TUCoPS :: BSD :: syslog.htm

FreeBSD Syslog-ng up to 1.4.8 possible DoS



    Versions prior to and including 1.4.8


    Balazs  Scheidler  (BalaBit  security  advisory)  found following.
    syslog-ng is  a portable  syslog implementation.   Its  highlights
    include regexp based log selection,  TCP transport and more.   For
    more information:


    When  syslog-ng  parses  log  messages  a variable named "left" is
    used  to  store  the  remaining  length  of  the log message.  The
    priority part in the message should look like this:


    When the line  ends without the  closing '>' this  "left" variable
    becomes -1 due a to a bug.

    The  remaining  part  of  the  message  parsing  routine checks if
    there's any characters left using the condition: left != 0,  since
    -1 is not 0, this condition evaluates to true.

    Syslog-ng versions after  1.4.7 filters out  \r and \n  characters
    from  log  messages  and  replaces  them  with  spaces  to   avoid
    cluttering  logfiles.  Due  to  a  problem  in  the parsing of log
    messages,  this  character  change  may access unaccessible memory
    region. This  causes a  segmentation fault.   So sending  a  "<6",
    terminated with a  newline to one  of the input  channels causes a

    Prior  to  1.4.7,  this  character  change was not implemented, so
    mounting a DoS  attack is not  so trivial, but  is still possible.
    (it's left to the reader as an exercise).  It is believed that  no
    other exploitation is possible.

    Sending a carefully crafted  syslog packet may cause  syslog-ng to
    exit with a Segmentation Fault.


    Upgrade  syslog-ng  to  1.4.9,  which  is  a security upgrade, and
    changes nothing compared to 1.4.8 or apply this patch:

    diff -urN syslog-ng-1.4.8/src/log.c syslog-ng-1.4.9/src/log.c
    --- syslog-ng-1.4.8/src/log.c   Tue Oct 10 15:05:52 2000
    +++ syslog-ng-1.4.9/src/log.c   Wed Nov 22 16:45:11 2000
    @@ -67,8 +67,10 @@
                    lm->pri = pri;
    -               src++;
    -               left--;
    +               if (left) {
    +                       src++;
    +                       left--;
    +               }
            else {
                    lm->pri = LOG_USER | LOG_NOTICE;

    For FreeBSD:


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH