PublicDateAtUSN: 2011-03-30
Candidate: CVE-2011-1098
PublicDate: 2011-03-30 22:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1098
 http://openwall.com/lists/oss-security/2011/03/04/16
 https://ubuntu.com/security/notices/USN-1172-1
Description:
 Race condition in the createOutputFile function in logrotate.c in
 logrotate 3.7.9 and earlier allows local users to read log data by opening
 a file before the intended permissions are in place.
Ubuntu-Description:
Notes:
 mdeslaur> this is issue #8
 mdeslaur> this seems to have been addressed in debian/ubuntu by the
 mdeslaur> create-388608.patch patch.
 mdeslaur> hardy doesn't have them (in (3.7.8-4))
Bugs:
 https://bugzilla.redhat.com/show_bug.cgi?id=680798
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_logrotate:
upstream_logrotate: needs-triage
dapper_logrotate: ignored (reached end-of-life)
hardy_logrotate: released (3.7.1-3ubuntu0.8.04.1)
karmic_logrotate: ignored (reached end-of-life)
lucid_logrotate: not-affected (3.7.8-4ubuntu2.1)
maverick_logrotate: not-affected (3.7.8-6ubuntu1)
natty_logrotate: not-affected (3.7.8-6ubuntu3)
devel_logrotate: not-affected (3.7.8-6ubuntu3)