From: Zhixiong Chi <zhixiong.chi@windriver.com>
To: <openembedded-devel@lists.openembedded.org>
Subject: [meta-oe][PATCH] rsyslog: CVE-2015-3243
Date: Sun, 20 Aug 2017 10:51:48 +0800
Message-ID: <1503197508-211426-1-git-send-email-zhixiong.chi@windriver.com>

rsyslog uses weak permissions for generating log files, which allows
local users to obtain sensitive information by reading files in
/var/log/cron.log.

We add "create 0600 root root" to the /etc/logrotate.d/syslog file;
this will ensure the file is created with permissions when logrotate
runs. It is also recommended that users manually set the permissions
on existing or newly installed log files in order to prevent access
by untrusted users.
https://bugzilla.redhat.com/show_bug.cgi?id=1232826

CVE: CVE-2015-3243

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
index 94ec517..7960815 100644
--- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
+++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
@@ -23,6 +23,9 @@
 /var/log/user.log
 /var/log/lpr.log
 /var/log/cron.log
+{
+        create 0600 root root
+}
 /var/log/debug
 /var/log/messages
 {
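Review bot: The new block added after /var/log/cron.log ends the file list at that point, so the paths above it (user.log, lpr.log, cron.log and any earlier entries) become a separate stanza whose only directive is "create 0600 root root". They no longer share the options in the existing "{" block that follows /var/log/messages, and /var/log/debug and /var/log/messages are left without the restrictive create mode. Suggest dropping the new braces and adding the single line "create 0600 root root" inside the existing block, so every listed log keeps its rotation options and also gets mode 0600. Note too that "create" only governs the file logrotate recreates after a rotation, so the commit message's advice about fixing permissions on existing log files still applies to images built with this change.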
-- 
1.9.1


