[syslog-ng]Security: syslog-ng 1.4.x and 1.5.x is vulnerable to buffer overflow

Balazs Scheidler bazsi@balabit.hu
Fri, 27 Sep 2002 16:16:24 +0200


I'm writing this mail to announce that syslog-ng 1.4.x and 1.5.x are both
vulnerable to a buffer overflow. Exploiting the bug needs a site-specific
exploit to be written, as the way the buffer is overwritten depends on the
local configuration file.

The buffer overflow can be triggered when templated output files or filename
templates are used.

Everybody is urged to upgrade to 1.4.16 or 1.5.21; these are available at
the usual place, http://www.balabit.hu/en/downloads/syslog-ng/downloads/

The bug was found by me, so possibly nobody else knows the details. Of
course diffing the new version with the previous one unveils the problem.

A Bugtraq announcement will be sent out soon. A Debian package has been
released and accepted (though mirrors need time to get the new one).

ps: sigh, this was my first BoF :(

PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
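
An exposure check built from the two facts in the announcement above (the affected branches with their fixed releases, and template use as the trigger), as an added example that is not part of the original mail or of syslog-ng. The function names and the sample configuration are constructed for illustration, and the matching is a line-based approximation of the configuration syntax.

```python
import re

# Fixed releases named in the announcement, keyed by (major, minor) branch.
FIXED = {(1, 4): 16, (1, 5): 21}

# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = r'''
source s_local { unix-stream("/dev/log"); internal(); };
destination d_plain { file("/var/log/messages"); };
destination d_host { file("/var/log/hosts/$HOST/$FACILITY.log"); };
destination d_fmt { file("/var/log/fmt.log" template("$DATE $HOST $MSG\n")); };
# destination d_old { file("/var/log/$YEAR.log"); };
log { source(s_local); destination(d_host); };
'''

def is_affected_version(version):
    """True if version is on the 1.4.x or 1.5.x branch and older than its fix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed

def template_uses(conf_text):
    """Return (line_no, reason, line) for each template-related construct."""
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = re.sub(r"#.*$", "", raw)  # drop comments (naive: ignores '#' in strings)
        if re.search(r"\btemplate\s*\(", line):
            hits.append((no, "template() option", raw.strip()))
        elif re.search(r'\bfile\s*\(\s*"[^"]*\$', line):
            hits.append((no, "macro in file name", raw.strip()))
    return hits

def exposed(version, conf_text):
    """Affected release AND a configuration that uses templates."""
    return is_affected_version(version) and bool(template_uses(conf_text))

if __name__ == "__main__":
    for version in ("1.4.15", "1.5.20", "1.5.21"):
        print(version, "exposed" if exposed(version, SAMPLE_CONF) else "not exposed")
    for no, reason, line in template_uses(SAMPLE_CONF):
        print(f"line {no}: {reason}: {line}")
```

A host that reports "not exposed" only because its configuration has no templates is still running an affected release and should be upgraded as the announcement asks.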