oss-sec mailing list archives

Re: vulnerability in rsyslog


From: Solar Designer <solar () openwall com>
Date: Tue, 30 Sep 2014 20:28:03 +0400

On Tue, Sep 30, 2014 at 01:55:12PM +0200, Sven Kieske wrote:
> I don't understand the following statement in the
> pri-vuln.txt in section "Patches":
>
> "Version 7.4.6, while no longer being project
> supported received a patch and is also not vulnerable."
>
> What was patched when this version is not vulnerable?
> Or do you mean it is not vulnerable after the patch got applied?

I think Rainer is not subscribed to oss-security.  I've just added him
to CC on this reply.  Rainer - please address Sven's questions above.

All - please note that the bug is likely present in many other syslog
services.  It likely dates back all the way to Eric Allman's syslog,
although I have not checked to make sure yet.

pri-vuln.txt in the tarball attached to Rainer's message specifically
mentions sysklogd as "mildly affected":

| Affected
| --------
| - rsyslog, most probably all versions (checked 5.8.6+)
| - sysklogd (checked most recent versions)
| - potentially others (see root cause)

[...]

| sysklogd
| ~~~~~~~~
| Sysklogd is mildly affected. Having a quick look at the current git master
| branch, the wrong action may be applied to messages with invalid facility.
| 
| A segfault seems unlikely, as the maximum misaddressing is 104 bytes of the
| f_pmask table, which is always within properly allocated memory (albeit to
| wrong data items). This can lead to triggering invalid selector lines and
| thus wrongly writing to files or wrongly forwarding to other hosts.

Alexander
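
Added example, not part of the original message and not code from rsyslog or sysklogd: a PRI parser that range-checks the facility before it is used to index a per-facility selector table, which is the check whose absence the quoted advisory describes. The names `parse_pri`, `pmask` and `selector_matches`, the table layout, and the fallback to PRI 13 (user.notice) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>

#define NFACILITIES 24   /* facilities 0..23, so the largest valid PRI is 191 */
#define DEFAULT_PRI 13   /* user.notice; assumed fallback for an invalid PRI */

struct pri { int facility; int severity; int valid; };

/* Parse a leading "<NNN>" header. A malformed or out-of-range value
 * yields DEFAULT_PRI with valid = 0, never a facility >= NFACILITIES. */
struct pri parse_pri(const char *msg)
{
    struct pri out = { DEFAULT_PRI >> 3, DEFAULT_PRI & 7, 0 };
    int val = 0, digits = 0;
    const char *p = msg;

    if (p == NULL || *p != '<')
        return out;
    for (p++; isdigit((unsigned char)*p); p++) {
        if (++digits > 3)              /* longest legal value is "191" */
            return out;
        val = val * 10 + (*p - '0');
    }
    if (digits == 0 || *p != '>')
        return out;
    if ((val >> 3) >= NFACILITIES)     /* without this, 192..999 index past the table */
        return out;
    out.facility = val >> 3;
    out.severity = val & 7;
    out.valid = 1;
    return out;
}

/* Hypothetical selector table: one severity bitmask per facility. */
static unsigned char pmask[NFACILITIES + 1];

/* Returns 1 if the selector's mask accepts the message's facility.severity. */
int selector_matches(const char *msg)
{
    struct pri p = parse_pri(msg);
    return (pmask[p.facility] >> p.severity) & 1;   /* index is always 0..23 */
}
```

Messages rejected by the range check are still logged, but under the fallback priority, so they cannot select a rule through a neighbouring table entry.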

