Bug 709088 (CVE-2011-1951) - CVE-2011-1951 syslog-ng: DoS (excessive memory use) by processing certain pcre patterns
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1951
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 709092 709093
Blocks:
Reported: 2011-05-30 15:13 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:45 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-01 12:19:45 UTC



Description Jan Lieskovsky 2011-05-30 15:13:24 UTC
A denial of service flaw was found in the way syslog-ng processed
certain log patterns when the 'global' flag was specified and the PCRE
backend was used for matching. A remote attacker could use this flaw to
cause excessive memory use by the syslog-ng process via a specially-crafted
pattern.

References:
[1] http://www.securityfocus.com/bid/47800/info
[2] https://lists.balabit.hu/pipermail/syslog-ng/2011-May/016576.html

Upstream patch:
[3] http://git.balabit.hu/?p=bazsi/syslog-ng-3.2.git;a=commit;h=09710c0b105e579d35c7b5f6c66d1ea5e3a3d3ff

Comment 1 Jan Lieskovsky 2011-05-30 15:14:40 UTC
CVE Request:
[4] http://www.openwall.com/lists/oss-security/2011/05/26/1

Comment 2 Jan Lieskovsky 2011-05-30 15:16:07 UTC
This issue affects the versions of the syslog-ng package as shipped with
Fedora releases 13 and 14.

This issue does not affect the version of the syslog-ng package as shipped
with Fedora 15 and as present within the EPEL-6 repository. Those versions were
already updated to upstream version v3.2.4, addressing this vulnerability.

Comment 3 Jan Lieskovsky 2011-05-30 15:17:18 UTC
Created syslog-ng tracking bugs for this issue

Affects: fedora-14 [bug 709092]
Affects: fedora-13 [bug 709093]

Comment 4 Vincent Danen 2011-05-31 15:56:27 UTC
The report indicates that this only affects syslog-ng when used with a newer pcre (8.12 or higher); we only have pcre 8.12 in Fedora 15.  In Fedora 14 we have 8.10 and in Fedora 13 we have 7.8, so this issue should not affect those platforms unless they upgrade pcre.

Since it's unlikely that Fedora 13 will upgrade pcre at this point (although it might be possible yet for Fedora 14), I'm going to close the Fedora 13 tracker, but will keep the Fedora 14 tracker open.

Comment 5 Jan Lieskovsky 2011-06-01 16:08:56 UTC
The CVE identifier of CVE-2011-1951 has been assigned to this issue.

Comment 6 Jan Lieskovsky 2011-06-01 16:18:58 UTC
(In reply to comment #4)
> The report indicates that this only affects syslog-ng when used with a newer
> pcre (8.12 or higher); we only have pcre 8.12 in Fedora 15.  In Fedora 14 we
> have 8.10 and in Fedora 13 we have 7.8, so this issue should not affect
> those platforms unless they upgrade pcre.

The syslog-ng v3.2.4 announcement:
[1] https://lists.balabit.hu/pipermail/syslog-ng/2011-May/016576.html

mentions it's hypothetically possible this may affect older versions too:

"It is triggered by PCRE 8.12, but could potentially affect older versions too."

Though I'm not sure how valid that upstream statement is (didn't try it),
I would recommend updating all Fedora versions (i.e. also F-13 and F-14) just
in case there is some way to trigger this, only to be sure and on the
safe side.

> 
> Since it's unlikely that Fedora 13 will upgrade pcre at this point (although it
> might be possible yet for Fedora 14), I'm going to close the Fedora 13 tracker,
> but will keep the Fedora 14 tracker open.

Comment 7 Jose Pedro Oliveira 2011-06-17 03:07:53 UTC
Upstream patch for syslog-ng 3.1:

 * http://git.balabit.hu/?p=bazsi/syslog-ng-3.1.git;a=commitdiff;h=35de55e53dd653c50c8da5daf41a99ab22e7e8aa

Comment 9 Jose Pedro Oliveira 2011-08-01 12:19:45 UTC
Closing ticket (errata information for F13 and F14 available in tickets #709092 and #709093).
