Bug 137502
| Summary: | CAN-2005-1061 logwatch log processing regular expression DoS | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 2.1 | Reporter: | Josh Bressers <bressers> |
| Component: | logwatch | Assignee: | Jiri Ryska <jryska> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 2.1 | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | reported=20030418,public=20041028,impact=moderate,source=secalert | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-04-19 18:33:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
ping on this issue Fix confirmed in logwatch-2.6-2.EL2. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-364.html |
This was reported to security on 2003-04-18 /etc/log.d/scripts/services/secure contains this code (around line 88): while (defined($ThisLine = <STDIN>)) { chomp($ThisLine); $ThisLine =~ s/^... .. ..:..:.. [^ ]+ //; my $temp = $ThisLine; X $temp =~ s/^([^[]+).*/$1/; #print "Ignore: $Ignore [temp: $temp]\n"; Y if ($Ignore =~ /$temp/i) { next; } The key is in the lines X and Y. It copies some text from the logfile; anything in the log line *after* the date stamp and *before* a "[" char. It's still possible to use something like this: logger -p authpriv.notice '+++ connection closed by localhost +++' That looks relatively "normal", but will result in the "secure" parser script crashing, outputting something like this: Nested quantifiers in regex; marked by <-- HERE in m/++ <-- HERE + connection +closed by localhost +++/ at etc/log.d/scripts/services/secure line 88, <STDIN> +line 1. And any further syslog entries in the file are ignored, which could be handy for an attacker to "hide" their attacks from the admin. However, nowhere near as scary as a remote- or local-root exploit. ;) Fix: - change if ($Ignore =~ /$temp/i) { to if ($Ignore =~ /\Q$temp\E/i) { in /etc/log.d/scripts/services/secure. This will stop any regexp metachars in the syslog data from being used by Perl. - This script, and other perl scripts in the logwatch pkg, should run with -T for perl's taint mode, as it is handling untrusted data (the syslog). That would have indicated the presence of this bug.