polynomial-c 14/10/04 09:21:57 |
|
Added: sysklogd-1.5_CVE-2014-3634.diff |
Log: |
Security bump (bug #524058). Remote syslog PRI vulnerability (CVE-2014-3634). Removed old |
|
(Portage version: 2.2.14_rc1/cvs/Linux x86_64, signed Manifest commit with key 0x981CA6FC) |
|
Revision Changes Path |
1.1 app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff?rev=1.1&content-type=text/plain |
|
Index: sysklogd-1.5_CVE-2014-3634.diff |
=================================================================== |
From 43797330e75d7d4687b7ae6926a996c3c85c2679 Mon Sep 17 00:00:00 2001 |
From: mancha <mancha1 AT zoho DOT com> |
Date: Wed, 1 Oct 2014 |
Subject: CVE-2014-3634 |
|
Rainer Gerhards, rsyslog project leader, discovered an issue in rsyslogd |
where invalid priority values can trigger DoS and potentially RCE. |
|
As his analysis reveals, the cause of the problem identified in rsyslog's |
rsyslogd also exists in sysklogd's syslogd (from which rsyslogd was forked) |
and stems from the use of a (LOG_FACMASK|LOG_PRIMASK) mask to detect invalid |
priority values. |
|
In sysklogd's syslogd, invalid priority values between 192 and 1023 (directly |
or arrived at via overflow wraparound) can propagate through code causing |
out-of-bounds access to the f_pmask array within the 'filed' structure by up |
to 104 bytes past its end. Though most likely insufficient to reach |
unallocated memory because there are around 544 bytes past f_pmask in 'filed' |
(mod packing and other differences), incorrect access of fields at higher |
positions of the 'filed' structure definition can cause unexpected behavior |
including message mis-classification, forwarding issues, message loss, |
or other. |
|
This patch imposes a restriction on PRI message parts and requires they |
be properly-delimited priority value strings that have non-negative |
numerical values not exceeding 191. As before, sysklogd's syslogd permits |
zero padding to not break compatibility with RFC-non-compliant loggers that |
issue PRIs such as <0091>. Messages without well-formed PRI parts get |
logged with priority user.notice (13). (c.f. RFC 3164) |
|
Thanks to Rainer Gerhards for the initial report and analysis. |
|
[1] http://www.rsyslog.com/remote-syslog-pri-vulnerability/ |
[2] http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/ |
|
--- |
syslogd.c | 25 +++++++++++++++++++------ |
1 file changed, 19 insertions(+), 6 deletions(-) |
|
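--- a/syslogd.c
+++ b/syslogd.c
@@ -632,6 +632,8 @@ int funix[MAXFUNIX] = { -1, };
 #define TABLE_ALLPRI 0xFF /* Value to indicate all priorities in f_pmask */
 #define LOG_MARK LOG_MAKEPRI(LOG_NFACILITIES, 0) /* mark "facility" */
 
+#define MAX_PRI 191 /* Maximum Priority per RFC 3164 */
+
 /*
 * Flags to logmsg().
 */
@@ -1491,23 +1493,34 @@ void printline(hname, msg)
 register char *p, *q;
 register unsigned char c;
 char line[MAXLINE + 1];
- int pri;
+ unsigned int pri; // Valid Priority values are 0-191
+ int prilen=0; // Track Priority value string len
+ int msglen;
 
 /* test for special codes */
+ msglen=strlen(msg);
 pri = DEFUPRI;
 p = msg;
 
 if (*p == '<') {
 pri = 0;
- while (isdigit(*++p))
- {
- pri = 10 * pri + (*p - '0');
+ while (--msglen > 0 && isdigit((unsigned char)*++p) &&
+ pri <= MAX_PRI) {
+ pri = 10 * pri + (*p - '0');
+ prilen++;
 }
- if (*p == '>')
+ if (*p == '>' && prilen)
 ++p;
+ else {
+ pri = DEFUPRI;
+ p = msg;
+ }
 }
- if (pri &~ (LOG_FACMASK|LOG_PRIMASK))
+
+ if ((pri &~ (LOG_FACMASK|LOG_PRIMASK)) || (pri > MAX_PRI)) {
 pri = DEFUPRI;
+ p = msg;
+ }
 
 memset (line, 0, sizeof(line));
 q = line;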
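Review bot: The 0-191 bound is enforced only in printline's PRI parser, while the f_pmask lookup that the commit message names as the out-of-bounds access lies outside this hunk and, going by the diffstat, is not touched. Any other path in syslogd.c that hands a priority to that lookup would still be unchecked, so it is worth confirming there is none, or repeating a range check against MAX_PRI next to the index itself. In the final test the mask term is redundant now that pri is unsigned, since the commit message says values up to 1023 pass the mask and anything above that also exceeds MAX_PRI; `if (pri > MAX_PRI) {` states the same condition. The new declarations use `//` comments in a file whose visible lines use `/* */` and K&R definitions, so `/* Valid priority values are 0-191 */` would match the surrounding style and stay acceptable to pre-C99 compilers. printline's body starts before and continues after this hunk.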