Debian Bug report logs -
#246535
sysklogd: Can be crashed by maliscious user
Reported by: "J.H.M. Dassen (Ray)" <fsmla@xinara.org>
Date: Thu, 29 Apr 2004 12:48:05 UTC
Severity: grave
Tags: patch, sarge, security, sid, upstream, woody
Found in version 1.4.1-14
Done: Martin Schulze <joey@infodrom.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Martin Schulze <joey@debian.org>:
Bug#246535; Package sysklogd.
(full text, mbox, link).
Acknowledgement sent to "J.H.M. Dassen (Ray)" <fsmla@xinara.org>:
New Bug report received and forwarded. Copy sent to Martin Schulze <joey@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: sysklogd
Version: 1.4.1-14
Severity: grave
Justification: causes data loss (of syslog messages)
Tags: security woody sarge sid upstream patch
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:038 :
Steve Grubb discovered a bug in sysklogd where it allocates an
insufficient amount of memory which causes sysklogd to write
to unallocated memory. This could allow for a malicious user to
crash sysklogd.
I'm attaching sysklogd-1.4.1-owl-syslogd-crunch_list.diff.bz2 as
extracted from sysklogd-1.4.1-5.1.100mdk.src.rpm.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (900, 'unstable'), (900, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-pre1
Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1
Versions of packages sysklogd depends on:
ii klogd [linux-kernel-log-dae 1.4.1-14 Kernel Logging Daemon
ii libc6 2.3.2.ds1-12 GNU C Library: Shared libraries an
-- no debconf information
[sysklogd-1.4.1-owl-syslogd-crunch_list.diff.bz2 (application/octet-stream, attachment)]
Reply sent to Martin Schulze <joey@infodrom.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to "J.H.M. Dassen (Ray)" <fsmla@xinara.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #10 received at 246535-done@bugs.debian.org (full text, mbox, reply):
I'm sorry but this bug cannot be triggered by a user, so the
description Mandrage/Steve Grubb gave is bogus. I'm open for
discussions on infodrom-sysklogd@lists.infodrom.org. This
issue is also documented here:
http://www.infodrom.org/projects/sysklogd/security.php3
Regards,
Joey
--
GNU GPL: "The source will be with you... always."
Information forwarded to debian-bugs-dist@lists.debian.org, Martin Schulze <joey@debian.org>:
Bug#246535; Package sysklogd.
(full text, mbox, link).
Acknowledgement sent to "J.H.M. Dassen (Ray)" <fsmla@xinara.org>:
Extra info received and forwarded to list. Copy sent to Martin Schulze <joey@debian.org>.
(full text, mbox, link).
Message #15 received at 246535@bugs.debian.org (full text, mbox, reply):
On Thu, Apr 29, 2004 at 11:18:13 -0700, Debian Bug Tracking System wrote:
> I'm sorry but this bug cannot be triggered by a user, so the
> description Mandrage/Steve Grubb gave is bogus.
OK. For reference, it looks like the issue was originally filed as
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120453
Regards,
Ray
--
"When you are finished spreading joy on Christmas Eve, come and kick back
with me and Erwin for a while. [...] We'll provide the cocoa and cookies,
and we'll even teach you how to play Quake."
From the Dust Puppy's letter to Santa Claus.
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Apr 15 11:07:39 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.