Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 81145 - Log message treated as a regexp???
Summary: Log message treated as a regexp???
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: logwatch
Version: 8.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Elliot Lee
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-01-06 04:41 UTC by Aleksey Nogin
Modified: 2007-04-18 16:49 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-07-10 13:43:16 UTC


Attachments (Terms of Use)
Demonstrates problem in logwatch 'secure' script regexp (deleted)
2003-03-07 22:02 UTC, Stephen Walton
no flags Details

Description Aleksey Nogin 2003-01-06 04:41:40 UTC
Some time ago I've received the following message from logwatch:

 ################## LogWatch 2.6 Begin ##################### 

Nested quantifiers in regex; marked by <-- HERE in m/sudo:  aleksey : TTY=tty1 ;
PWD=/home/aleksey ; USER=root ; COMMAND=/bin/rpm -e compat-libstdc++ <-- HERE /
at /etc/log.d/scripts/services/secure line 88, <STDIN> line 43.


 ###################### LogWatch End ######################### 

Which means that somehow logwatch managed to interpret the *user* input as a
regexp! Can this be a security issue?

Comment 1 Elliot Lee 2003-02-19 23:04:11 UTC
Can you try the logwatch 4.3.1 in rawhide and see if it has this issue? I can't
see any lines in 4.3.1 in the script mentioned that would fit the description.

Comment 2 Stephen Walton 2003-03-07 22:02:02 UTC
Created attachment 90521 [details]
Demonstrates problem in logwatch 'secure' script regexp

Running this script creates and executes a Perl program called 'bugdemo.pl' in
the current directory.

Comment 3 Stephen Walton 2003-03-07 22:04:37 UTC
My comment to my demo got lost:  the problem arises when a line in
/var/log/secure contains the string ++, as it does for the original poster, and
did for me, when an 'sudo' command is executed to manipulate a C++ library.  My
attachment demonstrates the problem but I'm not enough of a Perl hacker to
figure out a patch.

I don't think this should be marked CLOSED but I can't change the status.

Comment 4 Elliot Lee 2003-07-10 13:43:16 UTC
4.3.2 has this problem fixed, and probably 4.3.1.

Comment 5 Stephen Walton 2003-07-10 17:58:07 UTC
Fair enough, but the original bug was against RH 8.0, and the latest version of
logwatch released for 8.0 seems to be the one on the original release, 2.6-8. 
4.3.1-2 is on my RH9 systems, though.  I did "rpm -U --test" on an RH8.0 system
against the logwatch 4.3.1-2 RPM shipped with RH9 and got no errors;  would it
be safe to install it?




Note You need to log in before you can comment on or make changes to this bug.