Your message dated Sun, 23 Nov 2008 21:17:12 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#505791: fixed in syslog-ng 2.0.9-4.1
has caused the Debian Bug report #505791,
regarding syslog-ng doesn't chdir before chroot
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
505791: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: syslog-ng
Version: 2.0.9-1ubuntu3
Severity: grave
Tags: security
Justification: user security hole
I have not had the time to analyze all of syslog-ng code. But by reading
the code section near the chroot call and looking at strace results I
believe that syslog-ng does not chdir to the chroot jail's location
before chrooting into it.
This opens up ways to work around the chroot jail.
See http://www.unixwiz.net/techtips/chroot-practices.html
(especially the point "Explicitly chdir into the jail")
I'll see whether I can provide a patch at a later stage.
-- System Information:
syslog-ng V2.0.9
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: syslog-ng
Source-Version: 2.0.9-4.1
We believe that the bug you reported is fixed in the latest version of
syslog-ng, which is due to be installed in the Debian FTP archive:
syslog-ng_2.0.9-4.1.diff.gz
  to pool/main/s/syslog-ng/syslog-ng_2.0.9-4.1.diff.gz
syslog-ng_2.0.9-4.1.dsc
  to pool/main/s/syslog-ng/syslog-ng_2.0.9-4.1.dsc
syslog-ng_2.0.9-4.1_i386.deb
  to pool/main/s/syslog-ng/syslog-ng_2.0.9-4.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Hutchings <[EMAIL PROTECTED]> (supplier of updated syslog-ng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 23 Nov 2008 20:26:06 +0000
Source: syslog-ng
Binary: syslog-ng
Architecture: source i386
Version: 2.0.9-4.1
Distribution: unstable
Urgency: high
Maintainer: SZALAY Attila <[EMAIL PROTECTED]>
Changed-By: Ben Hutchings <[EMAIL PROTECTED]>
Description:
 syslog-ng - Next generation logging daemon
Closes: 477223 505791 505797
Changes:
 syslog-ng (2.0.9-4.1) unstable; urgency=high
 .
   * Non-maintainer upload; high priority due to the following security fix.
   * Add chdir() before chroot(), and exit if either fails. (Closes: #505791)
   * Fix typo in postrm. (Closes: #505797)
   * Fix path to DocBook XML DTD. (Closes: #477223)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJKcaB79ZNCRIGYgcRAiWHAJwI9c1JWviD1JSsttJCUtiJsUhH9ACfWn25
Ak39nZD/M0axHNq/wVxSYrk=
=Z9Sv
-----END PGP SIGNATURE-----
--- End Message ---
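The fix named in the changelog above ("Add chdir() before chroot(), and exit if either fails"), written out as an added C example. It is not part of the original messages and is not syslog-ng's own code; enter_jail(), its status codes and the /var/empty default are hypothetical names chosen for illustration.

```c
/* Added example: enter a chroot jail with the working directory inside it. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* exposes chroot() in glibc's <unistd.h> */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum jail_status { JAIL_OK = 0, JAIL_ERR_CHDIR = 1, JAIL_ERR_CHROOT = 2 };

/* Hypothetical helper. Order matters: chdir() into the jail first so the
 * working directory cannot be left pointing outside the new root, then
 * chroot(".") (no second path lookup), then chdir("/") to normalise cwd.
 * Every step is checked; the caller must exit on any non-zero status. */
enum jail_status enter_jail(const char *jail_dir)
{
    if (jail_dir == NULL) { errno = EINVAL; return JAIL_ERR_CHDIR; }
    if (chdir(jail_dir) != 0) return JAIL_ERR_CHDIR;
    if (chroot(".") != 0)     return JAIL_ERR_CHROOT;
    if (chdir("/") != 0)      return JAIL_ERR_CHDIR;
    return JAIL_OK;
}

/* Post-condition check: 1 if the working directory resolves to "/". */
int cwd_is_root(void)
{
    char buf[4096];
    return getcwd(buf, sizeof buf) != NULL && strcmp(buf, "/") == 0;
}

int main(int argc, char **argv)
{
    /* "/var/empty" is a constructed default; pass the real jail as argv[1]. */
    const char *dir = argc > 1 ? argv[1] : "/var/empty";
    enum jail_status st = enter_jail(dir);

    if (st != JAIL_OK) {           /* fail closed: never run unjailed */
        fprintf(stderr, "jail %s: %s failed: %s\n", dir,
                st == JAIL_ERR_CHDIR ? "chdir" : "chroot", strerror(errno));
        return EXIT_FAILURE;
    }
    if (!cwd_is_root()) return EXIT_FAILURE;
    puts("jailed; cwd is /");
    return EXIT_SUCCESS;
}
```

chroot() needs root (CAP_SYS_CHROOT on Linux), so an unprivileged run exits with the chroot error rather than continuing outside the jail.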