Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package logrotate for openSUSE:Factory checked in at 2022-05-26 18:44:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/logrotate (Old)
 and      /work/SRC/openSUSE:Factory/.logrotate.new.2254 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "logrotate" Thu May 26 18:44:00 2022 rev:72 rq:979299 version:3.20.1 Changes: -------- --- /work/SRC/openSUSE:Factory/logrotate/logrotate.changes 2022-03-11 21:40:03.098017666 +0100 +++ /work/SRC/openSUSE:Factory/.logrotate.new.2254/logrotate.changes 2022-05-26 18:44:07.449182450 +0200 @@ -1,0 +2,26 @@ +Wed May 25 20:06:20 UTC 2022 - Michael Str??der <[email protected]> + +- update to 3.20.1: + * drop world-readable permission on state file even when ACLs are enabled (#446) +- removed obsolete logrotate-CVE-2022-1348-follow-up.patch + +------------------------------------------------------------------- +Wed May 25 15:31:32 UTC 2022 - David Anes <[email protected]> + +- Security fix: (bsc#1199652, CVE-2022-1348) + * Add follow-up upstream patch for the introduced fix. + * Added patch logrotate-CVE-2022-1348-follow-up.patch + +- Update patch: + * logrotate-3.19.0-man_logrotate.patch -> logrotate-3.20.0-man_logrotate.patch + +------------------------------------------------------------------- +Wed May 25 13:34:17 UTC 2022 - Michael Str??der <[email protected]> + +- update to 3.20.0: + * fix potential DoS from unprivileged users via the state file (CVE-2022-1348) + * fix a misleading debug message with copytruncate and rotate 0 (#443) + * add support for unsigned time_t (#438) + * do not lock state file /dev/null (#433) + +------------------------------------------------------------------- Old: ---- logrotate-3.19.0-man_logrotate.patch logrotate-3.19.0.tar.xz logrotate-3.19.0.tar.xz.asc New: ---- logrotate-3.20.0-man_logrotate.patch logrotate-3.20.1.tar.xz logrotate-3.20.1.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ logrotate.spec ++++++ --- /var/tmp/diff_new_pack.BaUBfJ/_old 2022-05-26 18:44:08.073183178 +0200 +++ /var/tmp/diff_new_pack.BaUBfJ/_new 2022-05-26 18:44:08.077183182 +0200 
@@ -19,7 +19,7 @@ %{!?_distconfdir: %global _distconfdir %{_prefix}%{_sysconfdir}} Name: logrotate -Version: 3.19.0 +Version: 3.20.1 Release: 0 Summary: Cron service for rotating, compressing, mailing and removing system log files License: GPL-2.0-or-later @@ -32,8 +32,9 @@ Source3: logrotate.service Source10: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz.asc Source100: %{name}-rpmlintrc -Patch0: logrotate-3.19.0-man_logrotate.patch +Patch0: logrotate-3.20.0-man_logrotate.patch BuildRequires: acl +BuildRequires: automake BuildRequires: libacl-devel BuildRequires: pkgconfig BuildRequires: pkgconfig(libselinux) @@ -52,9 +53,10 @@ %prep %setup -q -%patch0 -p1 +%autopatch -p1 %build +autoreconf -f -i %configure \ --disable-silent-rules \ --with-state-file-path=%{_localstatedir}/lib/misc/logrotate.status \ ++++++ logrotate-3.19.0-man_logrotate.patch -> logrotate-3.20.0-man_logrotate.patch ++++++ --- /work/SRC/openSUSE:Factory/logrotate/logrotate-3.19.0-man_logrotate.patch 2022-03-11 21:40:03.078017652 +0100 +++ /work/SRC/openSUSE:Factory/.logrotate.new.2254/logrotate-3.20.0-man_logrotate.patch 2022-05-26 18:44:07.293182268 +0200 @@ -1,6 +1,6 @@ -diff -Naur logrotate-3.19.0.orig/logrotate.8.in logrotate-3.19.0/logrotate.8.in ---- logrotate-3.19.0.orig/logrotate.8.in 2022-02-24 11:18:24.202811846 +0100 -+++ logrotate-3.19.0/logrotate.8.in 2022-02-24 11:28:25.137690351 +0100 +diff -ur logrotate-3.20.0.orig/logrotate.8.in logrotate-3.20.0/logrotate.8.in +--- logrotate-3.20.0.orig/logrotate.8.in 2022-03-31 14:00:36.000000000 +0200 ++++ logrotate-3.20.0/logrotate.8.in 2022-05-25 15:40:21.015424608 +0200 @@ -48,6 +48,17 @@ is given on the command line, every file in that directory is used as a config file. 
@@ -19,15 +19,6 @@ If no command line arguments are given, \fBlogrotate\fR will print version and copyright information, along with a short usage summary. If any errors occur while rotating logs, \fBlogrotate\fR will exit with -@@ -76,7 +87,7 @@ - acquires a lock on the state file, if it cannot be acquired \fBlogrotate\fR - will exit with value 3. The default state file is \fI@STATE_FILE_PATH@\fR. - If \fI/dev/null\fR is given as the state file, then \fBlogrotate\fR will --not try to write the state file. -+not try to lock or write the state file. - - .TP - \fB\-\-skip-state-lock\fR @@ -752,7 +763,8 @@ tab(:); l l l. ++++++ logrotate-3.19.0.tar.xz -> logrotate-3.20.1.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/.tarball-version new/logrotate-3.20.1/.tarball-version --- old/logrotate-3.19.0/.tarball-version 2022-01-07 10:04:13.000000000 +0100 +++ new/logrotate-3.20.1/.tarball-version 2022-05-25 17:28:25.000000000 +0200 @@ -1 +1 @@ -3.19.0 +3.20.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/.version new/logrotate-3.20.1/.version --- old/logrotate-3.19.0/.version 2022-01-07 10:04:13.000000000 +0100 +++ new/logrotate-3.20.1/.version 2022-05-25 17:28:25.000000000 +0200 @@ -1 +1 @@ -3.19.0 +3.20.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/ChangeLog.md new/logrotate-3.20.1/ChangeLog.md --- old/logrotate-3.19.0/ChangeLog.md 2022-01-07 09:59:12.000000000 +0100 +++ new/logrotate-3.20.1/ChangeLog.md 2022-05-25 17:22:59.000000000 +0200 
@@ -4,7 +4,22 @@ ## [UNRELEASED] -[UNRELEASED]: https://github.com/logrotate/logrotate/compare/3.19.0...master +[UNRELEASED]: https://github.com/logrotate/logrotate/compare/3.20.1...master + +## [3.20.1] - 2022-05-25 + - drop world-readable permission on state file even when ACLs are enabled (#446) + +[3.20.1]: https://github.com/logrotate/logrotate/compare/3.20.0...3.20.1 + +## [3.20.0] - 2022-05-25 + - fix potential DoS from unprivileged users via the state file ([CVE-2022-1348]) + - fix a misleading debug message with `copytruncate` and `rotate 0` (#443) + - add support for unsigned `time_t` (#438) + - do not lock state file `/dev/null` (#433) + +[CVE-2022-1348]: https://bugzilla.redhat.com/CVE-2022-1348 + +[3.20.0]: https://github.com/logrotate/logrotate/compare/3.19.0...3.20.0 ## [3.19.0] - 2022-01-07 - continue on `EINTR` in `compressLogFile()` (#430) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/Makefile.in new/logrotate-3.20.1/Makefile.in --- old/logrotate-3.19.0/Makefile.in 2022-01-07 10:04:07.000000000 +0100 +++ new/logrotate-3.20.1/Makefile.in 2022-05-25 17:28:14.000000000 +0200 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2021 Free Software Foundation, Inc. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/README.md new/logrotate-3.20.1/README.md --- old/logrotate-3.19.0/README.md 2022-01-07 09:32:42.000000000 +0100 +++ new/logrotate-3.20.1/README.md 2022-05-25 17:21:10.000000000 +0200 
@@ -6,10 +6,12 @@ The latest release is: -* [logrotate-3.19.0](https://github.com/logrotate/logrotate/releases/download/3.19.0/logrotate-3.19.0.tar.xz) ([sig](https://github.com/logrotate/logrotate/releases/download/3.19.0/logrotate-3.19.0.tar.xz.asc)) ([Changelog](https://github.com/logrotate/logrotate/releases/tag/3.19.0)) +* [logrotate-3.20.1](https://github.com/logrotate/logrotate/releases/download/3.20.1/logrotate-3.20.1.tar.xz) ([sig](https://github.com/logrotate/logrotate/releases/download/3.20.1/logrotate-3.20.1.tar.xz.asc)) ([Changelog](https://github.com/logrotate/logrotate/releases/tag/3.20.1)) Previous releases: +* [logrotate-3.20.0](https://github.com/logrotate/logrotate/releases/download/3.20.0/logrotate-3.20.0.tar.xz) ([sig](https://github.com/logrotate/logrotate/releases/download/3.20.0/logrotate-3.20.0.tar.xz.asc)) ([Changelog](https://github.com/logrotate/logrotate/releases/tag/3.20.0)) +* [logrotate-3.19.0](https://github.com/logrotate/logrotate/releases/download/3.19.0/logrotate-3.19.0.tar.xz) ([sig](https://github.com/logrotate/logrotate/releases/download/3.19.0/logrotate-3.19.0.tar.xz.asc)) ([Changelog](https://github.com/logrotate/logrotate/releases/tag/3.19.0)) * [logrotate-3.18.1](https://github.com/logrotate/logrotate/releases/download/3.18.1/logrotate-3.18.1.tar.xz) ([sig](https://github.com/logrotate/logrotate/releases/download/3.18.1/logrotate-3.18.1.tar.xz.asc)) ([Changelog](https://github.com/logrotate/logrotate/releases/tag/3.18.1)) * [logrotate-3.18.0](https://github.com/logrotate/logrotate/releases/download/3.18.0/logrotate-3.18.0.tar.xz) ([sig](https://github.com/logrotate/logrotate/releases/download/3.18.0/logrotate-3.18.0.tar.xz.asc)) ([Changelog](https://github.com/logrotate/logrotate/releases/tag/3.18.0)) * [logrotate-3.17.0](https://github.com/logrotate/logrotate/releases/download/3.17.0/logrotate-3.17.0.tar.xz) ([sig](https://github.com/logrotate/logrotate/releases/download/3.17.0/logrotate-3.17.0.tar.xz.asc)) 
([Changelog](https://github.com/logrotate/logrotate/releases/tag/3.17.0)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/aclocal.m4 new/logrotate-3.20.1/aclocal.m4 --- old/logrotate-3.19.0/aclocal.m4 2022-01-07 10:04:06.000000000 +0100 +++ new/logrotate-3.20.1/aclocal.m4 2022-05-25 17:28:14.000000000 +0200 @@ -1,4 +1,4 @@ -# generated automatically by aclocal 1.16.4 -*- Autoconf -*- +# generated automatically by aclocal 1.16.5 -*- Autoconf -*- # Copyright (C) 1996-2021 Free Software Foundation, Inc. @@ -35,7 +35,7 @@ [am__api_version='1.16' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.16.4], [], +m4_if([$1], [1.16.5], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) @@ -51,7 +51,7 @@ # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.16.4])dnl +[AM_AUTOMAKE_VERSION([1.16.5])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) @@ -428,6 +428,10 @@ # release and drop the old call support. AC_DEFUN([AM_INIT_AUTOMAKE], [AC_PREREQ([2.65])dnl +m4_ifdef([_$0_ALREADY_INIT], + [m4_fatal([$0 expanded multiple times +]m4_defn([_$0_ALREADY_INIT]))], + [m4_define([_$0_ALREADY_INIT], m4_expansion_stack)])dnl dnl Autoconf wants to disallow AM_ names. We explicitly allow dnl the ones we care about. m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/config.c new/logrotate-3.20.1/config.c --- old/logrotate-3.19.0/config.c 2022-01-06 17:11:00.000000000 +0100 +++ new/logrotate-3.20.1/config.c 2022-05-24 17:20:14.000000000 +0200 
@@ -123,7 +123,7 @@ STATE_ERROR = 64, }; -static const char *defTabooExts[] = { +static const char *const defTabooExts[] = { ",v", ".bak", ".cfsaved", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/configure new/logrotate-3.20.1/configure --- old/logrotate-3.19.0/configure 2022-01-07 10:04:06.000000000 +0100 +++ new/logrotate-3.20.1/configure 2022-05-25 17:28:14.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for logrotate 3.19.0. +# Generated by GNU Autoconf 2.71 for logrotate 3.20.1. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, @@ -607,8 +607,8 @@ # Identity of this package. PACKAGE_NAME='logrotate' PACKAGE_TARNAME='logrotate' -PACKAGE_VERSION='3.19.0' -PACKAGE_STRING='logrotate 3.19.0' +PACKAGE_VERSION='3.20.1' +PACKAGE_STRING='logrotate 3.20.1' PACKAGE_BUGREPORT='' PACKAGE_URL='https://github.com/logrotate/logrotate' @@ -1320,7 +1320,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures logrotate 3.19.0 to adapt to many kinds of systems. +\`configure' configures logrotate 3.20.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1391,7 +1391,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of logrotate 3.19.0:";; + short | recursive ) echo "Configuration of logrotate 3.20.1:";; esac cat <<\_ACEOF @@ -1504,7 +1504,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -logrotate configure 3.19.0 +logrotate configure 3.20.1 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. 
@@ -1839,7 +1839,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by logrotate $as_me 3.19.0, which was +It was created by logrotate $as_me 3.20.1, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3111,7 +3111,7 @@ # Define the identity of the package. PACKAGE='logrotate' - VERSION='3.19.0' + VERSION='3.20.1' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -6931,7 +6931,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by logrotate $as_me 3.19.0, which was +This file was extended by logrotate $as_me 3.20.1, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -7000,7 +7000,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -logrotate config.status 3.19.0 +logrotate config.status 3.20.1 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/logrotate.8 new/logrotate-3.20.1/logrotate.8 --- old/logrotate-3.19.0/logrotate.8 2022-01-07 10:04:10.000000000 +0100 +++ new/logrotate-3.20.1/logrotate.8 2022-05-25 17:28:20.000000000 +0200 @@ -1,4 +1,4 @@ -.TH LOGROTATE 8 "3.19.0" "Linux" "System Administrator's Manual" +.TH LOGROTATE 8 "3.20.1" "Linux" "System Administrator's Manual" .\" Per groff_man(7), the TQ macro should be copied from an-ext.tmac when .\" not running under groff. That's not quite right; not all groff .\" installations include this macro. So bring it in with another name 
@@ -76,7 +76,7 @@ acquires a lock on the state file, if it cannot be acquired \fBlogrotate\fR will exit with value 3. The default state file is \fI/var/lib/logrotate.status\fR. If \fI/dev/null\fR is given as the state file, then \fBlogrotate\fR will -not try to write the state file. +not try to lock or write the state file. .TP \fB\-\-skip-state-lock\fR diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/logrotate.8.in new/logrotate-3.20.1/logrotate.8.in --- old/logrotate-3.19.0/logrotate.8.in 2021-10-06 16:06:15.000000000 +0200 +++ new/logrotate-3.20.1/logrotate.8.in 2022-03-31 14:00:36.000000000 +0200 @@ -76,7 +76,7 @@ acquires a lock on the state file, if it cannot be acquired \fBlogrotate\fR will exit with value 3. The default state file is \fI@STATE_FILE_PATH@\fR. If \fI/dev/null\fR is given as the state file, then \fBlogrotate\fR will -not try to write the state file. +not try to lock or write the state file. .TP \fB\-\-skip-state-lock\fR diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/logrotate.c new/logrotate-3.20.1/logrotate.c --- old/logrotate-3.19.0/logrotate.c 2022-01-06 17:31:39.000000000 +0100 +++ new/logrotate-3.20.1/logrotate.c 2022-05-25 17:19:45.000000000 +0200 @@ -1248,7 +1248,7 @@ int rc = 1; int fdcurr = -1, fdsave = -1; - message(MESS_DEBUG, "copying %s to %s\n", currLog, saveLog); + message(MESS_DEBUG, "%scopying %s to %s\n", skip_copy ? "skip " : "", currLog, saveLog); if (!debug) { /* read access is sufficient for 'copy' but not for 'copytruncate' */ 
@@ -1338,10 +1338,10 @@ } /* return by how many days the date was advanced but ignore exact time */ -static time_t daysElapsed(const struct tm *now, const struct tm *last) +static long daysElapsed(const struct tm *now, const struct tm *last) { - const time_t diff = mktimeFromDateOnly(now) - mktimeFromDateOnly(last); - return diff / (24 * 3600); + const double diff = difftime(mktimeFromDateOnly(now),mktimeFromDateOnly(last)); + return (long) (diff / (24 * 3600)); } static int findNeedRotating(const struct logInfo *log, unsigned logNum, int force) @@ -1443,7 +1443,7 @@ message(MESS_DEBUG, " log does not need rotating " "(log size is below the 'size' threshold)\n"); } - } else if (mktime(&state->lastRotated) - mktime(&now) > (25 * 3600)) { + } else if (difftime(mktime(&state->lastRotated), mktime(&now)) > (25 * 3600)) { /* 25 hours allows for DST changes as well as geographical moves */ message(MESS_ERROR, "log %s last rotated in the future -- rotation forced\n", @@ -1453,7 +1453,7 @@ state->lastRotated.tm_mon != now.tm_mon || state->lastRotated.tm_mday != now.tm_mday || state->lastRotated.tm_hour != now.tm_hour) { - time_t days; + long days; switch (log->criterium) { case ROT_WEEKLY: days = daysElapsed(&now, &state->lastRotated); @@ -1532,7 +1532,7 @@ "('minsize' directive is used and the log " "size is smaller than the minsize value)\n"); } - if (log->rotateMinAge && log->rotateMinAge * DAY_SECONDS >= nowSecs - sb.st_mtime) { + if (log->rotateMinAge && log->rotateMinAge * DAY_SECONDS >= difftime(nowSecs, sb.st_mtime)) { state->doRotate = 0; message(MESS_DEBUG, " log does not need rotating " "('minage' directive is used and the log " @@ -1925,7 +1925,7 @@ if (((globResult.gl_pathc >= (size_t)rotateCount) && (glob_count <= (globResult.gl_pathc - (size_t)rotateCount))) || ((log->rotateAge > 0) && - (((nowSecs - fst_buf.st_mtime) / DAY_SECONDS) + ((difftime(nowSecs, fst_buf.st_mtime) / DAY_SECONDS) > log->rotateAge))) { if (mail_out != (size_t)-1) { char *mailFilename = 
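Review bot: the switch from integer to floating-point division in the rotateAge check, `((difftime(nowSecs, fst_buf.st_mtime) / DAY_SECONDS) > log->rotateAge)`, changes when a rotated log counts as older than `maxage`: before, the quotient was truncated to whole days, so a file 1.9 days old compared as 1 and was kept under `maxage 1`; now 1.9 > 1 holds and it is removed. If whole-day semantics are intended, truncate before comparing, e.g. `(long)(difftime(nowSecs, fst_buf.st_mtime) / DAY_SECONDS) > log->rotateAge`; otherwise the behaviour change deserves a line in the ChangeLog entry for #438. The same applies to the identical comparison in the following `@@ -2039,7 +2039,7 @@` hunk. The `rotateMinAge` comparison is unaffected since it divides nothing, and `daysElapsed()` keeps the old truncation via the `(long)` cast, which is fine; minor style: `difftime(mktimeFromDateOnly(now),mktimeFromDateOnly(last))` is missing a space after the comma.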
@@ -2039,7 +2039,7 @@ continue; } - if (((nowSecs - fst_buf.st_mtime) / DAY_SECONDS) > log->rotateAge) { + if ((difftime(nowSecs, fst_buf.st_mtime) / DAY_SECONDS) > log->rotateAge) { if (!hasErrors && log->logAddress) hasErrors = mailLogWrapper(oldName, mailCommand, logNum, log); @@ -2593,6 +2593,7 @@ struct tm now; time_t now_time, last_time; char *prevCtx; + int force_mode = 0; if (!strcmp(stateFilename, "/dev/null")) /* explicitly asked not to write the state file */ @@ -2664,7 +2665,13 @@ close(fdcurr); - fdsave = createOutputFile(tmpFilename, O_RDWR, &sb, prev_acl, 0); + if (sb.st_mode & (mode_t)S_IROTH) { + /* drop world-readable flag to prevent others from locking */ + sb.st_mode &= ~(mode_t)S_IROTH; + force_mode = 1; + } + + fdsave = createOutputFile(tmpFilename, O_RDWR, &sb, prev_acl, force_mode); #ifdef WITH_ACL if (prev_acl) { acl_free(prev_acl); @@ -3000,15 +3007,22 @@ static int lockState(const char *stateFilename, int skip_state_lock) { - int lockFd = open(stateFilename, O_RDWR | O_CLOEXEC); + int lockFd; + struct stat sb; + + if (!strcmp(stateFilename, "/dev/null")) { + return 0; + } + + lockFd = open(stateFilename, O_RDWR | O_CLOEXEC); if (lockFd == -1) { if (errno == ENOENT) { message(MESS_DEBUG, "Creating stub state file: %s\n", stateFilename); - /* create a stub state file with mode 0644 */ + /* create a stub state file with mode 0640 */ lockFd = open(stateFilename, O_CREAT | O_EXCL | O_WRONLY, - S_IWUSR | S_IRUSR | S_IRGRP | S_IROTH); + S_IWUSR | S_IRUSR | S_IRGRP); if (lockFd == -1) { message(MESS_ERROR, "error creating stub state file %s: %s\n", stateFilename, strerror(errno)); 
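Review bot: in the `@@ -2664,7 +2665,13 @@` hunk only `S_IROTH` is cleared from the mode inherited from the existing state file, so a state file that is (mis)configured world-writable keeps `S_IWOTH` on the rewritten copy, and any local user can still open it for writing, `flock()` it and tamper with it; because the condition tests `S_IROTH`, a 0622 file is not touched at all. Since the stub created in `lockState()` is now 0640, it is more robust to clear all other-bits here, e.g. `sb.st_mode &= ~(mode_t)S_IRWXO;` with `force_mode = 1` whenever any of them was set. Also, `force_mode` is a new trailing argument to `createOutputFile()` whose meaning (apply the mode even when ACLs are restored, per the 3.20.1 entry for #446) is not visible in this diff; a one-line comment at the call site would help the next reader.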
@@ -3026,6 +3040,22 @@ stateFilename); close(lockFd); return 0; + } + + if (fstat(lockFd, &sb) == -1) { + message(MESS_ERROR, "error stat()ing state file %s: %s\n", + stateFilename, strerror(errno)); + close(lockFd); + return 1; + } + + if (sb.st_mode & S_IROTH) { + message(MESS_ERROR, "state file %s is world-readable and thus can" + " be locked from other unprivileged users." + " Skipping lock acquisition...\n", + stateFilename); + close(lockFd); + return 0; } if (flock(lockFd, LOCK_EX | LOCK_NB) == -1) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/logrotate.spec new/logrotate-3.20.1/logrotate.spec --- old/logrotate-3.19.0/logrotate.spec 2022-01-07 10:04:10.000000000 +0100 +++ new/logrotate-3.20.1/logrotate.spec 2022-05-25 17:28:20.000000000 +0200 @@ -1,6 +1,6 @@ Summary: Rotates, compresses, removes and mails system log files Name: logrotate -Version: 3.19.0 +Version: 3.20.1 Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base @@ -41,7 +41,6 @@ install -p -m 644 examples/btmp $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/btmp install -p -m 644 examples/wtmp $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/wtmp install -p -m 755 examples/logrotate.cron $RPM_BUILD_ROOT%{_sysconfdir}/cron.daily/logrotate -touch $RPM_BUILD_ROOT%{_localstatedir}/lib/logrotate.status %clean rm -rf $RPM_BUILD_ROOT 
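Review bot: the new `S_IROTH` test in `lockState()` only catches the plain-permission case; a user who gets read access through the group bit or an ACL entry (exactly what `test-0048.sh` now sets up with `chmod 0640 state` followed by `setfacl -m u:nobody:rwx state`) can still `open()` and `flock()` the state file and hold the lock, so the DoS path behind CVE-2022-1348 is narrowed rather than closed. Consider also flagging `S_IRGRP` for a non-root group and, when built `WITH_ACL`, inspecting the ACL before trusting the lock, or at least say so in the message. Two smaller points: the function logs at `MESS_ERROR` but then returns 0, so the run proceeds unlocked; make the message actionable by naming the expected mode (e.g. `chmod 0640`). And the new requirement that the state file must not be world-readable is not mentioned in the `--state` paragraph of `logrotate.8.in`, which this change set edits anyway for the `/dev/null` wording.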
@@ -55,4 +54,4 @@ %attr(0755, root, root) %{_sysconfdir}/cron.daily/logrotate %attr(0644, root, root) %config(noreplace) %{_sysconfdir}/logrotate.conf %attr(0755, root, root) %{_sysconfdir}/logrotate.d -%attr(0644, root, root) %verify(not size md5 mtime) %config(noreplace) %{_localstatedir}/lib/logrotate.status +%ghost %attr(0640, root, root) %verify(not size md5 mtime) %{_localstatedir}/lib/logrotate.status diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/logrotate.spec.in new/logrotate-3.20.1/logrotate.spec.in --- old/logrotate-3.19.0/logrotate.spec.in 2019-10-14 14:10:31.000000000 +0200 +++ new/logrotate-3.20.1/logrotate.spec.in 2022-05-25 09:06:46.000000000 +0200 @@ -41,7 +41,6 @@ install -p -m 644 examples/btmp $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/btmp install -p -m 644 examples/wtmp $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/wtmp install -p -m 755 examples/logrotate.cron $RPM_BUILD_ROOT%{_sysconfdir}/cron.daily/logrotate -touch $RPM_BUILD_ROOT%{_localstatedir}/lib/logrotate.status %clean rm -rf $RPM_BUILD_ROOT @@ -55,4 +54,4 @@ %attr(0755, root, root) %{_sysconfdir}/cron.daily/logrotate %attr(0644, root, root) %config(noreplace) %{_sysconfdir}/logrotate.conf %attr(0755, root, root) %{_sysconfdir}/logrotate.d -%attr(0644, root, root) %verify(not size md5 mtime) %config(noreplace) %{_localstatedir}/lib/logrotate.status +%ghost %attr(0640, root, root) %verify(not size md5 mtime) %{_localstatedir}/lib/logrotate.status diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/test/Makefile.am new/logrotate-3.20.1/test/Makefile.am --- old/logrotate-3.19.0/test/Makefile.am 2022-01-06 17:11:00.000000000 +0100 +++ new/logrotate-3.20.1/test/Makefile.am 2022-05-25 09:06:46.000000000 +0200 
@@ -90,6 +90,7 @@ test-0089.sh \ test-0090.sh \ test-0091.sh \ + test-0092.sh \ test-0100.sh \ test-0101.sh \ test-0102.sh \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/test/Makefile.in new/logrotate-3.20.1/test/Makefile.in --- old/logrotate-3.19.0/test/Makefile.in 2022-01-07 10:04:07.000000000 +0100 +++ new/logrotate-3.20.1/test/Makefile.in 2022-05-25 17:28:14.000000000 +0200 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.4 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2021 Free Software Foundation, Inc. @@ -519,6 +519,7 @@ test-0089.sh \ test-0090.sh \ test-0091.sh \ + test-0092.sh \ test-0100.sh \ test-0101.sh \ test-0102.sh \ @@ -1362,6 +1363,13 @@ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test-0092.sh.log: test-0092.sh + @p='test-0092.sh'; \ + b='test-0092.sh'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) test-0100.sh.log: test-0100.sh @p='test-0100.sh'; \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/test/test-0018.sh new/logrotate-3.20.1/test/test-0018.sh --- old/logrotate-3.19.0/test/test-0018.sh 2021-06-11 15:12:52.000000000 +0200 +++ new/logrotate-3.20.1/test/test-0018.sh 2022-05-09 10:44:06.000000000 +0200 
@@ -14,7 +14,7 @@ EOF (echo "gzip -f -9") | diff -u - compress-args -egrep -q '^LOGROTATE_COMPRESSED_FILENAME=.+/test.log.1$' compress-env +grep -Eq '^LOGROTATE_COMPRESSED_FILENAME=.+/test.log.1$' compress-env if [ $? != 0 ]; then echo "LOGROTATE_COMPRESSED_FILENAME environment variable not found." cat compress-env diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/test/test-0048.sh new/logrotate-3.20.1/test/test-0048.sh --- old/logrotate-3.19.0/test/test-0048.sh 2021-06-11 15:12:52.000000000 +0200 +++ new/logrotate-3.20.1/test/test-0048.sh 2022-05-25 17:19:45.000000000 +0200 @@ -18,6 +18,7 @@ logrotate state -- version 2 EOF +chmod 0640 state setfacl -m u:nobody:rwx state $RLR test-config.48 || exit 23 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/test/test-0087.sh new/logrotate-3.20.1/test/test-0087.sh --- old/logrotate-3.19.0/test/test-0087.sh 2021-01-05 14:01:16.000000000 +0100 +++ new/logrotate-3.20.1/test/test-0087.sh 2022-05-25 09:06:46.000000000 +0200 @@ -8,6 +8,7 @@ preptest test.log 87 1 touch state +chmod 0640 state $RLR test-config.87 -f & diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/test/test-0092.sh new/logrotate-3.20.1/test/test-0092.sh --- old/logrotate-3.19.0/test/test-0092.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/logrotate-3.20.1/test/test-0092.sh 2022-05-25 09:32:42.000000000 +0200 
@@ -0,0 +1,19 @@ +#!/bin/sh + +. ./test-common.sh + +# check state file locking +cleanup 92 + +preptest test.log 92 1 + +touch state +chmod 0644 state +flock state -c "sleep 10" & + +$RLR -f test-config.92 || exit 23 + +checkoutput <<EOF +test.log 0 +test.log.1 0 zero +EOF diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logrotate-3.19.0/test/test-config.92.in new/logrotate-3.20.1/test/test-config.92.in --- old/logrotate-3.19.0/test/test-config.92.in 1970-01-01 01:00:00.000000000 +0100 +++ new/logrotate-3.20.1/test/test-config.92.in 2022-05-25 09:06:46.000000000 +0200 @@ -0,0 +1,4 @@ +&DIR&/test.log { + rotate 1 + create +}
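Review bot: `test-0092.sh` leaves the backgrounded `flock state -c "sleep 10"` running after the test finishes and never checks that `flock(1)` is available; on a system without util-linux's `flock` the test runs with no competing lock and still passes, proving nothing. Add `command -v flock >/dev/null || exit 77` (automake's skip status) before the background command, save `$!`, and `kill` it after `checkoutput`. It would also be worth asserting the expected diagnostic, since the pass condition here is that logrotate skipped locking on the 0644 file (the `state file ... is world-readable` message from `lockState()`), not that it waited for or acquired the lock.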
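Review bot: the upstream `logrotate.spec` and `logrotate.spec.in` hunks turn `%{_localstatedir}/lib/logrotate.status` from an installed `%config(noreplace)` 0644 file into a `%ghost` 0640 entry and drop the `touch` in `%install`, but nothing fixes the mode of a state file already on disk from an earlier package: rpm does not install or chmod `%ghost` paths on upgrade, so the first run after the update hits the new world-readable check, logs the `Skipping lock acquisition` error and runs unlocked until `writeState()` rewrites the file without `S_IROTH`. A `%post` step such as `chmod o-r %{_localstatedir}/lib/logrotate.status 2>/dev/null || :` would close that window. The openSUSE package configures `--with-state-file-path=%{_localstatedir}/lib/misc/logrotate.status`, so the same consideration applies to its own `%files` and `%post`, which are not part of this diff.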
