Bugtraq mailing list archives
Re: [Linux] klogd 1.3-22 buffer overflow
From: joey () FINLANDIA INFODROM NORTH DE (Martin Schulze)
Date: Tue, 17 Nov 1998 22:45:44 +0100
I'm the co-maintainer of the Linux sysklogd package which contains the klogd program for which a buffer overrun has been reported last week.

First of all I'd like to complain about two things:

a) The reports weren't made against the current version of the package. The source for it is well known on sunsite.unc.edu as well as various mirrors. When reporting security related bugs you should *always* try to use the current version of a package instead of an ancient old one.

b) Again the authors/maintainers of the package in question weren't notified and had to be informed through third parties. This is not a good style. (However, I could imagine that this could be due to a).)

Now returning to the main problem. Michal Zalewski <lcamtuf () IDS PL> has found a buffer overrun in a version of klogd. I have investigated this last week and wasn't able to reproduce it nor able to find the problematic piece of code. Instead of that I found a well thought-out parser with an anti-overrun mechanism. Going through the changelog entries I also found a note about a possible overrun at the location Michal has reported. I dare to say, but this bug was fixed *two* years ago:

* Tue Nov 19 10:15:36 PST 1996: Leland Olds <olds () eskimo com>
* Corrected vulnerability to buffer overruns by rewriting LogLine
* routine. Obscenely long kernel messages will now be broken up
* into lines no longer than LOG_LINE_LENGTH.
*
* The last version of LogLine was vulnerable to buffer overruns:
* - Kernel messages longer than LOG_LINE_LENGTH caused a buffer
*   overrun.
* - If a line was determined to be shorter than LOG_LINE_LENGTH,
*   the routine "ExpandKadds" could cause the line to grow by
*   an unknown amount and overrun a buffer.
* I turned these routines into a little parsing state machine that
* should not have these problems.

With this information I've contacted Michal without receiving an answer, as well as some of the contributors who seem to have found / fixed the bug. I'm ashamed to admit that responses were far less than I would have expected.

Anyway, the current version of klogd which comes with sysklogd is *not* vulnerable to the overrun in question. You'll find current versions of the sysklogd package at

ftp://ftp.infodrom.north.de/pub/people/joey/sysklogd/

Additionally the most recent stable version may also be found on SunSITE at

ftp://sunsite.unc/edu/pub/Linux/system/daemons/

Thanks for the attention,

Joey

--
GNU GPL: "The source will be with you... always."
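The changelog entry quoted in the post describes the defence in two parts: break an arbitrarily long kernel message into lines no longer than LOG_LINE_LENGTH, and stop an expansion step (the post names ExpandKadds) from growing a line past the buffer it sits in. The C program below is an added illustration of that bounded line-assembly idea; it is not sysklogd's LogLine or ExpandKadds code. LOG_LINE_LENGTH is set to a constructed small value so the splitting is visible, the `@` marker and its expansion text are hypothetical stand-ins for address expansion, and the sample message in main is constructed.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed value for illustration only; sysklogd's real LOG_LINE_LENGTH
 * is not quoted in the post. */
#define LOG_LINE_LENGTH 16

struct split_stats {
    size_t lines;    /* how many lines were emitted */
    size_t longest;  /* length of the longest emitted line (never > LOG_LINE_LENGTH) */
};

/* Hypothetical stand-in for an expansion step: a one-byte marker in the
 * input is replaced by a longer string, so the output can grow by more
 * than the input consumed. This is the case the changelog warns about. */
static const char EXPAND_MARKER = '@';
static const char *EXPAND_TEXT = "[expanded-symbol]";   /* 17 bytes */

/* Emit the accumulated line (if out is non-NULL) and reset the fill level. */
static void flush(char *line, size_t *pos, struct split_stats *st, FILE *out)
{
    line[*pos] = '\0';                  /* pos <= LOG_LINE_LENGTH, so this is in bounds */
    if (out) fprintf(out, "%s\n", line);
    st->lines++;
    if (*pos > st->longest) st->longest = *pos;
    *pos = 0;
}

/* Append n bytes of text to line[]. If the line is already full, flush it
 * first; text longer than the remaining room is itself split across lines.
 * The invariant is that line[] never receives more than LOG_LINE_LENGTH
 * bytes, whatever the caller hands in. */
static void append_bounded(char *line, size_t *pos, const char *text, size_t n,
                           struct split_stats *st, FILE *out)
{
    while (n > 0) {
        if (*pos == LOG_LINE_LENGTH) flush(line, pos, st, out);
        size_t room = LOG_LINE_LENGTH - *pos;
        size_t take = n < room ? n : room;
        memcpy(line + *pos, text, take);
        *pos += take;
        text += take;
        n -= take;
    }
}

/* Walk a kernel message byte by byte: newline ends a line, the marker is
 * expanded through the same bounded append as ordinary bytes, and the
 * line buffer is flushed before it can fill past LOG_LINE_LENGTH. */
struct split_stats split_kernel_msg(const char *msg, size_t msg_len, FILE *out)
{
    char line[LOG_LINE_LENGTH + 1];     /* +1 for the terminating NUL */
    size_t pos = 0;
    struct split_stats st = {0, 0};

    for (size_t i = 0; i < msg_len; i++) {
        char c = msg[i];
        if (c == '\n') {
            flush(line, &pos, &st, out);
        } else if (c == EXPAND_MARKER) {
            append_bounded(line, &pos, EXPAND_TEXT, strlen(EXPAND_TEXT), &st, out);
        } else {
            append_bounded(line, &pos, &c, 1, &st, out);
        }
    }
    if (pos > 0) flush(line, &pos, &st, out);   /* unterminated tail */
    return st;
}

/* Convenience for testing: a message made of n copies of c, no newline. */
struct split_stats split_repeated(char c, size_t n)
{
    char buf[256];
    if (n > sizeof buf) n = sizeof buf;
    memset(buf, c, n);
    return split_kernel_msg(buf, n, NULL);
}

int main(void)
{
    /* Constructed sample: a normal line, an over-long line, and a line whose
     * expansion step ('@') would have grown it past a fixed buffer. */
    const char sample[] = "usb 1-1: new device\n"
                          "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
                          "oops at @ in foo\n";
    struct split_stats st = split_kernel_msg(sample, sizeof sample - 1, stdout);
    printf("%zu lines, longest %zu\n", st.lines, st.longest);
    return 0;
}
```

The point of routing the expansion text through the same append_bounded path as single bytes is that the "line may grow by an unknown amount" hazard disappears: growth is measured against the remaining room at the moment it happens, and a line is closed and restarted rather than written past its end. A 40-byte input with a 16-byte limit yields three lines (16, 16, 8), and a message that expands to more than the limit is split the same way.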