CVE-2011-1098 — Race Condition in Logrotate

CWE-362 — Race Condition CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition8 documents7 sources

Severity

1.9LOWNVD

EPSS

0.1%

top 83.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Logrotate Project Logrotate Debian Logrotate Gentoo Logrotate

Timeline

PublishedMar 30

Latest updateMay 17

Description

Race condition in the createOutputFile function in logrotate.c in logrotate 3.7.9 and earlier allows local users to read log data by opening a file before the intended permissions are in place.

CVSS vector

AV:L/AC:M/C:P/I:N/A:NExploitability: 3.4 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/logrotate< logrotate 3.8.0-1 (bookworm)

▶Debianlogrotate_project/logrotate< 3.8.0-1+3

▶NVDgentoo/logrotate3.7.9+9

Patches

Patch: lists.fedoraproject.org ↗Patch: openwall.com ↗Patch: openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-h8gr-59qr-mxm6: Race condition in the createOutputFile function in logrotate↗2022-05-17

▶

OSV

CVE-2011-1098: Race condition in the createOutputFile function in logrotate↗2011-03-30

▶

📋Vendor Advisories

Ubuntu

logrotate vulnerabilities↗2011-07-21

▶

Red Hat

logrotate: TOCTOU race condition by creation of new files (between opening the file and moment, final permissions have been applied) [information disclosure]↗2011-02-13

▶

Debian

CVE-2011-1098: logrotate - Race condition in the createOutputFile function in logrotate.c in logrotate 3.7....↗2011

▶

💬Community

Bugzilla

CVE-2011-1098 CVE-2011-1154 CVE-2011-1155 logrotate various flaws [fedora-all]↗2011-03-17

▶

Bugzilla

CVE-2011-1098 logrotate: TOCTOU race condition by creation of new files (between opening the file and moment, final permissions have been applied) [information disclosure]↗2011-02-27

▶