Accepting request 979229 from home:david.anes:branches:Base:System

- Security fix: (bsc#1199652, CVE-2022-1348)
  * Add follow-up upstream patch for the introduced fix.
  * Added patch logrotate-CVE-2022-1348-follow-up.patch
- Update patch:
  * logrotate-3.19.0-man_logrotate.patch -> logrotate-3.20.0-man_logrotate.patch

OBS-URL: https://build.opensuse.org/request/show/979229
OBS-URL: https://build.opensuse.org/package/show/Base:System/logrotate?expand=0&rev=98

logrotate-CVE-2022-1348-follow-up.patch

@@ -0,0 +1,56 @@
+From addbd293242b0b78aa54f054e6c1d249451f137d Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 25 May 2022 09:55:02 +0200
+Subject: [PATCH] drop world-readable permission on state file
+
+... even when ACLs are enabled.  This is a follow-up to the fix
+of CVE-2022-1348.  It has no impact on security but makes the state
+file locking work again in more cases.
+
+Closes: https://github.com/logrotate/logrotate/pull/446
+---
+ logrotate.c       | 10 +++++++---
+ test/test-0048.sh |  1 +
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/logrotate.c b/logrotate.c
+index b57b64b..2350672 100644
+--- a/logrotate.c
++++ b/logrotate.c
+@@ -2593,6 +2593,7 @@ static int writeState(const char *stateFilename)
+     struct tm now;
+     time_t now_time, last_time;
+     char *prevCtx;
++    int force_mode = 0;
+ 
+     if (!strcmp(stateFilename, "/dev/null"))
+         /* explicitly asked not to write the state file */
+@@ -2664,10 +2665,13 @@ static int writeState(const char *stateFilename)
+ 
+     close(fdcurr);
+ 
+-    /* drop world-readable flag to prevent others from locking */
+-    sb.st_mode &= ~(mode_t)S_IROTH;
++    if (sb.st_mode & (mode_t)S_IROTH) {
++        /* drop world-readable flag to prevent others from locking */
++        sb.st_mode &= ~(mode_t)S_IROTH;
++        force_mode = 1;
++    }
+ 
+-    fdsave = createOutputFile(tmpFilename, O_RDWR, &sb, prev_acl, 0);
++    fdsave = createOutputFile(tmpFilename, O_RDWR, &sb, prev_acl, force_mode);
+ #ifdef WITH_ACL
+     if (prev_acl) {
+         acl_free(prev_acl);
+diff --git a/test/test-0048.sh b/test/test-0048.sh
+index 98f17c1..25c4c05 100755
+--- a/test/test-0048.sh
++++ b/test/test-0048.sh
+@@ -18,6 +18,7 @@ cat > state << EOF
+ logrotate state -- version 2
+ EOF
+ 
++chmod 0640 state
+ setfacl -m u:nobody:rwx state
+ 
+ $RLR test-config.48 || exit 23

logrotate.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed May 25 15:31:32 UTC 2022 - David Anes <david.anes@suse.com>
+
+- Security fix: (bsc#1199652, CVE-2022-1348)
+  * Add follow-up upstream patch for the introduced fix.
+  * Added patch logrotate-CVE-2022-1348-follow-up.patch
+
+- Update patch:
+  * logrotate-3.19.0-man_logrotate.patch -> logrotate-3.20.0-man_logrotate.patch
+
 -------------------------------------------------------------------
 Wed May 25 13:34:17 UTC 2022 - Michael Ströder <michael@stroeder.com>
 

logrotate.spec

@@ -33,7 +33,11 @@ Source3:        logrotate.service
 Source10:       https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz.asc
 Source100:      %{name}-rpmlintrc
 Patch0:         logrotate-3.20.0-man_logrotate.patch
+# PATCH FIX UPSTREAM (bsc#1199652, CVE-2022-1348) insecure permissions for state file creation
+# follow up patch for CVE: https://github.com/logrotate/logrotate/pull/446
+Patch1:         logrotate-CVE-2022-1348-follow-up.patch
 BuildRequires:  acl
+BuildRequires:  automake
 BuildRequires:  libacl-devel
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(libselinux)
@@ -52,9 +56,10 @@ It manages plain files only and is not involved in systemd's journal rotation.
 
 %prep
 %setup -q
-%patch0 -p1
+%autopatch -p1
 
 %build
+autoreconf -f -i
 %configure \
     --disable-silent-rules \
     --with-state-file-path=%{_localstatedir}/lib/misc/logrotate.status \