polynomial-c 14/10/04 09:21:57 Added: sysklogd-1.5_CVE-2014-3634.diff Log: Security bump (bug #524058). Remote syslog PRI vulnerability (CVE-2014-3634). Removed old (Portage version: 2.2.14_rc1/cvs/Linux x86_64, signed Manifest commit with key 0x981CA6FC)
Revision Changes Path 1.1 app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff?rev=1.1&content-type=text/plain Index: sysklogd-1.5_CVE-2014-3634.diff =================================================================== >From 43797330e75d7d4687b7ae6926a996c3c85c2679 Mon Sep 17 00:00:00 2001 From: mancha <mancha1 AT zoho DOT com> Date: Wed, 1 Oct 2014 Subject: CVE-2014-3634 Rainer Gerhards, rsyslog project leader, discovered an issue in rsyslogd where invalid priority values can trigger DoS and potentially RCE. As his analysis reveals, the cause of the problem identified in rsyslog's rsyslogd also exists in sysklogd's syslogd (from which rsyslogd was forked) and stems from the use of a (LOG_FACMASK|LOG_PRIMASK) mask to detect invalid priority values. In sysklogd's syslogd, invalid priority values between 192 and 1023 (directly or arrived at via overflow wraparound) can propagate through code causing out-of-bounds access to the f_pmask array within the 'filed' structure by up to 104 bytes past its end. Though most likely insufficient to reach unallocated memory because there are around 544 bytes past f_pmask in 'filed' (mod packing and other differences), incorrect access of fields at higher positions of the 'filed' structure definition can cause unexpected behavior including message mis-classification, forwarding issues, message loss, or other. This patch imposes a restriction on PRI message parts and requires they be properly-delimited priority value strings that have non-negative numerical values not exceeding 191. As before, sysklogd's syslogd permits zero padding to not break compatibility with RFC-non-compliant loggers that issue PRIs such as <0091>. Messages without well-formed PRI parts get logged with priority user.notice (13). (c.f. RFC 3164) Thanks to Rainer Gerhards for the initial report and analysis. [1] http://www.rsyslog.com/remote-syslog-pri-vulnerability/ [2] http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/ --- syslogd.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) --- a/syslogd.c +++ b/syslogd.c @@ -632,6 +632,8 @@ int funix[MAXFUNIX] = { -1, }; #define TABLE_ALLPRI 0xFF /* Value to indicate all priorities in f_pmask */ #define LOG_MARK LOG_MAKEPRI(LOG_NFACILITIES, 0) /* mark "facility" */ +#define MAX_PRI 191 /* Maximum Priority per RFC 3164 */ + /* * Flags to logmsg(). */ @@ -1491,23 +1493,34 @@ void printline(hname, msg) register char *p, *q; register unsigned char c; char line[MAXLINE + 1]; - int pri; + unsigned int pri; // Valid Priority values are 0-191 + int prilen=0; // Track Priority value string len + int msglen; /* test for special codes */ + msglen=strlen(msg); pri = DEFUPRI; p = msg; if (*p == '<') { pri = 0; - while (isdigit(*++p)) - { - pri = 10 * pri + (*p - '0'); + while (--msglen > 0 && isdigit((unsigned char)*++p) && + pri <= MAX_PRI) { + pri = 10 * pri + (*p - '0'); + prilen++; } - if (*p == '>') + if (*p == '>' && prilen) ++p; + else { + pri = DEFUPRI; + p = msg; + } } - if (pri &~ (LOG_FACMASK|LOG_PRIMASK)) + + if ((pri &~ (LOG_FACMASK|LOG_PRIMASK)) || (pri > MAX_PRI)) { pri = DEFUPRI; + p = msg; + } memset (line, 0, sizeof(line)); q = line;
