Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <1228748026.3834.72.camel@dhcp-lab-164.englab.brq.redhat.com>
Date: Mon, 08 Dec 2008 15:53:46 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: coley@...re.org
Cc: oss-security <oss-security@...ts.openwall.com>
Subject: CVE Request - rsyslog

Hello Steve,

  the following vulnerability has been recently reported
in rsyslog:

http://www.rsyslog.com/Article322.phtml

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508027
http://secunia.com/Advisories/32857/

Upstream patch:
http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=f0ddbed44c332391ae6d9bbf6b07e2f06c4dd676

The reporter mentions:
"The versions affected are rsyslog 3.12.1 to 3.20.0, 4.1.0 and 4.1.1.    
 The v2-stable branch is not affected."

Although the v2-stable part is missing the plugins/imgssapi,imtcp,imudp
part of the patch, the affected 'clearAllowedSenders' function can be
found in syslogd.c 

 740 static void clearAllowedSenders (struct AllowedSenders *pAllow) {

and 'isAllowedSender' function from syslogd.c also lacks the check added
by the patch:
 
   1049 /* check if  a sender is allowed. The root of the the allowed sender.
   1050  * list must be proveded by the caller. As such, this function can be
   1051  * used to check both UDP and TCP allowed sender lists.
   1052  * returns 1, if the sender is allowed, 0 otherwise.
   1053  * rgerhards, 2005-09-26
   1054  */
   1055 int isAllowedSender(struct AllowedSenders *pAllowRoot, struct sockaddr *pFrom, const char *pszFromHost)
   1056 {
   1057         struct AllowedSenders *pAllow;
   1058 
   1059         assert(pFrom != NULL);
   1060                                   <- no "if(setAllowRoot(&pAllowRoot, pszType) != RS_RET_OK)" from the patch
   1061         if(pAllowRoot == NULL)
   1062                 return 1; /* checking disabled, everything is valid! */

so it is highly probable, rsyslog-2.0 is also affected by this issue (checking with the developers yet).

Could you please allocate a new CVE id for this issue?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.