Gentoo Archives: gentoo-commits

From: "Lars Wendler (polynomial-c)" <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in app-admin/sysklogd/files: sysklogd-1.5_CVE-2014-3634.diff
Date: Sat, 04 Oct 2014 09:22:01
Message-Id: 20141004092157.968F46EC4@oystercatcher.gentoo.org
1 polynomial-c 14/10/04 09:21:57
2
3 Added: sysklogd-1.5_CVE-2014-3634.diff
4 Log:
5 Security bump (bug #524058). Remote syslog PRI vulnerability (CVE-2014-3634). Removed old
6
7 (Portage version: 2.2.14_rc1/cvs/Linux x86_64, signed Manifest commit with key 0x981CA6FC)
8
9 Revision Changes Path
10 1.1 app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff
11
12 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff?rev=1.1&view=markup
13 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff?rev=1.1&content-type=text/plain
14
15 Index: sysklogd-1.5_CVE-2014-3634.diff
16 ===================================================================
17 From 43797330e75d7d4687b7ae6926a996c3c85c2679 Mon Sep 17 00:00:00 2001
18 From: mancha <mancha1 AT zoho DOT com>
19 Date: Wed, 1 Oct 2014
20 Subject: CVE-2014-3634
21
22 Rainer Gerhards, rsyslog project leader, discovered an issue in rsyslogd
23 where invalid priority values can trigger DoS and potentially RCE.
24
25 As his analysis reveals, the cause of the problem identified in rsyslog's
26 rsyslogd also exists in sysklogd's syslogd (from which rsyslogd was forked)
27 and stems from the use of a (LOG_FACMASK|LOG_PRIMASK) mask to detect invalid
28 priority values.
29
30 In sysklogd's syslogd, invalid priority values between 192 and 1023 (directly
31 or arrived at via overflow wraparound) can propagate through code causing
32 out-of-bounds access to the f_pmask array within the 'filed' structure by up
33 to 104 bytes past its end. Though most likely insufficient to reach
34 unallocated memory because there are around 544 bytes past f_pmask in 'filed'
35 (mod packing and other differences), incorrect access of fields at higher
36 positions of the 'filed' structure definition can cause unexpected behavior
37 including message mis-classification, forwarding issues, message loss,
38 or other.
39
40 This patch imposes a restriction on PRI message parts and requires they
41 be properly-delimited priority value strings that have non-negative
42 numerical values not exceeding 191. As before, sysklogd's syslogd permits
43 zero padding to not break compatibility with RFC-non-compliant loggers that
44 issue PRIs such as <0091>. Messages without well-formed PRI parts get
45 logged with priority user.notice (13). (cf. RFC 3164)
46
47 Thanks to Rainer Gerhards for the initial report and analysis.
48
49 [1] http://www.rsyslog.com/remote-syslog-pri-vulnerability/
50 [2] http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/
51
52 ---
53 syslogd.c | 25 +++++++++++++++++++------
54 1 file changed, 19 insertions(+), 6 deletions(-)
55
56 --- a/syslogd.c
57 +++ b/syslogd.c
58 @@ -632,6 +632,8 @@ int funix[MAXFUNIX] = { -1, };
59 #define TABLE_ALLPRI 0xFF /* Value to indicate all priorities in f_pmask */
60 #define LOG_MARK LOG_MAKEPRI(LOG_NFACILITIES, 0) /* mark "facility" */
61
62 +#define MAX_PRI 191 /* Maximum Priority per RFC 3164 */
63 +
64 /*
65 * Flags to logmsg().
66 */
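Review bot: the literal 191 in the new MAX_PRI define is a magic number whose origin the comment does not show. It is the highest RFC 3164 facility (23) times 8 plus the highest severity (7); either say so in the comment or derive it from LOG_NFACILITIES, which the LOG_MARK define directly above already uses, so the bound cannot drift from the facility count the rest of the file assumes. It would also help to note next to LOG_MARK that its value sits just above MAX_PRI on purpose and must never be accepted from message input.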
67 @@ -1491,23 +1493,34 @@ void printline(hname, msg)
68 register char *p, *q;
69 register unsigned char c;
70 char line[MAXLINE + 1];
71 - int pri;
72 + unsigned int pri; // Valid Priority values are 0-191
73 + int prilen=0; // Track Priority value string len
74 + int msglen;
75
76 /* test for special codes */
77 + msglen=strlen(msg);
78 pri = DEFUPRI;
79 p = msg;
80
81 if (*p == '<') {
82 pri = 0;
83 - while (isdigit(*++p))
84 - {
85 - pri = 10 * pri + (*p - '0');
86 + while (--msglen > 0 && isdigit((unsigned char)*++p) &&
87 + pri <= MAX_PRI) {
88 + pri = 10 * pri + (*p - '0');
89 + prilen++;
90 }
91 - if (*p == '>')
92 + if (*p == '>' && prilen)
93 ++p;
94 + else {
95 + pri = DEFUPRI;
96 + p = msg;
97 + }
98 }
99 - if (pri &~ (LOG_FACMASK|LOG_PRIMASK))
100 +
101 + if ((pri &~ (LOG_FACMASK|LOG_PRIMASK)) || (pri > MAX_PRI)) {
102 pri = DEFUPRI;
103 + p = msg;
104 + }
105
106 memset (line, 0, sizeof(line));
107 q = line;
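Review bot: in the final check at the end of this hunk, the mask term no longer does any work. pri is now unsigned and, per the commit message, (LOG_FACMASK|LOG_PRIMASK) passes everything up to 1023, so every value the mask rejects is already rejected by pri > MAX_PRI; reducing the test to `if (pri > MAX_PRI) {` makes the one real bound obvious. The check itself must stay: input such as <999> leaves the loop on '>' with prilen set and pri above 191, so the earlier else branch does not catch it. Separately, `--msglen > 0` adds no bound beyond the terminating NUL that strlen(msg) already depends on (isdigit stops there), so either drop msglen or declare it size_t instead of int. The two `//` comments on the new declarations should be /* */ to match the comments in the surrounding context.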