Bugtraq mailing list archives

RedHat sysklogd vulnerability


From: visi () CMU EDU (Cory Visi)
Date: Tue, 16 Feb 1999 02:22:56 -0500


I'd like to apologize for being so late with this e-mail as I have known
about this problem for months. The vulnerability was discussed in a Thu, 10
Sep 1998 BugTraq e-mail by Michal Zalewski (lcamtuf () IDS PL). I replied to it
with a quick patch. Here are some lines from my e-mail:

I'm not completely happy with this, as it modifies the reference parameter,
ptr, but it will solve the problem. However, later on:

ExpandKadds(line, eline)

Where eline is the same size as line. I think the real solution is to make
sure the buffer is larger (LOG_LINE_LENGTH) like Michal said, and make sure
modules and programs don't generate absurdly long messages, because you
can't be certain how much room is necessary for the expanded symbols. It
would be nice if ExpandKadds() allocated memory dynamically, but it doesn't.

RedHat immediately issued a "fix" to their current package: sysklogd-1.3-26
This "fix" is merely my patch (and nothing more). My patch DOES NOT fix the
problem. As discussed by the package co-maintainer (Martin Schulze
(joey () FINLANDIA INFODROM NORTH DE)) the bug is fixed in the latest sysklogd
package (1.3-30). In fact, the bug was fixed in 1996. What this comes down
to is that any Linux distribution running an old sysklogd package (namely
RedHat all versions) STILL has a potential (rather obscure) buffer overflow.
They need to upgrade to the latest version ASAP. I e-mailed
bugzilla () redhat com and got no response.

Thank you,

     .-.        ,~~-.      .-~~-.
 ~._'_.'        \_   \    /      `~~-
   |              `~- \  /
   `.__.-'ory          \/isi
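The same-size destination buffer the post describes, as an added C example that is not from sysklogd or the poster: the symbol table and the `expand_kaddrs_bounded` / `expand_token` functions are constructed for illustration, and the point they show is that an expansion of `[<addr>]` into `[<addr>] (symbol+offset)` must be bounded by the caller-supplied length instead of assuming eline has room.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed symbol table, sorted by address descending; klogd uses System.map. */
struct ksym { unsigned long addr; const char *name; };
static const struct ksym symtab[] = {
    { 0xc0110000UL, "do_page_fault" },
    { 0xc0100000UL, "stext" },
};

/* Nearest symbol at or below addr, or NULL when none is known. */
static const struct ksym *lookup(unsigned long addr)
{
    for (size_t i = 0; i < sizeof symtab / sizeof symtab[0]; i++)
        if (symtab[i].addr <= addr) return &symtab[i];
    return NULL;
}

/* If p starts a "[<hexaddr>]" token that resolves, write "[<addr>] (sym+off)"
 * into piece and return the input bytes consumed; otherwise return 0. */
static size_t expand_token(const char *p, char *piece, size_t psz)
{
    const char *close; char *end;
    if (p[0] != '[' || p[1] != '<' || (close = strstr(p + 2, ">]")) == NULL) return 0;
    unsigned long addr = strtoul(p + 2, &end, 16);
    const struct ksym *s = lookup(addr);
    if (end != close || end == p + 2 || s == NULL) return 0;   /* leave token as-is */
    snprintf(piece, psz, "[<%lx>] (%s+%lx)", addr, s->name, addr - s->addr);
    return (size_t)(close + 2 - p);
}

/* Expand line into eline, writing at most elen bytes. Returns 0 on success,
 * -1 when the expansion would not fit (eline is then a NUL-terminated prefix). */
int expand_kaddrs_bounded(const char *line, char *eline, size_t elen)
{
    size_t out = 0;
    if (elen == 0) return -1;
    while (*line) {
        char piece[96];
        size_t used = expand_token(line, piece, sizeof piece), n = 1;
        if (used) { n = strlen(piece); line += used; }
        else      piece[0] = *line++;
        if (out + n >= elen) { eline[out] = '\0'; return -1; } /* out of room: truncate, never overflow */
        memcpy(eline + out, piece, n); out += n;
    }
    eline[out] = '\0';
    return 0;
}
```

The second call in the test below mirrors the post's situation: a destination the same size as the input cannot hold the expanded line, and the bounded version reports that instead of writing past the end.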


