sysklogd.bof.txt

1999-08-17T00:00:00
ID PACKETSTORM:12279
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Date: Tue, 16 Feb 1999 02:22:56 -0500  
From: Cory Visi <visi@CMU.EDU>  
To: BUGTRAQ@netspace.org  
Subject: RedHat sysklogd vulnerability  
  
I'd like to apologize for being so late with this e-mail as I have known  
about this problem for months. The vulnerability was discussed in a Thu, 10  
Sep 1998 BugTraq e-mail by Michal Zalewski (lcamtuf@IDS.PL). I replied to it  
with a quick patch. Here are some lines from my e-mail:  
  
> I'm not completely happy with this, as it modifies the reference parameter,  
> ptr, but it will solve the problem. However, later on:  
>  
> ExpandKadds(line, eline)  
>  
> Where eline is the same size as line. I think the real solution is to make  
> sure the buffer is larger (LOG_LINE_LENGTH) like Michal said, and make sure  
> modules and programs don't generate obsurdly long messages, because you  
> can't be certain how much room is necessary for the expanded symbols. It  
> would be nice if ExpandKadds() allocated memory dynamically, but it doesn't.  
  
RedHat immediately issued a "fix" to their current package: sysklogd-1.3-26  
This "fix" is merely my patch (and nothing more). My patch DOES NOT fix the  
problem. As discussed by the package co-maintainer (Martin Schulze  
(joey@FINLANDIA.INFODROM.NORTH.DE)) the bug is fixed in the latest sysklogd  
package (1.3-30). In fact, the bug was fixed in 1996. What this comes down  
to is that any Linux distribution running an old sysklogd package (namely  
RedHat all versions) STILL has a potential (rather obscure) buffer overflow.  
They need to upgrade to the latest version ASAP. I e-mailed  
bugzilla@redhat.com and got no response.  
  
Thank you,  
  
.-. ,~~-. .-~~-.  
~._'_.' \_ \ / `~~-  
| `~- \ /  
`.__.-'ory \/isi  
  
`