sysklogd: update to 1.5.1
parent
4572183b7b
commit
520dab34ad
@ -1,6 +1,5 @@
|
||||
41dfad9077311e159c793216adf90723 rotatelog
|
||||
a1bb71ed6b0ce791cb7f9fa0089a09ef sysklogd
|
||||
e053094e8103165f98ddafe828f6ae4b sysklogd-1.5.tar.gz
|
||||
b87e652115b7b2d0cd1615a2323fcfbe sysklogd-1.5_CVE-2014-3634.diff
|
||||
c70599ab0d037fde724f7210c2c8d7f8 sysklogd-1.5.1.tar.gz
|
||||
844e5e75944beb8cf4f39a0535e56ba4 syslog
|
||||
f8d478b8d60c1d3879f4a10a955db6e5 syslog.conf
|
||||
|
@ -3,21 +3,14 @@
|
||||
# Maintainer: CRUX System Team, core-ports at crux dot nu
|
||||
|
||||
name=sysklogd
|
||||
version=1.5
|
||||
release=6
|
||||
source=(http://www.ibiblio.org/pub/Linux/system/daemons/$name-$version.tar.gz \
|
||||
rotatelog syslog syslog.conf sysklogd
|
||||
$name-${version}_CVE-2014-3634.diff)
|
||||
version=1.5.1
|
||||
release=1
|
||||
source=(http://www.infodrom.org/projects/$name/download/$name-$version.tar.gz \
|
||||
rotatelog syslog syslog.conf sysklogd)
|
||||
|
||||
build() {
|
||||
cd $name-$version
|
||||
|
||||
# http://seclists.org/oss-sec/2014/q4/79
|
||||
patch -p1 -i $SRC/$name-${version}_CVE-2014-3634.diff
|
||||
|
||||
# don't try to fclose(NULL)
|
||||
sed -i -e '192d' ksym_mod.c
|
||||
|
||||
mkdir -p $PKG/usr/sbin \
|
||||
$PKG/etc/{cron/weekly,rc.d} \
|
||||
$PKG/var/log \
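Review bot: The `patch -p1 -i $SRC/$name-${version}_CVE-2014-3634.diff` step and the `sed -i -e '192d' ksym_mod.c` workaround are dropped from build() with nothing in the Pkgfile or the commit message recording that 1.5.1 carries both fixes. Presumably it does, but that should be confirmed against the 1.5.1 sources before relying on it: look for a PRI upper-bound check such as `pri > MAX_PRI` in printline() in syslogd.c, and for the fclose(NULL) path in ksym_mod.c. Once confirmed, a one-line comment above `cd $name-$version`, e.g. `# CVE-2014-3634 and the ksym_mod.c fclose(NULL) fix are included upstream in this release`, would keep the audit trail. Separately, the new `source=` URL is plain `http://` and the only integrity check visible on the page is the MD5 entry, which does not resist deliberate collisions, so a stronger digest or a signature check would be worth adding if the ports tooling supports one. build() continues past the end of this hunk.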
|
||||
|
@ -1,91 +0,0 @@
|
||||
From 43797330e75d7d4687b7ae6926a996c3c85c2679 Mon Sep 17 00:00:00 2001
|
||||
From: mancha <mancha1 AT zoho DOT com>
|
||||
Date: Wed, 1 Oct 2014
|
||||
Subject: CVE-2014-3634
|
||||
|
||||
Rainer Gerhards, rsyslog project leader, discovered an issue in rsyslogd
|
||||
where invalid priority values can trigger DoS and potentially RCE.
|
||||
|
||||
As his analysis reveals, the cause of the problem identified in rsyslog's
|
||||
rsyslogd also exists in sysklogd's syslogd (from which rsyslogd was forked)
|
||||
and stems from the use of a (LOG_FACMASK|LOG_PRIMASK) mask to detect invalid
|
||||
priority values.
|
||||
|
||||
In sysklogd's syslogd, invalid priority values between 192 and 1023 (directly
|
||||
or arrived at via overflow wraparound) can propagate through code causing
|
||||
out-of-bounds access to the f_pmask array within the 'filed' structure by up
|
||||
to 104 bytes past its end. Though most likely insufficient to reach
|
||||
unallocated memory because there are around 544 bytes past f_pmask in 'filed'
|
||||
(mod packing and other differences), incorrect access of fields at higher
|
||||
positions of the 'filed' structure definition can cause unexpected behavior
|
||||
including message mis-classification, forwarding issues, message loss,
|
||||
or other.
|
||||
|
||||
This patch imposes a restriction on PRI message parts and requires they
|
||||
be properly-delimited priority value strings that have non-negative
|
||||
numerical values not exceeding 191. As before, sysklogd's syslogd permits
|
||||
zero padding to not break compatibility with RFC-non-compliant loggers that
|
||||
issue PRIs such as <0091>. Messages without well-formed PRI parts get
|
||||
logged with priority user.notice (13). (c.f. RFC 3164)
|
||||
|
||||
Thanks to Rainer Gerhards for the initial report and analysis.
|
||||
|
||||
[1] http://www.rsyslog.com/remote-syslog-pri-vulnerability/
|
||||
[2] http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/
|
||||
|
||||
---
|
||||
syslogd.c | 25 +++++++++++++++++++------
|
||||
1 file changed, 19 insertions(+), 6 deletions(-)
|
||||
|
||||
--- a/syslogd.c
|
||||
+++ b/syslogd.c
|
||||
@@ -632,6 +632,8 @@ int funix[MAXFUNIX] = { -1, };
|
||||
#define TABLE_ALLPRI 0xFF /* Value to indicate all priorities in f_pmask */
|
||||
#define LOG_MARK LOG_MAKEPRI(LOG_NFACILITIES, 0) /* mark "facility" */
|
||||
|
||||
+#define MAX_PRI 191 /* Maximum Priority per RFC 3164 */
|
||||
+
|
||||
/*
|
||||
* Flags to logmsg().
|
||||
*/
|
||||
@@ -1491,23 +1493,34 @@ void printline(hname, msg)
|
||||
register char *p, *q;
|
||||
register unsigned char c;
|
||||
char line[MAXLINE + 1];
|
||||
- int pri;
|
||||
+ unsigned int pri; // Valid Priority values are 0-191
|
||||
+ int prilen=0; // Track Priority value string len
|
||||
+ int msglen;
|
||||
|
||||
/* test for special codes */
|
||||
+ msglen=strlen(msg);
|
||||
pri = DEFUPRI;
|
||||
p = msg;
|
||||
|
||||
if (*p == '<') {
|
||||
pri = 0;
|
||||
- while (isdigit(*++p))
|
||||
- {
|
||||
- pri = 10 * pri + (*p - '0');
|
||||
+ while (--msglen > 0 && isdigit((unsigned char)*++p) &&
|
||||
+ pri <= MAX_PRI) {
|
||||
+ pri = 10 * pri + (*p - '0');
|
||||
+ prilen++;
|
||||
}
|
||||
- if (*p == '>')
|
||||
+ if (*p == '>' && prilen)
|
||||
++p;
|
||||
+ else {
|
||||
+ pri = DEFUPRI;
|
||||
+ p = msg;
|
||||
+ }
|
||||
}
|
||||
- if (pri &~ (LOG_FACMASK|LOG_PRIMASK))
|
||||
+
|
||||
+ if ((pri &~ (LOG_FACMASK|LOG_PRIMASK)) || (pri > MAX_PRI)) {
|
||||
pri = DEFUPRI;
|
||||
+ p = msg;
|
||||
+ }
|
||||
|
||||
memset (line, 0, sizeof(line));
|
||||
q = line;
|