Bug#644611: Re : Bug#644611: CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function

2011-10-10 Thread emeric boit
 

 As said, I agreed with Nico that this issue is not grave enough to be handled
 via a security upload, but will be done via a regular stable release update.
 Uploads for the next stable release are no longer accepted, so it will have to
 go into the next one.
 
 I also don't think severity grave is justified, so downgrading.
 
 
 Cheers,
 Michael
 
 -- 
 Why is it that all of the instruments seeking intelligent life in the
 universe are pointed away from Earth?


OK, thanks for your feedback.

Emeric.




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#644611: CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function

2011-10-09 Thread emeric boit
 From: Michael Biebl bi...@debian.org
 Subject: Re: Bug#644611: CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function
 To: emeric boit emericb...@yahoo.fr, 644...@bugs.debian.org
 Date: Friday, 7 October 2011, 18:44
 On 07.10.2011 12:55, emeric boit wrote:
  Package: rsyslog
  Version: 4.6.4-2
  Severity: grave
  Tags: security
  
  CVE description:
  Stack-based buffer overflow in the parseLegacySyslogMsg function in
  tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0
  through 5.8.4 might allow remote attackers to cause a denial of service
  (application exit) via a long TAG in a legacy syslog message.
  
  Security Bug Tracker : http://security-tracker.debian.org/tracker/CVE-2011-3200
  RedHat bug : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3200
  Ubuntu Bug : http://www.ubuntu.com/usn/usn-1224-1
  
  I've attached the patch based on Ubuntu and RedHat patch.
 
 TTBOMK this only affects rsyslog if it was compiled with SSP, which the version
 in squeeze isn't. Have you information that this is not the case?
 It also only affects rsyslog if you enable remote logging.
 
 That said, Nico Golde asked me to handle that via a stable upload.
 
 Michael
 -- 
 Why is it that all of the instruments seeking intelligent life in the
 universe are pointed away from Earth?
 

It's true that with no SSP, no fatal problem seems to occur and the tag character is
usually just truncated. But I think that even if SSP isn't in Squeeze by default, the
problem must be corrected.

Emeric.






Bug#644611: CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function

2011-10-07 Thread emeric boit
Package: rsyslog
Version: 4.6.4-2
Severity: grave
Tags: security

CVE description:
Stack-based buffer overflow in the parseLegacySyslogMsg function in 
tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0 
through 5.8.4 might allow remote attackers to cause a denial of service
(application exit) via a long TAG in a legacy syslog message.

Security Bug Tracker : http://security-tracker.debian.org/tracker/CVE-2011-3200
RedHat bug : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3200
Ubuntu Bug : http://www.ubuntu.com/usn/usn-1224-1

I've attached the patch based on Ubuntu and RedHat patch.


03-CVE-2011-3200.patch
Description: Binary data