diff --git a/sysklogd/.md5sum b/sysklogd/.md5sum
index 58f46c54..b0bf5206 100644
--- a/sysklogd/.md5sum
+++ b/sysklogd/.md5sum
@@ -1,5 +1,6 @@
 41dfad9077311e159c793216adf90723 rotatelog
 a1bb71ed6b0ce791cb7f9fa0089a09ef sysklogd
 e053094e8103165f98ddafe828f6ae4b sysklogd-1.5.tar.gz
+b87e652115b7b2d0cd1615a2323fcfbe sysklogd-1.5_CVE-2014-3634.diff
 844e5e75944beb8cf4f39a0535e56ba4 syslog
 f8d478b8d60c1d3879f4a10a955db6e5 syslog.conf
diff --git a/sysklogd/Pkgfile b/sysklogd/Pkgfile
index cd76fce4..379b8caa 100644
--- a/sysklogd/Pkgfile
+++ b/sysklogd/Pkgfile
@@ -4,13 +4,17 @@
 name=sysklogd
 version=1.5
-release=5
+release=6
 source=(http://www.ibiblio.org/pub/Linux/system/daemons/$name-$version.tar.gz \
- rotatelog syslog syslog.conf sysklogd)
+ rotatelog syslog syslog.conf sysklogd
+ $name-${version}_CVE-2014-3634.diff)
 build() {
 cd $name-$version
+ # http://seclists.org/oss-sec/2014/q4/79
+ patch -p1 -i $SRC/$name-${version}_CVE-2014-3634.diff
+
 # don't try to fclose(NULL)
 sed -i -e '192d' ksym_mod.c
diff --git a/sysklogd/sysklogd-1.5_CVE-2014-3634.diff b/sysklogd/sysklogd-1.5_CVE-2014-3634.diff
new file mode 100644
index 00000000..bc64756f
--- /dev/null
+++ b/sysklogd/sysklogd-1.5_CVE-2014-3634.diff
@@ -0,0 +1,91 @@
+From 43797330e75d7d4687b7ae6926a996c3c85c2679 Mon Sep 17 00:00:00 2001
+From: mancha
+Date: Wed, 1 Oct 2014
+Subject: CVE-2014-3634
+
+Rainer Gerhards, rsyslog project leader, discovered an issue in rsyslogd
+where invalid priority values can trigger DoS and potentially RCE.
+
+As his analysis reveals, the cause of the problem identified in rsyslog's
+rsyslogd also exists in sysklogd's syslogd (from which rsyslogd was forked)
+and stems from the use of a (LOG_FACMASK|LOG_PRIMASK) mask to detect invalid
+priority values.
+
+In sysklogd's syslogd, invalid priority values between 192 and 1023 (directly
+or arrived at via overflow wraparound) can propagate through code causing
+out-of-bounds access to the f_pmask array within the 'filed' structure by up
+to 104 bytes past its end. Though most likely insufficient to reach
+unallocated memory because there are around 544 bytes past f_pmask in 'filed'
+(mod packing and other differences), incorrect access of fields at higher
+positions of the 'filed' structure definition can cause unexpected behavior
+including message mis-classification, forwarding issues, message loss,
+or other.
+
+This patch imposes a restriction on PRI message parts and requires they
+be properly-delimited priority value strings that have non-negative
+numerical values not exceeding 191. As before, sysklogd's syslogd permits
+zero padding to not break compatibility with RFC-non-compliant loggers that
+issue PRIs such as <0091>. Messages without well-formed PRI parts get
+logged with priority user.notice (13). (c.f. RFC 3164)
+
+Thanks to Rainer Gerhards for the initial report and analysis.
+
+[1] http://www.rsyslog.com/remote-syslog-pri-vulnerability/
+[2] http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/
+
+---
+ syslogd.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/syslogd.c
++++ b/syslogd.c
+@@ -632,6 +632,8 @@ int funix[MAXFUNIX] = { -1, };
+ #define TABLE_ALLPRI 0xFF /* Value to indicate all priorities in f_pmask */
+ #define LOG_MARK LOG_MAKEPRI(LOG_NFACILITIES, 0) /* mark "facility" */
+
++#define MAX_PRI 191 /* Maximum Priority per RFC 3164 */
++
+ /*
+ * Flags to logmsg().
+ */
+@@ -1491,23 +1493,34 @@ void printline(hname, msg)
+ register char *p, *q;
+ register unsigned char c;
+ char line[MAXLINE + 1];
+- int pri;
++ unsigned int pri; // Valid Priority values are 0-191
++ int prilen=0; // Track Priority value string len
++ int msglen;
+
+ /* test for special codes */
++ msglen=strlen(msg);
+ pri = DEFUPRI;
+ p = msg;
+
+ if (*p == '<') {
+ pri = 0;
+- while (isdigit(*++p))
+- {
+- pri = 10 * pri + (*p - '0');
++ while (--msglen > 0 && isdigit((unsigned char)*++p) &&
++ pri <= MAX_PRI) {
++ pri = 10 * pri + (*p - '0');
++ prilen++;
+ }
+- if (*p == '>')
++ if (*p == '>' && prilen)
+ ++p;
++ else {
++ pri = DEFUPRI;
++ p = msg;
++ }
+ }
+- if (pri &~ (LOG_FACMASK|LOG_PRIMASK))
++
++ if ((pri &~ (LOG_FACMASK|LOG_PRIMASK)) || (pri > MAX_PRI)) {
+ pri = DEFUPRI;
++ p = msg;
++ }
+
+ memset (line, 0, sizeof(line));
+ q = line;
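Review bot: `MAX_PRI` is hard-coded as 191 in the added `#define`, so the bound that now protects the f_pmask lookup is only correct while it happens to match the facility count. Deriving it from the constant the file already uses, `#define MAX_PRI ((LOG_NFACILITIES << 3) - 1)`, keeps the parser limit and the table size tied together; the declaration of f_pmask is outside the hunk, so confirm it is dimensioned from LOG_NFACILITIES. The check also lives only in printline(): if logmsg(), which is not shown here, indexes f_pmask with a facility taken from pri, a range check at that point would cover any other caller that builds a priority. The two new `//` comments differ from the `/* */` style used in the surrounding context lines.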