This was reported to security@redhat.com on 2003-04-18

/etc/log.d/scripts/services/secure contains this code (around line 88):

  while (defined($ThisLine = <STDIN>)) {
     chomp($ThisLine);
     $ThisLine =~ s/^... .. ..:..:.. [^ ]+ //;
     my $temp = $ThisLine;
X    $temp =~ s/^([^[]+).*/$1/;
     #print "Ignore: $Ignore [temp: $temp]\n";
Y    if ($Ignore =~ /$temp/i) {
        next;
     }

The key is in the lines X and Y.  It copies some text from the
logfile; anything in the log line *after* the date stamp and *before*
a "[" char.


It's still possible to use something like this:

  logger -p authpriv.notice '+++ connection closed by localhost +++'

That looks relatively "normal", but will result in the "secure" parser
script crashing, outputting something like this:

  Nested quantifiers in regex; marked by <-- HERE in m/++ <-- HERE  +
connection +closed by localhost +++/ at 
etc/log.d/scripts/services/secure line 88, <STDIN>
+line 1.

And any further syslog entries in the file are ignored, which could be
handy for an attacker to "hide" their attacks from the admin.  
However, nowhere near as scary as a remote- or local-root exploit. ;)

Fix:

- change

     if ($Ignore =~ /$temp/i) {

  to

     if ($Ignore =~ /\Q$temp\E/i) {

  in /etc/log.d/scripts/services/secure.   This will stop any regexp
  metachars in the syslog data from being used by Perl.

- This script, and other perl scripts in the logwatch pkg, should run
with -T for perl's taint mode, as it is handling untrusted data (the
syslog).  That would have indicated the presence of this bug.