Red Hat Bugzilla – Attachment 943575 Details for
Bug 1142373
CVE-2014-3634 rsyslog: remote syslog PRI vulnerability
[patch]
patch to fix the flaw in sysklogd
sysklogd-1.5_CVE-2014-3634.diff (text/plain), 2.71 KB, created by
Vincent Danen
on 2014-10-02 21:03:34 UTC
>From 43797330e75d7d4687b7ae6926a996c3c85c2679 Mon Sep 17 00:00:00 2001 >From: mancha <mancha1 AT zoho DOT com> >Date: Wed, 1 Oct 2014 >Subject: CVE-2014-3634 > >Rainer Gerhards, rsyslog project leader, discovered an issue in rsyslogd >where invalid priority values can trigger DoS and potentially RCE. > >As he describes, the cause of the problem identified in rsyslog also >exists in sysklogd (from which rsyslogd was forked) and stems from the >way LOG_NFACILITIES and LOG_FACMASK get used. > >In sysklog's case, priority values up to 1023 (with facility values up to >127) can propagate through code making f_pmask array overreads of up >to 104 bytes within the filed structure possible. Though not sufficient >to reach unallocated memory (there are still 544 bytes in the filed >structure beyond the end of f_pmask), incorrect access of fields at >higher positions of the filed structure definition can cause unexpected >behavior including potential message mis-classification and loss. > >This patch imposes a restriction on PRI message parts and requires they >be properly-delimited priority value strings that have non-negative >numerical values not exceeding 191. As before, sysklogd allows zero >padding in the priority value string to support RFC-non-compliant loggers >that issue PRIs such as <0091>. Messages with malformed PRI parts are >logged with priority USER.NOTICE. > >I would like to thank Rainer for his initial report and analysis and >subsequent coordination. > >--- > syslogd.c | 25 +++++++++++++++++++------ > 1 file changed, 19 insertions(+), 6 deletions(-) > >--- a/syslogd.c >+++ b/syslogd.c >@@ -632,6 +632,8 @@ int funix[MAXFUNIX] = { -1, }; > #define TABLE_ALLPRI 0xFF /* Value to indicate all priorities in f_pmask */ > #define LOG_MARK LOG_MAKEPRI(LOG_NFACILITIES, 0) /* mark "facility" */ > >+#define MAX_PRI 191 /* Maximum Priority per RFC 3164 */ >+ > /* > * Flags to logmsg(). > */ 
>@@ -1491,23 +1493,34 @@ void printline(hname, msg) > register char *p, *q; > register unsigned char c; > char line[MAXLINE + 1]; >- int pri; >+ unsigned int pri; // Valid Priority values are 0-191 >+ int prilen=0; // Track Priority value string len >+ int msglen; > > /* test for special codes */ >+ msglen=strlen(msg); > pri = DEFUPRI; > p = msg; > > if (*p == '<') { > pri = 0; >- while (isdigit(*++p)) >- { >- pri = 10 * pri + (*p - '0'); >+ while (--msglen > 0 && isdigit((unsigned char)*++p) && >+ pri <= MAX_PRI) { >+ pri = 10 * pri + (*p - '0'); >+ prilen++; > } >- if (*p == '>') >+ if (*p == '>' && prilen) > ++p; >+ else { >+ pri = DEFUPRI; >+ p = msg; >+ } > } >- if (pri &~ (LOG_FACMASK|LOG_PRIMASK)) >+ >+ if ((pri &~ (LOG_FACMASK|LOG_PRIMASK)) || (pri > MAX_PRI)) { > pri = DEFUPRI; >+ p = msg; >+ } > > memset (line, 0, sizeof(line)); > q = line;
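Review bot: In the `@@ -632,6 +632,8 @@` hunk, `MAX_PRI` is a bare literal whose relation to the facility macros next to it is not documented. 191 is facility 23 with severity 7 (23*8 + 7), while the `LOG_MARK` definition on the line above is built from `LOG_MAKEPRI(LOG_NFACILITIES, 0)`; if `LOG_NFACILITIES` is 24, as the 0-23 facility range implies, the mark priority lies just above this limit, and the comment should say that this is intended. Spelling out the derivation in the comment, or defining the limit in terms of `LOG_NFACILITIES`, would keep the two from drifting apart.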
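Review bot: In the `@@ -1491,23 +1493,34 @@` hunk of printline(), `prilen` is only tested for being non-zero (`if (*p == '>' && prilen)`), so the length of the PRI string is limited only by the message length: a run of leading zeros of any size keeps `pri` at 0 and is accepted. The commit message allows zero padding for loggers that send PRIs such as <0091>, but a small upper bound on `prilen` in the `while` condition would keep that tolerance without accepting arbitrarily long digit strings. Two smaller points in the same hunk: once `pri` is unsigned and checked with `pri > MAX_PRI`, the `pri &~ (LOG_FACMASK|LOG_PRIMASK)` clause in the final `if` adds nothing (the commit message notes the mask passes values up to 1023) and could be dropped or explained; and the new declarations use `//` comments and assign `strlen()` to an `int`, while the surrounding code uses `/* */` comments, so matching the file's style and using `size_t` for `msglen` would be cleaner.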