/logrotate.c
===================================================================
--- logrotate-3.18.1.orig/logrotate.c
+++ logrotate-3.18.1/logrotate.c
@@ -2514,6 +2514,7 @@ static int writeState(const char *stateF
     struct tm now;
     time_t now_time, last_time;
     char *prevCtx;
+    int force_mode = 0;
 
     localtime_r(&nowSecs, &now);
 
@@ -2582,9 +2583,13 @@ static int writeState(const char *stateF
     close(fdcurr);
 
     /* drop world-readable flag to prevent others from locking */
-    sb.st_mode &= ~(mode_t)S_IROTH;
+    if (sb.st_mode & (mode_t)S_IROTH) {
+        /* drop world-readable flag to prevent others from locking */
+        sb.st_mode &= ~(mode_t)S_IROTH;
+        force_mode = 1;
+    }
 
-    fdsave = createOutputFile(tmpFilename, O_RDWR | O_CREAT | O_TRUNC, &sb, prev_acl, 0);
+    fdsave = createOutputFile(tmpFilename, O_RDWR | O_CREAT | O_TRUNC, &sb, prev_acl, force_mode);
 #ifdef WITH_ACL
     if (prev_acl) {
         acl_free(prev_acl);
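Review bot: The comment `/* drop world-readable flag to prevent others from locking */` now appears twice, once above the new `if` and once inside it; one copy should go. The reason for setting `force_mode` is left undocumented: going by the commit message, the mode in `sb` is otherwise not applied when an ACL is carried over, so I would say so at the assignment, e.g. `force_mode = 1; /* apply sb.st_mode even when prev_acl is restored */`. That reading is inferred, since createOutputFile() is not visible here, and writeState() itself starts and ends outside the hunk. Only the `S_IROTH` bit is cleared, so whether ACL entries for named users still let them open the state file should be confirmed separately.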
Index: logrotate-3.18.1/test/test-0048.sh
===================================================================
--- logrotate-3.18.1.orig/test/test-0048.sh
+++ logrotate-3.18.1/test/test-0048.sh
@@ -18,6 +18,7 @@ cat > state << EOF
 logrotate state -- version 2
 EOF
 
+chmod 0640 state
 setfacl -m u:nobody:rwx state
 
 $RLR test-config.48
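Review bot: With `chmod 0640 state` the state file has no world-readable bit, so this setup does not exercise the new `if (sb.st_mode & (mode_t)S_IROTH)` branch in writeState() or `force_mode = 1`. Unless another test already covers it, add a case that leaves the state file world-readable with the ACL set and checks afterwards that the rewritten file has lost `o+r`. A comment above the chmod, such as `# not world-readable, so logrotate keeps the ACL instead of forcing the mode`, would explain why the line is needed; that explanation is inferred from the commit message, since the rest of the test is outside the hunk.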