[syslog-ng]Security: syslog-ng 1.4.x and 1.5.x is vulnerable to
buffer overflow
William Yodlowsky
wyodlows@andromeda.rutgers.edu
Fri, 04 Oct 2002 09:44:55 -0400
Balazs Scheidler <bazsi@balabit.hu> wrote:
> On Fri, Oct 04, 2002 at 12:24:49AM -0400, William Yodlowsky wrote:
> > #0 0xff141f74 in realfree () from /usr/lib/libc.so.1
> > #1 0xff142880 in cleanfree () from /usr/lib/libc.so.1
> > #2 0xff1419b4 in _malloc_unlocked () from /usr/lib/libc.so.1
> > #3 0xff1418a8 in malloc () from /usr/lib/libc.so.1
> > #4 0x2abf8 in xalloc ()
> > #5 0x2adc0 in ol_space_alloc ()
> > #6 0x199c0 in make_log_info ()
> > #7 0x1628c in do_handle_line ()
> > #8 0x16750 in do_read_line ()
> > #9 0x28e9c in read_callback ()
> > #10 0x28b78 in io_iter ()
> > #11 0x1548c in main_loop ()
> > #12 0x1607c in main ()
> > (gdb) The program is running. Exit anyway? (y or n) y
> > #
> >
> > If there's a way I can help in debugging this further, please let me
> > know. I refrain from posting my config file because it's quite large
> > (over 100 lines).
>
> Hmm.. I've started syslog-ng on a solaris 8 system. It started and seems to
> work. I try to send log traffic to it, but at first I was unable to
> reproduce the problem. (the system I run it on is a Sun Ultra II with two
> 300 MHz processors and 768 MB RAM)
>
> The fact that it segfaults in malloc() seems to indicate that there's a
> problem in syslog-ng (double free, overwritten memory block chains or
> something)
Some more info...
* 1.5.13 runs flawlessly on that system
* Our syslog clients seem to work fine (minimal config file)
* Central syslog server segfaults (I know kondou@isc.org mentioned that it
was their central server too)
Since I haven't tried running 1.5.14-1.5.20 I'm going to give them a try
to see if the problem is in one of those previous releases. That may
make it easier to track down.
Thanks!