Forw: RedHat sysklogd vulnerability
- From: yocum fnal gov
- To: linux-security redhat com
- Cc: yocum fnal gov
- Subject: Forw: RedHat sysklogd vulnerability
- Date: Mon, 22 Feb 1999 13:39:15 -0600
Another from Bugtraq. I've also forwarded this one on to our contact at Red
Hat (Stephen Smoogen) and he tells me it's in their QA currently.
Dan
_______________________________________________________________________________
Dan Yocum | Phone: (630) 840-8525
Computing Division OSS/FSS | Fax: (630) 840-6345 .~. L
Fermi National Accelerator Lab | email: yocum fnal gov /V\ I
P.O. Box 500 | WWW: www-oss.fnal.gov/~yocum/ // \\ N
Batavia, IL 60510 | "TANSTAAFL" /( )\ U
________________________________|____________________________________ ^`~'^__X_
- --- Forwarded mail from Cory Visi <visi CMU EDU>
Date: Tue, 16 Feb 1999 02:22:56 -0500
From: Cory Visi <visi CMU EDU>
Subject: RedHat sysklogd vulnerability
To: BUGTRAQ NETSPACE ORG
Reply-to: Cory Visi <visi CMU EDU>
I'd like to apologize for being so late with this e-mail as I have known
about this problem for months. The vulnerability was discussed in a Thu, 10
Sep 1998 BugTraq e-mail by Michal Zalewski (lcamtuf IDS PL). I replied to it
with a quick patch. Here are some lines from my e-mail:
> I'm not completely happy with this, as it modifies the reference parameter,
> ptr, but it will solve the problem. However, later on:
>
> ExpandKadds(line, eline)
>
> Where eline is the same size as line. I think the real solution is to make
> sure the buffer is larger (LOG_LINE_LENGTH) like Michal said, and make sure
> modules and programs don't generate absurdly long messages, because you
> can't be certain how much room is necessary for the expanded symbols. It
> would be nice if ExpandKadds() allocated memory dynamically, but it doesn't.
RedHat immediately issued a "fix" to their current package: sysklogd-1.3-26
This "fix" is merely my patch (and nothing more). My patch DOES NOT fix the
problem. As discussed by the package co-maintainer (Martin Schulze
(joey FINLANDIA INFODROM NORTH DE)) the bug is fixed in the latest sysklogd
package (1.3-30). In fact, the bug was fixed in 1996. What this comes down
to is that any Linux distribution running an old sysklogd package (namely
RedHat all versions) STILL has a potential (rather obscure) buffer overflow.
They need to upgrade to the latest version ASAP. I e-mailed
bugzilla redhat com and got no response.
Thank you,
.-. ,~~-. .-~~-.
~._'_.' \_ \ / `~~-
| `~- \ /
`.__.-'ory \/isi
- ---End of forwarded mail from Cory Visi <visi CMU EDU>
------- End of Forwarded Message
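
The quoted patch discussion notes that the expansion output buffer (`eline`) is the same size as `line`, although an expanded symbol can be longer than the address it replaces. The following is an added illustration, not sysklogd code and not part of the original mail: `expand_bounded`, `lookup`, the symbol table and the simplified `[name]` output form are hypothetical, and the function refuses the line when the result would not fit instead of writing past the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed symbol table for the example (assumption, not real kernel data). */
struct ksym { unsigned long addr; const char *name; };
static const struct ksym table[] = {
    { 0xc0100000UL, "short_sym" },
    { 0xc0200000UL, "a_much_longer_kernel_symbol_name_than_its_address" },
};

static const char *lookup(unsigned long addr)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].addr == addr)
            return table[i].name;
    return NULL;                 /* unknown address: token is copied unchanged */
}

/* Hypothetical bounded expander: rewrites each "[<hexaddr>]" token in line as
 * "[name]". Returns the output length, or -1 if out (outsz bytes) is too small. */
long expand_bounded(const char *line, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    while (*line) {
        char *end = NULL;
        const char *name = NULL;
        if (line[0] == '[' && line[1] == '<') {
            unsigned long addr = strtoul(line + 2, &end, 16);
            if (end > line + 2 && end[0] == '>' && end[1] == ']')
                name = lookup(addr);
        }
        /* snprintf never writes more than the space left and reports the need. */
        int n = name ? snprintf(out + used, outsz - used, "[%s]", name)
                     : snprintf(out + used, outsz - used, "%c", *line);
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;           /* expansion would overflow: reject the line */
        used += (size_t)n;
        line = name ? end + 2 : line + 1;
    }
    return (long)used;
}

int main(void)
{
    char eline[15];              /* same size as the constructed input line */
    printf("%ld\n", expand_bounded("x [<c0200000>]", eline, sizeof eline));
    return 0;
}
```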