Some security issues have been reported in logrotate, which can be exploited by malicious, local users to disclose potentially sensitive information, cause a DoS (Denial of Service), and potentially gain escalated privileges.

1) The logrotate utility does not properly handle symlinked files. This can be exploited to e.g. change the ownership and permissions of arbitrary files via symlink attacks.

2) An error within the "shred" functionality can be exploited to inject and execute arbitrary shell commands when logrotate is running as a privileged user in a directory controlled by the attacker.

3) A race condition when creating log files can be exploited to disclose potentially sensitive information by opening the newly created file before the intended permissions are applied.

4) An input sanitation error within the "write state" action can be exploited to prevent logrotate from processing log files via specially crafted log filenames.

Solution
Fixed in the GIT repository. Restrict access to trusted users only.

Provided and/or discovered by
Florian Zumbiehl and Stefan Fritsch

Changelog
Further details available to Secunia VIM customers

Original Advisory
http://lists.debian.org/debian-qa/2010/11/msg00024.html

Debian Bug #388608:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=388608

Red Hat Bugs #680796, 680797, and #680798:
https://bugzilla.redhat.com/show_bug.cgi?id=680796
https://bugzilla.redhat.com/show_bug.cgi?id=680797
https://bugzilla.redhat.com/show_bug.cgi?id=680798

Deep Links
Links available to Secunia VIM customers