[syslog-ng]Security: syslog-ng 1.4.x and 1.5.x is vulnerable to buffer overflow
Balazs Scheidler
bazsi@balabit.hu
Thu, 10 Oct 2002 10:31:17 +0200
On Wed, Oct 09, 2002 at 12:27:24PM -0400, William Yodlowsky wrote:
> William Yodlowsky <wyodlows@andromeda.rutgers.edu> wrote:
>
> Ok let me update again (sorry for the multiple posts):
>
> Retested in production:
>
> libol-0.3.2 & syslog-ng-1.5.17 - works fine
>
> libol-0.3.3 & syslog-ng-1.5.18 - build failed, untested
> libol-0.3.3 & syslog-ng-1.5.19 - segfaults in production
> libol-0.3.3 & syslog-ng-1.5.20 - segfaults in production
> libol-0.3.3 & syslog-ng-1.5.21 - segfaults in production
>
> libol-0.3.2 & syslog-ng-1.5.21 - segfaults in production
>
> So, it seems the bug is in syslog-ng, introduced somewhere between
> 1.5.17 and 1.5.19. I'll see if I can get 1.5.18 to build to narrow it
> down even further.
My suspicion is this code:
void do_destroy_afinet_dest(struct log_handler *c, struct syslog_config *cfg,
                            struct persistent_config *persistent)
{
  CAST(afinet_dest, self, c);   /* view the generic handler as an afinet_dest */
  if (self->conn_fd) {
    /* KILL_RESOURCE(&self->conn_fd->super.super); */
    closekill_fd(&self->conn_fd->super, 0);
    self->conn_fd = NULL;       /* a repeated destroy finds nothing to close */
  }
}
1.5.17 had the commented out version, anything since 1.5.18 has the
closekill_fd version.
This code path is only used _iff_ a HUP is sent to syslog-ng. Is the
segfault triggered by sending a HUP to the process, or is it simply crashing
without a HUP?
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
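The message above ties the suspect destroy routine to the HUP reload path. The following is an added example, not syslog-ng or libol code, that models that path in plain C so the two behaviours can be exercised deterministically: a destination owns one connection fd, a SIGHUP (or a direct reload() call) tears the destination down and rebuilds it, and the NULL guard in the destroy routine is what makes a second destroy harmless. The names afinet_dest_create, afinet_dest_destroy, reload, run_reload_demo and the "loghost" label are assumptions of this example; syslog-ng's CAST and closekill_fd are replaced by a plain pointer and close().

```c
/* Added example (not syslog-ng code): minimal model of a destination
 * that is destroyed and recreated on every HUP-driven reload. */
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

struct afinet_dest {
    int *conn_fd;        /* NULL when not connected (mirrors self->conn_fd) */
    const char *target;  /* hypothetical destination label */
};

static volatile sig_atomic_t hup_pending = 0;
static int destroy_calls = 0;   /* how often the destroy routine ran */
static int fds_closed = 0;      /* how many fds were actually closed */

static void on_hup(int signo) { (void)signo; hup_pending = 1; }

/* Open one "connection" (here: /dev/null stands in for the TCP socket). */
struct afinet_dest *afinet_dest_create(const char *target)
{
    struct afinet_dest *self = calloc(1, sizeof *self);
    if (!self) return NULL;
    self->target = target;
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0) { free(self); return NULL; }
    self->conn_fd = malloc(sizeof *self->conn_fd);
    if (!self->conn_fd) { close(fd); free(self); return NULL; }
    *self->conn_fd = fd;
    return self;
}

/* Mirrors the shape of do_destroy_afinet_dest: the guard plus the NULL
 * assignment make a repeated call a no-op instead of a double close. */
void afinet_dest_destroy(struct afinet_dest *self)
{
    destroy_calls++;
    if (self->conn_fd) {
        if (close(*self->conn_fd) == 0)
            fds_closed++;
        free(self->conn_fd);
        self->conn_fd = NULL;
    }
}

/* What a HUP triggers: destroy the old configuration, build the new one. */
struct afinet_dest *reload(struct afinet_dest *old, const char *target)
{
    if (old) {
        afinet_dest_destroy(old);
        free(old);
    }
    return afinet_dest_create(target);
}

/* Run N reloads, then destroy the final destination twice on purpose.
 * Returns the number of fds closed: one per create, never more. */
int run_reload_demo(int reloads)
{
    destroy_calls = 0;
    fds_closed = 0;
    struct afinet_dest *d = afinet_dest_create("loghost");
    if (!d) return -1;
    for (int i = 0; i < reloads; i++) {
        d = reload(d, "loghost");
        if (!d) return -1;
    }
    afinet_dest_destroy(d);
    afinet_dest_destroy(d);   /* second call must not close anything */
    free(d);
    return fds_closed;
}

int destroy_call_count(void) { return destroy_calls; }

int main(void)
{
    /* Deliver a real SIGHUP to ourselves and act on it exactly as a
     * daemon would: the handler only sets a flag, the main loop reloads. */
    signal(SIGHUP, on_hup);
    struct afinet_dest *d = afinet_dest_create("loghost");
    raise(SIGHUP);
    if (hup_pending) {
        hup_pending = 0;
        d = reload(d, "loghost");
    }
    afinet_dest_destroy(d);
    free(d);
    printf("destroy calls: %d, fds closed: %d\n", destroy_calls, fds_closed);
    return 0;
}
```

With three reloads the demo creates four destinations, so exactly four fds are closed even though the destroy routine runs five times; the fifth call is the deliberate repeat absorbed by the NULL guard. Running the real daemon through the same path is simply a matter of sending it SIGHUP and watching whether the crash follows.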