Debian Bug report logs - #505791
syslog-ng doesn't chdir before chroot


Package: syslog-ng; Maintainer for syslog-ng is syslog-ng maintainers <syslog-ng-maintainers@lists.alioth.debian.org>; Source for syslog-ng is src:syslog-ng.

Reported by: Florian Grandel <jerico.dev@gmail.com>

Date: Sat, 15 Nov 2008 12:51:02 UTC

Severity: grave

Tags: patch, security

Found in version syslog-ng/2.0.9-1

Fixed in version syslog-ng/2.0.9-4.1

Done: Ben Hutchings <ben@decadent.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, SZALAY Attila <sasa@debian.org>:
Bug#505791; Package syslog-ng. (Sat, 15 Nov 2008 12:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Grandel <jerico.dev@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, SZALAY Attila <sasa@debian.org>. (Sat, 15 Nov 2008 12:51:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Florian Grandel <jerico.dev@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: syslog-ng doesn't chdir before chroot
Date: Sat, 15 Nov 2008 10:49:14 -0200
Package: syslog-ng
Version: 2.0.9-1ubuntu3
Severity: grave
Tags: security
Justification: user security hole

I have not had the time to analyze all of syslog-ng code. But by reading
the code section near the chroot call and looking at strace results I
believe that syslog-ng does not chdir to the chroot jail's location
before chrooting into it.

This opens up ways to work around the chroot jail.

See http://www.unixwiz.net/techtips/chroot-practices.html
(especially the point "Explicitly chdir into the jail")

I'll see whether I can provide a patch at a later stage.
-- System Information:
syslog-ng V2.0.9
-- no debconf information
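
Added example, not part of the original report: the reporter found the problem in strace output, and this Python script audits a trace for successful chroot() calls that leave the caller's working directory outside the new root. The trace lines, the jail path and the name `audit_chroot` are constructed for illustration; fchdir(), symlinks and a working directory inherited across fork() are not modelled.

```python
import re

# Matches strace lines such as:  [pid 812] chroot("/srv/jail") = 0
CALL = re.compile(r'^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?(chdir|chroot)'
                  r'\("((?:[^"\\]|\\.)*)"\)\s+=\s+(-?\d+)')

def audit_chroot(strace_lines):
    """Return [(pid, jail_path)] for every successful chroot() that left
    the calling process with a working directory outside the new root."""
    last_chdir = {}  # pid -> target of the last successful chdir()
    pending = {}     # pid -> jail entered without the cwd being moved into it
    findings = []
    for line in strace_lines:
        m = CALL.match(line.strip())
        if not m or int(m.group(5)) != 0:
            continue  # unrelated syscalls and failed calls change nothing
        pid = m.group(1) or m.group(2) or "-"
        call, path = m.group(3), m.group(4)
        if call == "chdir":
            last_chdir[pid] = path
            if path.startswith("/"):
                # An absolute chdir resolves from the current root, so after
                # a chroot it always lands inside the jail.
                pending.pop(pid, None)
            continue
        # chroot(".") makes the cwd the root. An absolute path is safe only
        # if the process had just chdir'ed to that same path. A relative
        # path that equals the chdir target is resolved a second time from
        # inside the directory, so it does not count as entered.
        entered = path == "." or (path.startswith("/")
                                  and last_chdir.get(pid) == path)
        if pid in pending:
            findings.append((pid, pending.pop(pid)))
        if not entered:
            pending[pid] = path
    return findings + list(pending.items())

SAMPLE = [  # constructed strace -f style lines, not captured from syslog-ng
    '[pid 701] getuid() = 0',
    '[pid 701] chroot("/var/lib/jail") = 0',   # chroot with no chdir
    '[pid 702] chdir("/var/lib/jail") = 0',
    '[pid 702] chroot(".") = 0',               # chdir, then chroot(".")
    '[pid 703] chdir("jail") = 0',
    '[pid 703] chroot("jail") = 0',            # relative path resolved twice
    '[pid 704] chroot("/var/lib/jail") = 0',
    '[pid 704] chdir("/") = 0',                # cwd fixed up afterwards
    '[pid 705] chroot("/var/lib/jail") = -1 EPERM (Operation not permitted)',
]

if __name__ == "__main__":
    for pid, jail in audit_chroot(SAMPLE):
        print(f"pid {pid}: chroot({jail!r}) without entering the jail")
```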




Bug no longer marked as found in version 2.0.9-1ubuntu3. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Sat, 15 Nov 2008 13:06:03 GMT) Full text and rfc822 format available.

Bug marked as found in version 2.0.9-1. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Sat, 15 Nov 2008 13:06:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, SZALAY Attila <sasa@debian.org>:
Bug#505791; Package syslog-ng. (Sat, 15 Nov 2008 14:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Grandel <jerico.dev@gmail.com>:
Extra info received and forwarded to list. Copy sent to SZALAY Attila <sasa@debian.org>. (Sat, 15 Nov 2008 14:18:03 GMT) Full text and rfc822 format available.

Message #14 received at 505791@bugs.debian.org (full text, mbox):

From: Florian Grandel <jerico.dev@gmail.com>
To: 505791@bugs.debian.org
Subject: patch
Date: Sat, 15 Nov 2008 12:13:46 -0200
--- syslog-ng-2.0.9.orig/src/main.c
+++ syslog-ng-2.0.9/src/main.c
@@ -275,7 +275,15 @@
 {
   if (chroot_dir)
     {
-      if (chroot(chroot_dir) < 0)
+      if (chdir(chroot_dir) <0)
+        {
+          msg_error("Error during chdir() before chroot()",
+                    evt_tag_errno(EVT_TAG_OSERROR, errno),
+                    NULL);
+          return 0;
+        }
+
+      if (chroot(chroot_dir) < 0)
        {
          msg_error("Error during chroot()",
                    evt_tag_errno(EVT_TAG_OSERROR, errno),
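
Review bot: In the added chdir() block the path is resolved twice, once by chdir(chroot_dir) and again by the chroot(chroot_dir) that follows it. If chroot_dir is a relative path, the second lookup starts from inside the directory just entered, so chroot() either fails or lands in a nested directory of the same name and the working directory ends up outside the new root. Calling chroot(".") after the successful chdir() resolves the path only once. Minor style point: the chdir() comparison is missing the space that the chroot() comparison has before the 0.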




Tags added: patch Request was from Ken Bloom <kbloom@gmail.com> to control@bugs.debian.org. (Sun, 16 Nov 2008 03:36:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, SZALAY Attila <sasa@debian.org>:
Bug#505791; Package syslog-ng. (Sun, 23 Nov 2008 21:09:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to SZALAY Attila <sasa@debian.org>. (Sun, 23 Nov 2008 21:09:11 GMT) Full text and rfc822 format available.

Message #21 received at 505791@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 505791@bugs.debian.org
Subject: NMU diff for syslog-ng 2.0.9-4.1
Date: Sun, 23 Nov 2008 21:11:05 +0000
Fixes this bug and two others with patches available.

Ben.

diff -u syslog-ng-2.0.9/debian/changelog syslog-ng-2.0.9/debian/changelog
--- syslog-ng-2.0.9/debian/changelog
+++ syslog-ng-2.0.9/debian/changelog
@@ -1,3 +1,12 @@
+syslog-ng (2.0.9-4.1) unstable; urgency=high
+
+  * Non-maintainer upload; high priority due to the following security fix.
+  * Add chdir() before chroot(), and exit if either fails. (Closes: #505791)
+  * Fix typo in postrm. (Closes: #505797)
+  * Fix path to DocBook XML DTD. (Closes: #477223)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sun, 23 Nov 2008 20:26:06 +0000
+
 syslog-ng (2.0.9-4) unstable; urgency=low
 
   * Fixed init script to check /usr/sbin/syslog-ng instead of /sbin/syslog-ng. (Closes: #492363)
diff -u syslog-ng-2.0.9/doc/reference/syslog-ng.xml syslog-ng-2.0.9/doc/reference/syslog-ng.xml
--- syslog-ng-2.0.9/doc/reference/syslog-ng.xml
+++ syslog-ng-2.0.9/doc/reference/syslog-ng.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="iso-8859-2"?>
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "/usr/share/xml/docbook/schema/4.3/docbookx.dtd" [
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "/usr/share/xml/docbook/schema/dtd/4.3/docbookx.dtd" [
   <!ENTITY % docvars SYSTEM "../docvars.xml.in">
   %docvars;
 ]>
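
Review bot: The replacement system identifier on the DOCTYPE line is still an absolute local path, so the document only validates where the DTD is installed at exactly /usr/share/xml/docbook/schema/dtd/4.3/. Resolving the public identifier through the XML catalog instead would keep the build independent of the install layout.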
only in patch2:
unchanged:
--- syslog-ng-2.0.9.orig/src/main.c
+++ syslog-ng-2.0.9/src/main.c
@@ -275,7 +275,7 @@
 {
   if (chroot_dir) 
     {
-      if (chroot(chroot_dir) < 0) 
+      if (chdir(chroot_dir) || chroot("."))
 	{
 	  msg_error("Error during chroot()",
 	            evt_tag_errno(EVT_TAG_OSERROR, errno),
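
Review bot: The combined test chdir(chroot_dir) || chroot(".") still logs "Error during chroot()" when it is chdir() that failed, so the log line does not say which call to investigate. Either give each call its own msg_error(), or reword the message to cover both, for example "Error during chdir() or chroot()". The errno tag is fine as it stands, because the short-circuit leaves errno set by whichever call failed.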
@@ -428,7 +428,8 @@
   /* from now on internal messages are written to the system log as well */
   msg_syslog_started();
   
-  setup_creds();
+  if (!setup_creds())
+    return 1;
   setup_std_fds(log_to_stderr);
   
   rc = main_loop_run(&cfg);
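
Review bot: The new check if (!setup_creds()) return 1; depends on setup_creds() returning 0 on every failure path, and the hunk above is cut off before the return statement of the chroot failure branch. Please confirm that branch and any other failure path in setup_creds() return 0, and add a short comment at this call saying that a failed chroot or credential change must stop startup, so that a later cleanup does not go back to ignoring the return value.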
only in patch2:
unchanged:
--- syslog-ng-2.0.9.orig/debian/syslog-ng.postrm
+++ syslog-ng-2.0.9/debian/syslog-ng.postrm
@@ -9,7 +9,7 @@
 fi
 
 # remove disabled files on purge or complete overwrite.
-if [ "$1" = "purge" -o "$1" = "dissappear" ]; then
+if [ "$1" = "purge" -o "$1" = "disappear" ]; then
     # main file
     [ -f /etc/logrotate.d/syslog-ng.disabled ] && rm -f /etc/logrotate.d/syslog-ng.disabled
 fi
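
Review bot: On the changed if line, -o inside [ ] is marked obsolescent by POSIX and can be ambiguous with some operands; [ "$1" = "purge" ] || [ "$1" = "disappear" ] is the portable form. In the context line below it, the [ -f ... ] guard is redundant because rm -f already succeeds when the file is missing, and dropping the guard keeps the if body from ending with a non-zero status.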
--- END ---


Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility. (Sun, 23 Nov 2008 21:27:11 GMT) Full text and rfc822 format available.

Notification sent to Florian Grandel <jerico.dev@gmail.com>:
Bug acknowledged by developer. (Sun, 23 Nov 2008 21:27:12 GMT) Full text and rfc822 format available.

Message #26 received at 505791-close@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 505791-close@bugs.debian.org
Subject: Bug#505791: fixed in syslog-ng 2.0.9-4.1
Date: Sun, 23 Nov 2008 21:17:12 +0000
Source: syslog-ng
Source-Version: 2.0.9-4.1

We believe that the bug you reported is fixed in the latest version of
syslog-ng, which is due to be installed in the Debian FTP archive:

syslog-ng_2.0.9-4.1.diff.gz
  to pool/main/s/syslog-ng/syslog-ng_2.0.9-4.1.diff.gz
syslog-ng_2.0.9-4.1.dsc
  to pool/main/s/syslog-ng/syslog-ng_2.0.9-4.1.dsc
syslog-ng_2.0.9-4.1_i386.deb
  to pool/main/s/syslog-ng/syslog-ng_2.0.9-4.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 505791@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated syslog-ng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 23 Nov 2008 20:26:06 +0000
Source: syslog-ng
Binary: syslog-ng
Architecture: source i386
Version: 2.0.9-4.1
Distribution: unstable
Urgency: high
Maintainer: SZALAY Attila <sasa@debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description: 
 syslog-ng  - Next generation logging daemon
Closes: 477223 505791 505797
Changes: 
 syslog-ng (2.0.9-4.1) unstable; urgency=high
 .
   * Non-maintainer upload; high priority due to the following security fix.
   * Add chdir() before chroot(), and exit if either fails. (Closes: #505791)
   * Fix typo in postrm. (Closes: #505797)
   * Fix path to DocBook XML DTD. (Closes: #477223)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 29 Dec 2008 07:29:39 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 15:23:39 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.