Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 81145

Summary: Log message treated as a regexp???
Product: [Retired] Red Hat Linux Reporter: Aleksey Nogin <aleksey>
Component: logwatchAssignee: Elliot Lee <sopwith>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0CC: stephen.walton
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-07-10 13:43:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
Demonstrates problem in logwatch 'secure' script regexp none

Description Aleksey Nogin 2003-01-06 04:41:40 UTC
Some time ago I've received the following message from logwatch:

 ################## LogWatch 2.6 Begin ##################### 

Nested quantifiers in regex; marked by <-- HERE in m/sudo:  aleksey : TTY=tty1 ;
PWD=/home/aleksey ; USER=root ; COMMAND=/bin/rpm -e compat-libstdc++ <-- HERE /
at /etc/log.d/scripts/services/secure line 88, <STDIN> line 43.


 ###################### LogWatch End ######################### 

Which means that somehow logwatch managed to interpret the *user* input as a
regexp! Can this be a security issue?

Comment 1 Elliot Lee 2003-02-19 23:04:11 UTC
Can you try the logwatch 4.3.1 in rawhide and see if it has this issue? I can't
see any lines in 4.3.1 in the script mentioned that would fit the description.

Comment 2 Stephen Walton 2003-03-07 22:02:02 UTC
Created attachment 90521 [details]
Demonstrates problem in logwatch 'secure' script regexp

Running this script creates and executes a Perl program called 'bugdemo.pl' in
the current directory.

Comment 3 Stephen Walton 2003-03-07 22:04:37 UTC
My comment to my demo got lost:  the problem arises when a line in
/var/log/secure contains the string ++, as it does for the original poster, and
did for me, when an 'sudo' command is executed to manipulate a C++ library.  My
attachment demonstrates the problem but I'm not enough of a Perl hacker to
figure out a patch.

I don't think this should be marked CLOSED but I can't change the status.

Comment 4 Elliot Lee 2003-07-10 13:43:16 UTC
4.3.2 has this problem fixed, and probably 4.3.1.

Comment 5 Stephen Walton 2003-07-10 17:58:07 UTC
Fair enough, but the original bug was against RH 8.0, and the latest version of
logwatch released for 8.0 seems to be the one on the original release, 2.6-8. 
4.3.1-2 is on my RH9 systems, though.  I did "rpm -U --test" on an RH8.0 system
against the logwatch 4.3.1-2 RPM shipped with RH9 and got no errors;  would it
be safe to install it?