[8586] in bugtraq


Re: [Linux] klogd 1.3-22 buffer overflow

daemon@ATHENA.MIT.EDU (Martin Schulze)
Tue Nov 17 17:22:11 1998

Date: 	Tue, 17 Nov 1998 22:45:44 +0100
Reply-To: Martin Schulze <joey@infodrom.north.de>
From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.4.00.9809101023330.545-100000@lcamtuf.ids.pl>; from
              Michal Zalewski on Thu, Sep 10, 1998 at 10:26:06AM +0200


I'm the co-maintainer of the Linux sysklogd package which contains the
klogd program for which a buffer overrun has been reported last week.

First of all I'd like to complain about two things:

 a) The reports weren't made against the current version of the
    package.  The source for it is well known on sunsite.unc.edu as
    well as various mirrors.

    When reporting security related bugs you should *always* try to
    use the current version of a package instead of an ancient old
    one.

 b) Again the authors/maintainers of the package in question weren't
    notified and had to be informed through third parties.  This is
    not a good style.  (however I could imagine that this could be due
    to a))

Now returning to the main problem.

Michal Zalewski <lcamtuf@IDS.PL> has found a buffer overrun in a
version of klogd.  I have investigated this last week and wasn't able
to reproduce it nor able to find the problematic piece of code.
Instead of that I found a well-thought-out parser with an anti-overrun
mechanism.

Going through the changelog entries I also found a note about a
possible overrun at the location Michal has reported.  I dare to say,
but this bug was fixed *two* years ago:

 * Tue Nov 19 10:15:36 PST 1996: Leland Olds <olds@eskimo.com>
 *      Corrected vulnerability to buffer overruns by rewriting LogLine
 *      routine.  Obscenely long kernel messages will now be broken up
 *      into lines no longer than LOG_LINE_LENGTH.
 *
 *      The last version of LogLine was vulnerable to buffer overruns:
 *      - Kernel messages longer than LOG_LINE_LENGTH caused a buffer
 *        overrun.
 *      - If a line was determined to be shorter than LOG_LINE_LENGTH,
 *        the routine "ExpandKadds" could cause the line grow by
 *        an unknown amount and overrun a buffer.
 *      I turned these routines into a little parsing state machine that
 *      should not have these problems.

With this information I've contacted Michal without receiving an
answer as well as some of the contributors who seem to have found /
fixed the bug.  I'm ashamed to admit that responses were far less than
I would have expected.

Anyway, the current version of klogd which comes with sysklogd is
*not* vulnerable to the overrun in question.

You'll find current versions of the sysklogd package at

        ftp://ftp.infodrom.north.de/pub/people/joey/sysklogd/

Additionally the most recent stable version may also be found on
SunSITE at

        ftp://sunsite.unc/edu/pub/Linux/system/daemons/

Thanks for the attention,

        Joey

-- 
GNU GPL: "The source will be with you... always."

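The changelog entry quoted in the message describes the fix as a small parsing state machine that breaks overlong kernel messages into lines no longer than LOG_LINE_LENGTH instead of letting them grow an unbounded buffer. The following is an added illustration of that technique in C, written for this page and not sysklogd's own LogLine code; LOG_LINE_LENGTH is set to a hypothetical small value of 16 so the chunking is visible, and the function and struct names are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define LOG_LINE_LENGTH 16  /* hypothetical small limit so chunking is visible */

struct line_parser {
    char   buf[LOG_LINE_LENGTH + 1];  /* fixed staging buffer, never grows */
    size_t fill;                      /* bytes currently in buf */
    size_t lines;                     /* lines emitted so far */
    size_t longest;                   /* longest emitted line, <= LOG_LINE_LENGTH */
    char   last[LOG_LINE_LENGTH + 1]; /* copy of the most recent line */
};

void line_parser_init(struct line_parser *p) { memset(p, 0, sizeof *p); }

/* Hand a completed line on; here it is only recorded (klogd would log it). */
static void emit(struct line_parser *p) {
    p->buf[p->fill] = '\0';
    memcpy(p->last, p->buf, p->fill + 1);
    if (p->fill > p->longest) p->longest = p->fill;
    p->lines++;
    p->fill = 0;
}

/* Feed kernel text of any length. A line is emitted at '\n' or as soon as the
 * buffer holds LOG_LINE_LENGTH bytes, so the write index can never pass the
 * end of buf no matter how long the input is. Returns lines emitted here. */
size_t log_line(struct line_parser *p, const char *msg, size_t len) {
    size_t before = p->lines;
    for (size_t i = 0; i < len; i++) {
        if (msg[i] == '\n') {               /* end of a kernel line */
            if (p->fill) emit(p);
            continue;
        }
        if (p->fill == LOG_LINE_LENGTH)     /* full: split and keep going */
            emit(p);
        p->buf[p->fill++] = msg[i];
    }
    return p->lines - before;
}

/* Flush a trailing partial line (end of a read without a newline). */
size_t log_line_flush(struct line_parser *p) {
    if (p->fill == 0) return 0;
    emit(p);
    return 1;
}
```

Feeding a short line followed by a 40-byte line with no newline yields three lines from log_line and one more from log_line_flush, and the longest emitted line never exceeds LOG_LINE_LENGTH.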
