Bug 137502 - CAN-2005-1061 logwatch log processing regular expression DoS
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: logwatch
Version: 2.1
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Jiri Ryska
Whiteboard: reported=20030418,public=20041028,imp...
Keywords: Security
Reported: 2004-10-28 17:37 EDT by Josh Bressers
Modified: 2007-11-30 17:06 EST
Last Closed: 2005-04-19 14:33:30 EDT
Description Josh Bressers 2004-10-28 17:37:13 EDT
This was reported to security@redhat.com on 2003-04-18

/etc/log.d/scripts/services/secure contains this code (around line 88):

  while (defined($ThisLine = <STDIN>)) {
     chomp($ThisLine);
     $ThisLine =~ s/^... .. ..:..:.. [^ ]+ //;
     my $temp = $ThisLine;
X    $temp =~ s/^([^[]+).*/$1/;
     #print "Ignore: $Ignore [temp: $temp]\n";
Y    if ($Ignore =~ /$temp/i) {
        next;
     }

The key is in the lines X and Y.  It copies some text from the
logfile; anything in the log line *after* the date stamp and *before*
a "[" char.


It's still possible to use something like this:

  logger -p authpriv.notice '+++ connection closed by localhost +++'

That looks relatively "normal", but will result in the "secure" parser
script crashing, outputting something like this:

  Nested quantifiers in regex; marked by <-- HERE in m/++ <-- HERE  +
connection +closed by localhost +++/ at 
etc/log.d/scripts/services/secure line 88, <STDIN>
+line 1.

And any further syslog entries in the file are ignored, which could be
handy for an attacker to "hide" their attacks from the admin.  
However, nowhere near as scary as a remote- or local-root exploit. ;)

Fix:

- change

     if ($Ignore =~ /$temp/i) {

  to

     if ($Ignore =~ /\Q$temp\E/i) {

  in /etc/log.d/scripts/services/secure.   This will stop any regexp
  metachars in the syslog data from being used by Perl.

- This script, and other perl scripts in the logwatch pkg, should run
  with -T for perl's taint mode, as it is handling untrusted data (the
  syslog).  That would have indicated the presence of this bug.
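
The failure and the fix described in the report above, as an added example that is not part of the original report or the logwatch source: it runs the excerpt's extraction over three constructed syslog lines, once with the unquoted match and once with the \Q...\E form. The $Ignore value, the log lines and the helper names service_key and run_parser are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for logwatch's $Ignore setting (not the real config value).
my $Ignore = 'sshd pam_unix';

# Constructed syslog lines; the second carries the '+++' text from the report.
my @log = (
    'Oct 28 17:30:01 host sshd[1234]: Accepted password for alice',
    'Oct 28 17:30:02 host alice: +++ connection closed by localhost +++',
    'Oct 28 17:30:03 host su[1240]: FAILED su for root by mallory',
);

# Same extraction as the excerpt: drop timestamp and host, keep the text before "[".
sub service_key {
    my ($line) = @_;
    $line =~ s/^... .. ..:..:.. [^ ]+ //;
    $line =~ s/^([^[]+).*/$1/;
    return $line;
}

# Run one matcher over the log. A regex compile error stops processing, which is
# what happens to the unpatched script (there it is fatal; here eval reports it).
sub run_parser {
    my ($matcher) = @_;
    my ($seen, $err) = (0, '');
    for my $line (@log) {
        my $key = service_key($line);
        my $ok  = eval { $matcher->($key); 1 };
        if (!$ok) { $err = $@; last; }
        $seen++;
    }
    return ($seen, $err);
}

my @matchers = (
    [ 'unquoted /$temp/i',   sub { my $t = shift; $Ignore =~ /$t/i } ],
    [ 'quoted /\Q$temp\E/i', sub { my $t = shift; $Ignore =~ /\Q$t\E/i } ],
);

for my $m (@matchers) {
    my ($name, $code) = @$m;
    my ($seen, $err) = run_parser($code);
    printf "%-22s processed %d of %d lines%s\n", $name, $seen, scalar @log,
        $err ? ' (died: ' . (split /;/, $err)[0] . ')' : '';
}
```

With the unquoted match the run stops at the second line, so the failed su entry after it is never examined; with \Q...\E all three lines are processed.
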
Comment 1 Josh Bressers 2004-11-26 11:13:24 EST
ping on this issue
Comment 5 Jay Turner 2005-04-09 06:45:54 EDT
Fix confirmed in logwatch-2.6-2.EL2.
Comment 6 Josh Bressers 2005-04-19 14:33:30 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-364.html
