Bug 120453
| Field | Value |
|---|---|
| Summary | syslogd memory allocation error |
| Product | [Fedora] Fedora |
| Component | sysklogd |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | medium |
| Reporter | Steve Grubb <linux_4ever> |
| Assignee | Bill Nottingham <notting> |
| QA Contact | Brian Brock <bbrock> |
| CC | rvokal |
| Fixed In Version | 1.4.1-16 |
| Doc Type | Bug Fix |
| Last Closed | 2004-05-03 21:57:49 UTC |
| Bug Blocks | 114963 |
Description
Steve Grubb
2004-04-08 21:22:39 UTC
Created attachment 99250 [details]
Patch that fixes the problem
Please apply before Fedora Core 2 final.
This should be security noted for fc1, also.

Worthy of note to fedora legacy - this applies to rhl9 and probably rhl7.3

noted and patched in fedora legacy https://bugzilla.fedora.us/show_bug.cgi?id=1553

Note that this only affects crunch_args, which AFAIK is only called via commandline args. So not as much of a security issue.

I think you underestimate this bug. The crunch list is returned to a global variable that is later used for strcmp's in the main select loop. The memory just beyond the crunch list is free to be reassigned by glibc. Eventually it will be written to and all the values change. Around line 2056 you see this code:

    while (LocalHosts[count]) {
        if (!strcmp(hp->h_name, LocalHosts[count])) {
            *p = '\0';
            return (hp->h_name);
        }
        count++;
    }

Guess what happens when you do a strcmp with a random number as a pointer? With syslogd down, a lot of strange activity won't get recorded. People count on syslog to help provide an audit trail if something bad happens. It's such a simple bug to fix...please apply the patch. Admittedly, you have to be using the -l or -s option, but why risk it?

What I'm saying is that if it's only invoked on the commandline, then anyone maliciously invoking it already has root. A version of the patch will be applied, I'm just not seeing how it's a security vulnerability in and of itself.

Fixed in 1.4.1-16.

An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-348.html

An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-335.html
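The lookup loop quoted in the thread stops only at a NULL entry, so whatever builds the host list has to allocate room for that terminator and set it. The following is an added example, not sysklogd's code or the attached patch: it builds a NULL-terminated list from a colon-separated value of the kind the -l and -s options take and walks it the same way. `split_list`, `in_list`, `list_len` and `free_list` are hypothetical names, and the host names used with it are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Free a NULL-terminated list built by split_list(). */
void free_list(char **list)
{
    size_t i;
    if (list == NULL) return;
    for (i = 0; list[i] != NULL; i++) free(list[i]);
    free(list);
}

/* Hypothetical helper: split "a:b:c" into a NULL-terminated array of copies. */
char **split_list(const char *arg)
{
    size_t count = 1, n = 0;
    const char *p;
    char **list;

    if (arg == NULL) return NULL;
    for (p = arg; *p; p++)
        if (*p == ':') count++;          /* upper bound on number of fields */

    /* count + 1 slots: one extra for the terminator. calloc checks the
     * count * size multiplication and zero-fills, so every slot that is
     * never written already reads as NULL. */
    list = calloc(count + 1, sizeof(*list));
    if (list == NULL) return NULL;

    for (p = arg; *p; ) {
        size_t len = strcspn(p, ":");
        if (len > 0) {                   /* skip empty fields such as "a::b" */
            char *s = malloc(len + 1);
            if (s == NULL) { free_list(list); return NULL; }
            memcpy(s, p, len);
            s[len] = '\0';
            list[n++] = s;               /* n never exceeds count */
        }
        p += len;
        if (*p == ':') p++;
    }
    return list;                         /* list[n] is the NULL terminator */
}

/* Number of entries before the terminator. */
size_t list_len(char **list)
{
    size_t i = 0;
    while (list != NULL && list[i] != NULL) i++;
    return i;
}

/* Same shape as the quoted loop: compare until the NULL terminator. */
int in_list(char **list, const char *name)
{
    size_t i;
    if (list == NULL || name == NULL) return 0;
    for (i = 0; list[i] != NULL; i++)
        if (strcmp(name, list[i]) == 0) return 1;
    return 0;
}
```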