During a code review it was discovered that syslogd does not allocate enough memory to store all its pointers in the crunch list. The problem code around line 1266 is this:

    if ((result = (char **)malloc(sizeof(char *) * count+2)) == NULL)

There should be parentheses around the count+2 since multiplication otherwise takes place first. Without it, the array is not big enough and unexpected results (or core dump) may follow.

------- Additional Comments From rok.papez 2004-04-30 22:32:59 ----

This *seems* to be a fix:

diff -ur sysklogd-1.4.1rh.orig/syslogd.c sysklogd-1.4.1rh/syslogd.c
--- sysklogd-1.4.1rh.orig/syslogd.c	2001-08-15 13:16:05.000000000 -0400
+++ sysklogd-1.4.1rh/syslogd.c	2004-04-08 17:09:42.000000000 -0400
@@ -1266,12 +1266,10 @@
 	/* strip off trailing delimiters */
 	while (p[strlen(p)-1] == LIST_DELIMITER) {
-		count--;
 		p[strlen(p)-1] = '\0';
 	}
 	/* cut off leading delimiters */
 	while (p[0] == LIST_DELIMITER) {
-		count--;
 		p++;
 	}
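Review bot: dropping the two `count--` lines is correct, because the `for (count=i=0; ...)` loop that follows reinitialises `count` before it is used, so both decrements were dead writes (and, with no initialisation visible before them, decrements of an indeterminate value). The trailing-delimiter loop that stays, `while (p[strlen(p)-1] == LIST_DELIMITER)`, still reads p[-1] when the list is empty or consists only of delimiters, since strlen(p) reaches 0 after the last one is cut; guard it with `while (*p && p[strlen(p)-1] == LIST_DELIMITER)`.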
@@ -1279,7 +1277,7 @@
 	for (count=i=0; p[i]; i++)
 		if (p[i] == LIST_DELIMITER) count++;
-	if ((result = (char **)malloc(sizeof(char *) * count+2)) == NULL) {
+	if ((result = (char **)malloc(sizeof(char *) * (count+2))) == NULL) {
 		printf ("Sorry, can't get enough memory, exiting.\n");
 		exit(0);
 	}

------- Additional Comments From skvidal.edu 2004-04-30 22:39:57 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

packages for rhl 7.3 (probably 7.x) and rhl9 for sysklogd crunchlist memory overrun

448d22dcd867142e71f88892ef883af5  ./9/sysklogd-1.4.1-13.legacy.9.i386.rpm
f533cfac620ab26620f6f2077c4cc3a9  ./9/sysklogd-debuginfo-1.4.1-13.legacy.9.i386.rpm
a1b6863d5c653b797c446fa4194d27af  ./9/sysklogd-1.4.1-13.legacy.9.src.rpm
2c86305eb39cd37cb85c6172bb25d5b8  ./7x/sysklogd-1.4.1-9.legacy.7x.src.rpm
9d98616b7dcb25a20b3453b8f7973ebf  ./7x/sysklogd-1.4.1-9.legacy.7x.i386.rpm

available at:
http://linux.duke.edu/~skvidal/RPMS/legacy/sysklogd/

tested on 7.3 and 9 - works fine
trivial patch applied from RHL bug report against FC2

please QA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAk2HD1Aj3x2mIbMcRAlQuAKCk96RJPCtAL+XovHaPKjAOc18c6gCeLU5+
Fi1o+TiyjFffNnNoaB/ahkQ=
=7KK8
-----END PGP SIGNATURE-----

------- Additional Comments From rok.papez 2004-05-01 00:01:12 ----

QA testing report:
==============
1. SRPMS inspection: only a code patch was added, source files are owned by user "skvidal", no other changes
2. Code inspection: PASS
3. SRPMS rebuild: PASS
4. RPM Upgrade: PASS
5.
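Review bot: the parenthesised size is right (count delimiters separate count+1 fields, plus the NULL terminator, so count+2 pointers, where the old expression requested count pointers plus two bytes), but the failure branch kept as context still calls `exit(0)`, which reports success to the caller after an allocation failure, and writes the message with `printf` to stdout where it is unlikely to be seen from a daemon; use `exit(1)` and `fprintf(stderr, ...)`.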
Functionality test: PASS

------- Additional Comments From bugs.michael 2004-05-01 02:45:45 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1 2b9a5c02fc572104206bb3c372416dc18105cbfb  sysklogd-1.4.1-9.legacy.7x.src.rpm
MD5  2c86305eb39cd37cb85c6172bb25d5b8  sysklogd-1.4.1-9.legacy.7x.src.rpm

* src.rpm is not signed
* sources have not changed
* patch makes sense
* binary build compared with 1.4.1-8 (rh73)

++PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAk5uU0iMVcrivHFQRAoQ+AJ0UER+TQRvUQlrgNliRFulKmNQbHACfXia0
s7sAepJ5wr8VG5pStVvMAK8=
=AsqS
-----END PGP SIGNATURE-----

------- Additional Comments From notting 2004-05-01 16:35:38 ----

AFAIK, crunch_list is only called from the command line, so it's not an exploitable security issue (although it is a bug.) The attached may be more complete, FWIW.

------- Additional Comments From notting 2004-05-01 16:36:09 ----

Created an attachment (id=646)
more involved patch... from Owl

------- Additional Comments From rok.papez 2004-05-02 00:21:49 ----

I've prepared new rpms with OWL patches:
http://rok.iprom.si/~rok/fedora_legacy/
5eb98741f9f38a0c870c5a9d8b5eb780  sysklogd-1.4.1-14.legacy.9.i386.rpm
32ec7a2f2d858e37f6232f01cdc0cfff  sysklogd-1.4.1-14.legacy.9.src.rpm

I did a CI and the owl patch seems fine/better.

------- Additional Comments From jonny.strom 2004-05-02 00:38:05 ----

I tested the rpm's from http://rok.iprom.si/~rok/fedora_legacy/ with the more complete owl patch, and syslog is working as expected.

------- Additional Comments From bugs.michael 2004-05-02 02:23:12 ----

In reply to comment 6, the patch cleans up the code a bit, but doesn't add more safety. E.g. the "while (*p &&" near the top. p is never zero, because getopt requires an argument. If it were possible for p to be zero, the p[0] in the next while statement [and beyond] would be disastrous. The exit(0) -> exit(1) change is nice, but paranoid.
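The sizing arithmetic from the report, together with the empty-input case touched on in the comment above, worked through as an added example. This is not code from sysklogd, from the patch in this bug, or from the Owl patch: split_list() is a re-implementation that keeps the same steps (strip delimiters, count them, allocate, copy fields, NULL-terminate) so the allocation can be checked in isolation; the ',' delimiter, the function names and the helper functions are this example's own assumptions.

```c
/* Added illustration of the crunch_list sizing bug in this report.  Not
 * sysklogd code: split_list() re-implements the same steps (strip
 * delimiters, count, allocate, copy fields, NULL-terminate) so the
 * allocation arithmetic can be checked in isolation.  The ',' delimiter
 * and the function names are this example's own assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIST_DELIMITER ','

/* What the original requests: '*' binds tighter than '+', so this is
 * ndelim pointers plus two BYTES, not two more pointers. */
size_t buggy_bytes(size_t ndelim) { return sizeof(char *) * ndelim + 2; }

/* What is needed: ndelim delimiters separate ndelim+1 fields, plus the
 * terminating NULL, so ndelim+2 pointer slots. */
size_t fixed_bytes(size_t ndelim) { return sizeof(char *) * (ndelim + 2); }

/* strndup without the feature-test macro it would need */
static char *dup_range(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d != NULL) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* number of entries before the NULL terminator; 0 for a NULL list */
size_t list_len(char *const *v)
{
    size_t n = 0;
    while (v != NULL && v[n] != NULL)
        n++;
    return n;
}

void free_list(char **v)
{
    for (size_t i = 0, n = list_len(v); i < n; i++) free(v[i]);
    free(v);
}

/* Split a delimiter-separated list into a NULL-terminated array of
 * heap-allocated strings; NULL on allocation failure.  Unlike the loops
 * in the original, an empty or all-delimiter input never reads p[-1]. */
char **split_list(const char *list)
{
    char *buf = dup_range(list, strlen(list)); /* private, writable copy */
    if (buf == NULL)
        return NULL;
    char *p = buf;
    size_t len = strlen(p);
    /* strip trailing delimiters; len > 0 is the guard the original lacks */
    while (len > 0 && p[len - 1] == LIST_DELIMITER)
        p[--len] = '\0';
    /* cut off leading delimiters */
    while (*p == LIST_DELIMITER)
        p++;
    size_t ndelim = 0;
    for (const char *s = p; *s != '\0'; s++)
        ndelim += (*s == LIST_DELIMITER);
    /* ndelim+1 fields plus the NULL: the parentheses are the whole fix */
    char **result = calloc(ndelim + 2, sizeof(char *));
    if (result == NULL) {
        free(buf);
        return NULL;
    }
    size_t n = 0;
    for (char *q; (q = strchr(p, LIST_DELIMITER)) != NULL; p = q + 1, n++)
        if ((result[n] = dup_range(p, (size_t)(q - p))) == NULL)
            goto fail;
    if ((result[n] = dup_range(p, strlen(p))) == NULL) /* last field */
        goto fail;
    result[n + 1] = NULL;
    free(buf);
    return result;
fail:
    free_list(result); /* calloc zeroed the rest, so list_len stops early */
    free(buf);
    return NULL;
}

/* Helpers for checks: field count, and whether field idx equals want. */
size_t count_fields(const char *list)
{
    char **v = split_list(list);
    size_t n = list_len(v);
    free_list(v);
    return n;
}

int field_equals(const char *list, size_t idx, const char *want)
{
    char **v = split_list(list);
    int ok = idx < list_len(v) && strcmp(v[idx], want) == 0;
    free_list(v);
    return ok;
}
```

buggy_bytes(n) and fixed_bytes(n) differ by 2*sizeof(char *) - 2 bytes whatever n is (14 bytes on a 64-bit build, 6 on 32-bit): the NULL terminator and most of the pointer to the last field land past the end of the allocation, which is why the original showed up as "unexpected results (or core dump)" rather than a clean failure. The `len > 0` guard on the trailing-delimiter loop is what keeps an input like ",,," from indexing p[-1].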
------- Additional Comments From jonny.strom 2004-05-02 06:38:52 ----

An update for Redhat 7.3 is available that includes the more complete owl patch:

The update can be downloaded from here:
http://av8.netikka.fi/~johnny/fedora_legacy/rh73/

http://213.250.83.8/~johnny/fedora_legacy/rh73/sysklogd-1.4.1-9.legacy.i386.rpm  e9a52bf14f0ef005ac614789f2fe36f6
http://213.250.83.8/~johnny/fedora_legacy/rh73/sysklogd-1.4.1-9.legacy.src.rpm  aaec8729b03768ee2f4696f06fcddc8a
http://213.250.83.8/~johnny/fedora_legacy/rh73/sysklogd-crunchlist-owl.patch  6c093547189ee28fae019710e53c4aee

Basic testing was done and sysklogd is working as expected.

------- Additional Comments From villegas.edu 2004-05-05 04:25:17 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I QA'ed the package referred to in comment 5 (R: 14.legacy.9):
1. Sources are same as on RH9 release.
2. Spec is clean (safe) and based on the RH9 one. builds clean
3. Installs (upgrades) clean, works as expected.

I vote for publish.

Carlos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAmPjjnACJnHU2u1ERAjYmAKCHteWHAaeuTYiOqT5/ltQmzBdbSACdEYNP
lt5ZT94jqLuLbKmaetSotNc=
=Q0iQ
-----END PGP SIGNATURE-----

------- Additional Comments From bugs.michael 2004-05-05 04:32:37 ----

There is no package in comment 5. And since there are two different packages for rh9, please include URL and MD5 checksum of the package you refer to.

------- Additional Comments From bugs.michael 2004-05-05 04:33:32 ----

Carlos, adding you to Cc since previous comment was addressed to you.

------- Additional Comments From villegas.edu 2004-05-05 04:39:48 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry about that, I meant comment 7..., the MD5 is:
32ec7a2f2d858e37f6232f01cdc0cfff  sysklogd-1.4.1-14.legacy.9.src.rpm
From: http://rok.iprom.si/~rok/fedora_legacy/

Also by Jessee's request yesterday on the mailing list, I'm adding sha1:
4eee546bbbe5a2b27bd17ad2f24515480de3b284  sysklogd-1.4.1-14.legacy.9.src.rpm

Carlos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAmPyKnACJnHU2u1ERAhMsAJ4rxqp5A8014K2vtCetA97RlmGBkgCeOkM3
oeaeOfyW7zdb4lcuwLzmJG4=
=1W6o
-----END PGP SIGNATURE-----

------- Additional Comments From bugs.michael 2004-05-05 07:22:09 ----

Two publish votes for rh9 package.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1 4eee546bbbe5a2b27bd17ad2f24515480de3b284  sysklogd-1.4.1-14.legacy.9.src.rpm

* src.rpm is signed
* sources have not changed
* patch is the same as linked by Bill Nottingham
* proof-read patch (I was wrong about the *p check in comment 9)

++PUBLISH

* %release should _not_ be higher than 13, because 1.4.1-13 is the sysklogd package from Fedora Core 1.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAmSJ30iMVcrivHFQRArLCAJ9xOLr06jO/6WMA1X8mxVSydaY7DQCfQz0q
s76BGJaRmsGiSWFl4MsolW0=
=YrGy
-----END PGP SIGNATURE-----

------- Additional Comments From bugs.michael 2004-05-05 08:58:16 ----

Btw, the package difference between rh73 and rh9 is that the tarball in the rh73 package strip-installs the binaries. This was dropped in new releases. So, the legacy update at http://rok.iprom.si/~rok/fedora_legacy/sysklogd-1.4.1-14.legacy.9.src.rpm can be used for rh73, rh80 and rh9. The tarball in the rh72 package is a much older one.

------- Additional Comments From jkeating 2004-05-06 19:37:45 ----

strange, the tarball in 7.2 is older? They all have the same 1.4.1 base release, which would assume the same tarball, is this not true?
------- Additional Comments From skvidal.edu 2004-05-06 19:39:46 ----

md5sum it - I'm pretty sure it changes a bit as it goes on in RH's own tree of syslogd

------- Additional Comments From bugs.michael 2004-05-07 01:57:43 ----

The console log level was changed between rh72 and rh73, for instance. Also see ./redhat/ChangeLog in the tarball.

------- Additional Comments From jkeating 2004-06-16 16:17:15 ----

Pushed to updates-testing:
http://download.fedoralegacy.org/redhat/

3f8e285b96ae0edac5e13ac79ac399370273aabf  7.3/updates-testing/SRPMS/sysklogd-1.4.1-14.legacy.7x.src.rpm
f0f67bd5db849a382f6535363b6233f8e72a45c5  7.3/updates-testing/i386/sysklogd-1.4.1-14.legacy.7x.i386.rpm
ed1462e72e4ab23e7bb3ec270a4df7fa3216dd5e  9/updates-testing/SRPMS/sysklogd-1.4.1-14.legacy.9.src.rpm
9a5972d1b3485c875b8f57b7b277341a74958d4b  9/updates-testing/i386/sysklogd-1.4.1-14.legacy.9.i386.rpm

------- Additional Comments From rmy.uk 2004-06-18 00:00:51 ----

-----BEGIN PGP SIGNED MESSAGE-----

I've installed the rh7x RPM on four machines. All of them are working happily.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iQCVAwUBQNK9Mh2/joqPEUdFAQHiiAP+N7c7S8u+oaUZiSXeL47zVIbu5JdkqS3j
bCCWCj8ShHs4tp0nFP0ngE0fpzz/tv8V9qn+s7cVgjQuSQFnYxblE19ED5VyS4jy
serCvIk3d1v75cciHAOBq6y559oPzcXvodBbWbcmJdJDHD5HW3zh154Zt9RWdhM/
fgBvbHpbycg=
=acpt
-----END PGP SIGNATURE-----

------- Additional Comments From villegas.edu 2004-06-18 04:31:32 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've been using sysklogd-1.4.1-14.legacy.9 on a couple of RH9 boxes since it was released to updates-testing, everything is working as expected.

Carlos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFA0vyinACJnHU2u1ERAhArAKCKid/CZ95v8AHnMrSWW+dDyiOoVgCgwDD4
8FPYJe+tZ51y5UVuZzoLabc=
=2tBB
-----END PGP SIGNATURE-----

------- Additional Comments From dom 2004-06-21 06:46:31 ----

1.4.1-14.legacy.7x installs and runs fine on rh7.3.
------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1553 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1553
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
more involved patch... from Owl
https://bugzilla.fedora.us/attachment.cgi?action=view&id=646

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.