[syslog-ng]Security: syslog-ng 1.4.x and 1.5.x is vulnerable to buffer overflow

William Yodlowsky wyodlows@andromeda.rutgers.edu
Wed, 09 Oct 2002 12:27:24 -0400

William Yodlowsky <wyodlows@andromeda.rutgers.edu> wrote:

Ok let me update again (sorry for the multiple posts):

Retested in production:

libol-0.3.2 & syslog-ng-1.5.17 - works fine

libol-0.3.3 & syslog-ng-1.5.18 - build failed, untested
libol-0.3.3 & syslog-ng-1.5.19 - segfaults in production
libol-0.3.3 & syslog-ng-1.5.20 - segfaults in production
libol-0.3.3 & syslog-ng-1.5.21 - segfaults in production

libol-0.3.2 & syslog-ng-1.5.21 - segfaults in production

So, it seems the bug is in syslog-ng, introduced somewhere between 
1.5.17 and 1.5.19.  I'll see if I can get 1.5.18 to build to narrow it
down even further.