A denial of service flaw was found in the way syslog-ng processed certain log patterns when the 'global' flag was specified and the PCRE backend was used for matching. A remote attacker could use this flaw to cause excessive memory use by the syslog-ng process via a specially-crafted pattern.

References:
[1] http://www.securityfocus.com/bid/47800/info
[2] https://lists.balabit.hu/pipermail/syslog-ng/2011-May/016576.html

Upstream patch:
[3] http://git.balabit.hu/?p=bazsi/syslog-ng-3.2.git;a=commit;h=09710c0b105e579d35c7b5f6c66d1ea5e3a3d3ff
CVE Request: [4] http://www.openwall.com/lists/oss-security/2011/05/26/1
This issue affects the versions of the syslog-ng package as shipped with Fedora releases 13 and 14. This issue does not affect the version of the syslog-ng package as shipped with Fedora 15 and as present within the EPEL-6 repository. Those versions were already updated to upstream version v3.2.4, addressing this vulnerability.
Created syslog-ng tracking bugs for this issue

Affects: fedora-14 [bug 709092]
Affects: fedora-13 [bug 709093]
The report indicates that this only affects syslog-ng when used with a newer pcre (8.12 or higher); we only have pcre 8.12 in Fedora 15. In Fedora 14 we have 8.10 and in Fedora 13 we have 7.8, so this issue should not affect those platforms unless they upgrade pcre. Since it's unlikely that Fedora 13 will upgrade pcre at this point (although it might be possible yet for Fedora 14), I'm going to close the Fedora 13 tracker, but will keep the Fedora 14 tracker open.
The CVE identifier of CVE-2011-1951 has been assigned to this issue.
(In reply to comment #4)
> The report indicates that this only affects syslog-ng when used with a newer
> pcre (8.12 or higher); we only have pcre 8.12 in Fedora 15. In Fedora 14 we
> have 8.10 and in Fedora 13 we have 7.8, so this issue should not affect
> those platforms unless they upgrade pcre.

The syslog-ng v3.2.4 announcement:
[1] https://lists.balabit.hu/pipermail/syslog-ng/2011-May/016576.html

mentions it's hypothetically possible this may affect older versions too:
"It is triggered by PCRE 8.12, but could potentially affect older versions too."

Though not sure how valid that upstream statement is (didn't try it), I would recommend updating all Fedora versions (i.e. also F-13 and F-14) just in case there is some way to trigger this. Only to be sure and on the safe side.

> Since it's unlikely that Fedora 13 will upgrade pcre at this point (although it
> might be possible yet for Fedora 14), I'm going to close the Fedora 13 tracker,
> but will keep the Fedora 14 tracker open.
Upstream patch for syslog-ng 3.1:
* http://git.balabit.hu/?p=bazsi/syslog-ng-3.1.git;a=commitdiff;h=35de55e53dd653c50c8da5daf41a99ab22e7e8aa
Relevant mailing list thread (and mails):
* [syslog-ng] rewrite problem
  https://lists.balabit.hu/pipermail/syslog-ng/2011-April/016444.html
  https://lists.balabit.hu/pipermail/syslog-ng/2011-May/016503.html
  https://lists.balabit.hu/pipermail/syslog-ng/2011-May/016537.html
Closing ticket (errata information for F13 and F14 available in tickets #709092 and #709093).
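
An added example, not part of this bug report and not syslog-ng project code: a Python script that audits a syslog-ng configuration for the precondition named in the description above, i.e. a subst() or match() statement that combines type("pcre") with flags("global"). The sample configuration and the function names prepare() and audit() are constructed for illustration; include files are not followed.

```python
import re

# Constructed sample syslog-ng.conf (not taken from the bug report).
SAMPLE_CONF = r'''@version: 3.2
rewrite r_strip { subst("\\s+", " ", value("MESSAGE"), type("pcre"), flags("global")); };
rewrite r_first { subst("foo", "bar", value("MESSAGE"), type("pcre")); };
rewrite r_posix { subst("foo", "bar", value("MESSAGE"), type("posix"), flags("global")); };
# subst("x", "y", type("pcre"), flags("global"));   disabled rule
rewrite r_multi { subst("\\)+$", "", value("MESSAGE"),
    flags("ignore-case", "global"), type("pcre")); };
'''

STR_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|\'[^\']*\'|#[^\n]*')
CALL_RE = re.compile(r'\b(subst|match)\s*\(')
TYPE_RE = re.compile(r'\btype\s*\(\s*"?([\w-]+)"?\s*\)')
FLAGS_RE = re.compile(r'\bflags\s*\(([^)]*)\)')

def prepare(conf):
    """Return (text, masked): comments removed; masked also blanks string bodies."""
    text = STR_OR_COMMENT.sub(lambda m: "" if m.group()[0] == "#" else m.group(), conf)
    masked = STR_OR_COMMENT.sub(
        lambda m: m.group()[0] + "_" * (len(m.group()) - 2) + m.group()[-1], text)
    return text, masked          # same length, so indexes are interchangeable

def audit(conf):
    """Return [(line, call)] for statements using type(pcre) with the global flag."""
    text, masked = prepare(conf)
    hits = []
    for m in CALL_RE.finditer(masked):
        depth, i = 1, m.end()
        while i < len(masked) and depth:      # find the call's closing ')'
            depth += {"(": 1, ")": -1}.get(masked[i], 0)
            i += 1
        args = text[m.end():i - 1]            # options read from unmasked text
        types = {t.lower() for t in TYPE_RE.findall(args)}
        flags = {f.strip("\"'").lower()
                 for group in FLAGS_RE.findall(args)
                 for f in re.split(r"[,\s]+", group)}
        if "pcre" in types and "global" in flags:
            hits.append((text.count("\n", 0, m.start()) + 1, m.group(1)))
    return hits

if __name__ == "__main__":
    for line, call in audit(SAMPLE_CONF):
        print(f"line {line}: {call}() uses type(pcre) with flags(global)")
```

A hit only shows that the configuration meets the condition in the description; whether the host is exposed still depends on the installed syslog-ng and pcre versions discussed in the comments above.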