Date: Tue, 17 Nov 1998 22:45:44 +0100
From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
Subject: Re: [Linux] klogd 1.3-22 buffer overflow
To: BUGTRAQ@NETSPACE.ORG

I'm the co-maintainer of the Linux sysklogd package which contains the klogd program for which a buffer overrun has been reported last week.

First of all I'd like to complain about two things:

a) The reports weren't made against the current version of the package. The source for it is well known on sunsite.unc.edu as well as various mirrors. When reporting security related bugs you should *always* try to use the current version of a package instead of an ancient old one.

b) Again the authors/maintainers of the package in question weren't notified and had to be informed through third parties. This is not a good style. (However I could imagine that this could be due to a).)

Now returning to the main problem. Michal Zalewski <lcamtuf@IDS.PL> has found a buffer overrun in a version of klogd. I have investigated this last week and wasn't able to reproduce it nor able to find the problematic piece of code. Instead of that I found a well thought parser with an anti-overrun mechanism. Going through the changelog entries I also found a note about a possible overrun at the location Michal has reported. I dare to say, but this bug was fixed *two* years ago:

    * Tue Nov 19 10:15:36 PST 1996: Leland Olds <olds@eskimo.com>
    * Corrected vulnerability to buffer overruns by rewriting LogLine
    * routine. Obscenely long kernel messages will now be broken up
    * into lines no longer than LOG_LINE_LENGTH.
    *
    * The last version of LogLine was vulnerable to buffer overruns:
    * - Kernel messages longer than LOG_LINE_LENGTH caused a buffer
    *   overrun.
    * - If a line was determined to be shorter than LOG_LINE_LENGTH,
    *   the routine "ExpandKadds" could cause the line grow by
    *   an unknown amount and overrun a buffer.
    * I turned these routines into a little parsing state machine that
    * should not have these problems.

With this information I've contacted Michal without receiving an answer, as well as some of the contributors who seem to have found / fixed the bug. I'm ashamed to admit that responses were far less than I would have expected.

Anyway, the current version of klogd which comes with sysklogd is *not* vulnerable to the overrun in question. You'll find current versions of the sysklogd package at

    ftp://ftp.infodrom.north.de/pub/people/joey/sysklogd/

Additionally the most recent stable version may also be found on SunSITE at

    ftp://sunsite.unc.edu/pub/Linux/system/daemons/

Thanks for the attention,

	Joey

-- 
GNU GPL: "The source will be with you... always."
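An added example, not code from sysklogd or from this post: a bounded line splitter in the spirit of the 1996 LogLine rewrite the changelog describes, so that a kernel message longer than LOG_LINE_LENGTH is broken into several lines instead of overrunning a fixed buffer. The value of LOG_LINE_LENGTH (16), the sink callback and the sample messages are assumptions chosen for demonstration.

```c
#include <string.h>
#define LOG_LINE_LENGTH 16  /* assumed, small on purpose for the demo */
typedef void (*line_sink)(const char *line, void *ctx);  /* gets finished lines */

/* Break msg (len bytes, need not be NUL-terminated) into lines ending at '\n'
 * or when the fixed buffer fills, so no line exceeds LOG_LINE_LENGTH - 1
 * chars however long msg is. Returns the number of lines handed to sink. */
size_t split_kernel_msg(const char *msg, size_t len, line_sink sink, void *ctx)
{
    char line[LOG_LINE_LENGTH];
    size_t pos = 0, emitted = 0;
    for (size_t i = 0; i < len; i++) {
        char c = msg[i];
        if (c == '\n' || pos == LOG_LINE_LENGTH - 1) {
            line[pos] = '\0';           /* pos < LOG_LINE_LENGTH: in bounds */
            sink(line, ctx); emitted++;
            pos = 0;
            if (c == '\n') continue;    /* newline is consumed, not stored */
        }
        line[pos++] = c;
    }
    if (pos > 0) {                      /* flush a trailing partial line */
        line[pos] = '\0';
        sink(line, ctx); emitted++;
    }
    return emitted;
}

/* Sink that records how many lines arrived and the longest one. */
struct stats { size_t lines, longest; };
static void count_sink(const char *line, void *ctx)
{
    struct stats *s = ctx;
    size_t n = strlen(line);
    s->lines++;
    if (n > s->longest) s->longest = n;
}

/* Run the splitter over a buffer and report what the sink saw. */
struct stats run_split(const char *msg, size_t len)
{
    struct stats s = {0, 0};
    split_kernel_msg(msg, len, count_sink, &s);
    return s;
}

/* Constructed samples: 40 chars with no newline (the case the old LogLine
 * overran), and two messages of 22 and 8 chars ending in newlines. */
const char OVERLONG[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
const char TWO_MSGS[] = "<6>usb 1-1: new device\n<4>short\n";
```

The 40-byte message becomes three lines of at most 15 characters, and the 22-character message is split in two while the 8-character one passes through whole.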