From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2) Gecko/20040308

Description of problem: During a code review it was discovered that syslogd does not allocate enough memory to store all its pointers in the crunch list. The problem code around line 1266 is this:

    if ((result = (char **)malloc(sizeof(char *) * count+2)) == NULL)

There should be parentheses around the count+2 since multiplication otherwise takes place first. Without it, the array is not big enough and unexpected results (or core dump) may follow.

Version-Release number of selected component (if applicable): sysklogd-1.4.1-14

How reproducible: Always

Steps to Reproduce: Found in code review

Additional info: I will attach a patch that fixes this.
Created attachment 99250 [details] Patch that fixes the problem Please apply before Fedora Core 2 final.
This should be security noted for fc1, also.
Worthy of note to fedora legacy - this applies to rhl9 and probably rhl7.3
noted and patched in fedora legacy https://bugzilla.fedora.us/show_bug.cgi?id=1553
Note that this only affects crunch_args, which AFAIK is only called via commandline args. So not as much of a security issue.
I think you underestimate this bug. The crunch list is returned to a global variable that is later used for strcmp's in the main select loop. The memory just beyond the crunch list is free to be reassigned by glibc. Eventually it will be written to and all the values change. Around line 2056 you see this code:

    while (LocalHosts[count]) {
        if (!strcmp(hp->h_name, LocalHosts[count])) {
            *p = '\0';
            return (hp->h_name);
        }
        count++;
    }

Guess what happens when you do a strcmp with a random number as a pointer? With syslogd down, a lot of strange activity won't get recorded. People count on syslog to help provide an audit trail if something bad happens. It's such a simple bug to fix...please apply the patch. Admittedly, you have to be using the -l or -s option, but why risk it?
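An added example (not sysklogd's code) illustrating the precedence bug from the report and the loop above: `buggy_bytes` and `correct_bytes` return the size each expression actually requests, and `split_list` is a hypothetical stand-in for crunch_list() that allocates the count+2 pointers correctly and NULL-terminates the array so a walk like the LocalHosts loop always stops.

```c
#include <stdlib.h>
#include <string.h>

/* Size requested by the line in the report: multiplication binds first,
 * so only 2 extra bytes are added, not 2 extra pointers. */
size_t buggy_bytes(size_t count)   { return sizeof(char *) * count + 2; }
/* Size the code intended: count+2 pointers. */
size_t correct_bytes(size_t count) { return sizeof(char *) * (count + 2); }

void free_list(char **list)
{
    if (!list) return;
    for (size_t i = 0; list[i]; i++) free(list[i]);
    free(list);
}

/* Hypothetical crunch_list() stand-in: split "a,b,c" into a NULL-terminated
 * array. count = number of commas, so count+1 entries plus the NULL slot. */
char **split_list(const char *list)
{
    size_t count = 0, i = 0;
    for (const char *p = list; *p; p++)
        if (*p == ',') count++;
    /* calloc() does the multiply with an overflow check and zero-fills,
     * so the terminating NULL is in place before any entry is stored. */
    char **result = calloc(count + 2, sizeof(char *));
    if (result == NULL) return NULL;
    const char *start = list;
    for (;;) {
        const char *end = strchr(start, ',');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        char *item = malloc(len + 1);
        if (item == NULL) { free_list(result); return NULL; }
        memcpy(item, start, len);
        item[len] = '\0';
        result[i++] = item;
        if (!end) break;
        start = end + 1;
    }
    return result;
}

/* Walk the array the way the LocalHosts loop does; stops at the NULL slot. */
size_t list_len(char **list)
{
    size_t n = 0;
    while (list[n]) n++;
    return n;
}
```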
What I'm saying is that if it's only invoked on the commandline, then anyone maliciously invoking it already has root. A version of the patch will be applied, I'm just not seeing how it's a security vulnerability in and of itself.
Fixed in 1.4.1-16.
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2004-348.html
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2004-335.html