On Sun, Jan 30, 2022 at 07:23:20PM +0100, Christian Göttsche wrote:
> [ Reason ]
> Logrotate does not reject invalid files as configuration files and
> tries to parse at least parts of them.
> Those files for example might be crafted coredumps, placed in
> /etc/logrotate.d/ via an unsafe core dump handler.
> Be more strict while parsing configuration files. See
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002022
> https://github.com/logrotate/logrotate/pull/427
> https://www.openwall.com/lists/oss-security/2021/10/20/2
>
> Also include two other fixes, one using the correct stat information
> when verifying an olddir configuration after creating the olddir, the
> other advancing pointer in full_write on incomplete write to avoid
> data corruption.
>

Go ahead, thanks.

Cheers, Julien
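
The full_write fix mentioned in the quoted request, shown as an added example that is not part of this thread and is not logrotate's source code: a write loop that shrinks the remaining count after a short write but does not advance the source pointer reports success while duplicating the start of the buffer. The names `short_write`, `full_write_demo` and `run_demo` are hypothetical, and the 3-byte writer is a constructed stand-in for write(2).

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for write(2): takes at most 3 bytes per call and
 * appends them to an in-memory sink, forcing short writes deterministically. */
static char sink[64];
static size_t sink_len;

static ssize_t short_write(const void *buf, size_t len)
{
    size_t n = len < 3 ? len : 3;
    if (sink_len + n >= sizeof(sink))
        return -1;
    memcpy(sink + sink_len, buf, n);
    sink_len += n;
    return (ssize_t)n;
}

/* Loop until len bytes are out. With advance == 0 the count shrinks but the
 * source pointer stays put, so every retry resends the start of buf. */
static ssize_t full_write_demo(const char *buf, size_t len, int advance)
{
    ssize_t total = 0;
    while (len > 0) {
        ssize_t n = short_write(buf, len);
        if (n < 0)
            return -1;
        total += n;
        len -= (size_t)n;
        if (advance)
            buf += n;   /* the fix: skip bytes already written */
    }
    return total;
}

/* Push "abcdefgh" through one variant; return what reached the sink. */
static const char *run_demo(int advance)
{
    sink_len = 0;
    memset(sink, 0, sizeof(sink));
    return full_write_demo("abcdefgh", 8, advance) == 8 ? sink : NULL;
}

int main(void)
{
    printf("no advance: %s\n", run_demo(0));
    printf("advance:    %s\n", run_demo(1));
    return 0;
}
```

Both variants return 8, so checking the return value alone does not reveal the corruption; only comparing the written data does.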