openSUSE Mailman3 Logrotate Configuration Privilege Escalation Vulnerability

Vulnerability

A vulnerability has been identified in the logrotate configuration shipped with the Mailman3 package in openSUSE Tumbleweed, prior to version 3.3.10-2.1. It allows potential escalation from the Mailman user to root. The issue arises because the logrotate configuration, which is supposed to operate with Mailman privileges, is actually processed with full root privileges. A compromised Mailman user could use this misconfiguration to manipulate system processes or files.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation from the Mailman user to root, allowing potentially harmful actions to be performed with administrative rights.

Reproduction

The vulnerability can be reproduced by replacing a Mailman log file with a symbolic link to a sensitive path in the system, such as /etc/evil-file. When logrotate runs as root, it follows the symlink and creates the target file with root ownership, which becomes a security issue if that file is read by another program. After logrotate has run, any missing Mailman log files are also recreated with root ownership, which could disrupt the Mailman service.

Remediation

The vulnerability has been addressed in openSUSE Tumbleweed version 3.3.10-2.1. Users can update to this version to mitigate the issue.
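As an added illustration for the Reproduction and Remediation sections above (this is not the openSUSE package's own logrotate file, whose contents this entry does not quote): a logrotate stanza for a hypothetical Mailman log directory without an `su` directive, the same stanza with one, and two small checks a defender can run against a real system. The paths, the user/group name `mailman`, and the function names are assumptions. The `su user group` directive is standard logrotate syntax; with it, logrotate switches to that account before creating or rotating files in the directory, so a symlink planted by the unprivileged account is followed with that account's rights rather than root's. Without it, recent logrotate versions refuse to rotate in a directory writable by a non-root user, which is why packages that rotate an unprivileged service's logs normally carry the directive.

```shell
#!/bin/sh
# Added example, not the openSUSE Mailman3 package's logrotate file.
# All paths and names below are placeholders.

# Constructed sample: weak stanza. logrotate runs as root and creates
# files in a directory the mailman user can write to.
WEAK_CONF='/var/lib/mailman/logs/*.log {
    weekly
    missingok
    notifempty
    compress
    create 0640 mailman mailman
}'

# Constructed sample: hardened stanza. `su mailman mailman` makes logrotate
# operate as the service account inside this directory, so a planted symlink
# cannot make it create a root-owned file elsewhere on the system.
HARDENED_CONF='/var/lib/mailman/logs/*.log {
    su mailman mailman
    weekly
    missingok
    notifempty
    compress
    create 0640 mailman mailman
}'

# logrotate_has_su FILE: succeed (exit 0) if FILE carries an `su user group` line.
logrotate_has_su() {
    grep -Eq '^[[:space:]]*su[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+' "$1"
}

# count_symlinked_logs DIR: print how many direct entries of DIR are symlinks.
# A non-zero count in a log directory writable by an unprivileged account is
# worth inspecting before a root-run logrotate touches it.
count_symlinked_logs() {
    n=0
    for f in "$1"/*; do
        [ -L "$f" ] && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# setup_demo: build a throwaway scenario under a temp dir (constructed data,
# not a live Mailman installation) and print the directory path.
setup_demo() {
    demo=$(mktemp -d)
    printf '%s\n' "$WEAK_CONF" > "$demo/mailman.weak"
    printf '%s\n' "$HARDENED_CONF" > "$demo/mailman.hardened"
    mkdir -p "$demo/logs"
    : > "$demo/logs/smtp.log"
    # constructed symlink standing in for a planted log-file link
    ln -s "$demo/placeholder-target" "$demo/logs/bounce.log"
    printf '%s\n' "$demo"
}

# Stand-alone run: report on the constructed scenario, then clean up.
DEMO_DIR=$(setup_demo)
for variant in weak hardened; do
    if logrotate_has_su "$DEMO_DIR/mailman.$variant"; then
        echo "$variant: su directive present, rotation runs as mailman"
    else
        echo "$variant: no su directive, root rotates inside a mailman-writable directory"
    fi
done
echo "symlinks in log directory: $(count_symlinked_logs "$DEMO_DIR/logs")"
rm -rf "$DEMO_DIR"
```

On a real host, point `logrotate_has_su` at the Mailman stanza under /etc/logrotate.d and `count_symlinked_logs` at the actual Mailman log directory; the two checks together tell you whether the configuration still relies on root and whether anything unexpected is already sitting in the directory.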

Added: Jul 23, 2025, 10:16 AM
Updated: Jul 23, 2025, 10:16 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 7.5
exploitability: 5.4
remediation: 8.3
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.