File _patchinfo of Package patchinfo.import4580

<patchinfo incident="logrotate" version="4580">
  <issue tracker="bnc" id="677336" />
  <issue tracker="bnc" id="679661" />
  <issue tracker="bnc" id="679662" />
  <issue tracker="CVE" id="CVE-2011-1154" />
  <issue tracker="CVE" id="CVE-2011-1155" />
  <issue tracker="CVE" id="CVE-2011-1098" />
  <category>security</category>
  <rating>low</rating>
  <summary>logrotate: Multiple security fixes</summary>
  <description>This update for logrotate provides the following fixes:

* The shred_file function in logrotate might allow
  context-dependent attackers to execute arbitrary commands
  via shell metacharacters in a log filename, as
  demonstrated by a filename that is automatically
  constructed on the basis of a hostname or virtual machine
  name (CVE-2011-1154) (bnc#679661)

* Race condition in the createOutputFile function in
  logrotate allows local users to read log data by opening
  a file before the intended permissions are in place
  (CVE-2011-1098) (bnc#677336)

* The writeState function in logrotate might allow
  context-dependent attackers to cause a denial of service
  (rotation outage) via a (1) \n (newline) or (2) \
  (backslash) character in a log filename, as demonstrated
  by a filename that is automatically constructed on the
  basis of a hostname or virtual machine name
  (CVE-2011-1155) (bnc#679662)
</description>
  <packager>adrianSuSE</packager>
</patchinfo>