[syslog-ng] Security: syslog-ng 1.4.x and 1.5.x is vulnerable to buffer overflow
William Yodlowsky
wyodlows@andromeda.rutgers.edu
Wed, 09 Oct 2002 12:27:24 -0400
William Yodlowsky <wyodlows@andromeda.rutgers.edu> wrote:
Ok let me update again (sorry for the multiple posts):
Retested in production:
libol-0.3.2 & syslog-ng-1.5.17 - works fine
libol-0.3.3 & syslog-ng-1.5.18 - build failed, untested
libol-0.3.3 & syslog-ng-1.5.19 - segfaults in production
libol-0.3.3 & syslog-ng-1.5.20 - segfaults in production
libol-0.3.3 & syslog-ng-1.5.21 - segfaults in production
libol-0.3.2 & syslog-ng-1.5.21 - segfaults in production
So, it seems the bug is in syslog-ng, introduced somewhere between
1.5.17 and 1.5.19. I'll see if I can get 1.5.18 to build to narrow it
down even further.