This was reported to security on 2003-04-18

/etc/log.d/scripts/services/secure contains this code (around line 88):

    while (defined($ThisLine = <STDIN>)) {
        chomp($ThisLine);
        $ThisLine =~ s/^... .. ..:..:.. [^ ]+ //;
        my $temp = $ThisLine;
X       $temp =~ s/^([^[]+).*/$1/;
        #print "Ignore: $Ignore [temp: $temp]\n";
Y       if ($Ignore =~ /$temp/i) { next; }

The key is in the lines X and Y. It copies some text from the logfile; anything in the log line *after* the date stamp and *before* a "[" char. It's still possible to use something like this:

    logger -p authpriv.notice '+++ connection closed by localhost +++'

That looks relatively "normal", but will result in the "secure" parser script crashing, outputting something like this:

    Nested quantifiers in regex; marked by <-- HERE in m/++ <-- HERE + connection closed by localhost +++/ at etc/log.d/scripts/services/secure line 88, <STDIN> line 1.

And any further syslog entries in the file are ignored, which could be handy for an attacker to "hide" their attacks from the admin. However, nowhere near as scary as a remote- or local-root exploit. ;)

Fix:

- change

    if ($Ignore =~ /$temp/i) {

  to

    if ($Ignore =~ /\Q$temp\E/i) {

  in /etc/log.d/scripts/services/secure. This will stop any regexp metachars in the syslog data from being used by Perl.

- This script, and other perl scripts in the logwatch pkg, should run with -T for perl's taint mode, as it is handling untrusted data (the syslog). That would have indicated the presence of this bug.
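The following is an added illustration of the reporter's point, not code from logwatch or from the report above. It reproduces the script's stripping and matching steps on a few constructed log lines, runs them once with the original interpolated pattern and once with the \Q...\E fix, and traps the regex compile error with eval so the difference is visible in one run. The $Ignore string and the log lines are constructed for the example; the real script reads $Ignore from its configuration.

```perl
#!/usr/bin/perl
# Added example (not logwatch's own code): untrusted syslog text interpolated
# into a Perl pattern versus the same text quoted with \Q...\E.
use strict;
use warnings;

# Constructed sample lines in the "Mon DD HH:MM:SS host message" shape the
# secure script expects. The second line carries regex metacharacters.
my @lines = (
    "Apr 18 10:00:01 host1 sshd[123]: Accepted password for alice from 10.0.0.5",
    "Apr 18 10:00:02 host1 +++ connection closed by localhost +++",
    "Apr 18 10:00:03 host1 CRON[55]: pam_unix(cron:session): session opened",
);

# Hypothetical ignore list, standing in for the script's configured $Ignore.
my $Ignore = "cron; connection closed by localhost";

# Original form: $temp becomes part of the pattern, so any metacharacters in
# the log line are interpreted by the regex engine.
sub match_unsafe {
    my ($ignore, $temp) = @_;
    return $ignore =~ /$temp/i ? 1 : 0;
}

# Fixed form: \Q...\E quotes metacharacters, so $temp is matched literally.
sub match_safe {
    my ($ignore, $temp) = @_;
    return $ignore =~ /\Q$temp\E/i ? 1 : 0;
}

# Mirrors the loop in the secure script; returns the number of lines that
# were actually processed (not ignored and not lost to a crash).
sub process {
    my ($matcher, @input) = @_;
    my $processed = 0;
    for my $raw (@input) {
        my $ThisLine = $raw;                        # copy, do not alias @input
        $ThisLine =~ s/^... .. ..:..:.. [^ ]+ //;   # strip timestamp and host
        my $temp = $ThisLine;
        $temp =~ s/^([^[]+).*/$1/;                  # keep text before first "["
        my $hit = eval { $matcher->($Ignore, $temp) };
        if ($@) {
            # The real script dies here; every remaining line is never seen.
            print "regex error, remaining lines lost: $@";
            return $processed;
        }
        next if $hit;                               # entry is on the ignore list
        $processed++;
        print "processed: $ThisLine\n";
    }
    return $processed;
}

print "--- interpolated pattern ---\n";
my $n_unsafe = process(\&match_unsafe, @lines);   # 1 line, then the crash
print "lines processed: $n_unsafe\n\n";

print "--- \\Q...\\E pattern ---\n";
my $n_safe = process(\&match_safe, @lines);       # 2 lines; CRON entry ignored
print "lines processed: $n_safe\n";
```

Run with `perl example.pl`. The first pass stops at the second line with a regex compile error, so the CRON entry and anything after it is never examined; the second pass treats the "+++" text as a literal string, does not find it in $Ignore, and carries on to the end. Note that the script's comparison runs in the direction `$Ignore =~ /$temp/`, i.e. it searches the log text inside the ignore string, which the example keeps as-is.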
ping on this issue
Fix confirmed in logwatch-2.6-2.EL2.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-364.html