A memory leak was found in the way rsyslog system log deamon processed log messages when the request to reduce the repeated messages ($RepeatedMsgReduction configuration directive) was enabled. A local attacker could use this flaw to cause denial of the rsyslogd daemon service (excessive memory use and potential abort) via sequence of repeated log messages, sent within short time period. References: [1] http://bugzilla.adiscon.com/show_bug.cgi?id=225 [2] http://www.openwall.com/lists/oss-security/2011/03/29/3 [3] http://www.openwall.com/lists/oss-security/2011/04/04/41 Upstream patches: [4] http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=dfa88369d4ca4290db56b843f9eabdae1bfe0fd5 [5] http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=8083bd1433449fd2b1b79bf759f782e0f64c0cd2
Public PoC (from [1]): ====================== config for repro (complete): ==== $ModLoad /home/rger/proj/rsyslog/plugins/imtcp/.libs/imtcp $RepeatedMsgReduction on $InputTCPServerRun 10514 *.* /dev/null ==== test command on sender: $ ./tcpflood -t 172.19.3.27 -p 10514 -m 1000 -c4 -Y -d350 -es
This issue did NOT affect the versions of the rsyslog package, as shipped with Red Hat Enterprise Linux 5 and 6. This issue did NOT affect the versions of the rsyslog package, as shipped with Fedora release of 13 and 14.
Statement: Not vulnerable. This issue did not affect the versions of rsyslog as shipped with Red Hat Enterprise Linux 5 and 6.