Date: Fri, 3 Oct 2014 13:53:02 +0200
From: Rainer Gerhards <>
To: Solar Designer <>
Cc: Martin Schulze <>,
Subject: Re: sysklogd vulnerability (CVE-2014-3634)

Sent from phone, thus brief.
On 03.10.2014 13:26, "Solar Designer" <> wrote:
> On Fri, Oct 03, 2014 at 11:24:43AM +0000, mancha wrote:
> > On Fri, Oct 03, 2014 at 09:12:28AM +0000, mancha wrote:
> > > In sysklogd's syslogd, invalid priority values between 192 and 1023
> > > (directly or arrived at via overflow wraparound) can propagate through
> > > code causing out-of-bounds access to the f_pmask array within the
> > > 'filed' structure by up to 104 bytes past its end. Though most likely
> > > insufficient to reach unallocated memory because there are around 544
> > > bytes past f_pmask in 'filed' (mod packing and other differences),
> > > incorrect access of fields at higher positions of the 'filed'
> > > structure definition can cause unexpected behavior including message
> > > mis-classification, forwarding issues, message loss, or other.
> >
> > To expand on the above, because the out-of-bounds access is limited to
> > the filed structure, the effect on message handling, etc. appears
> > limited to the would-be attacker's own message. Unlike the more serious
> > impact seen in rsyslog, my limited testing and code review suggests the
> > flaw, while there, has no real security impact. Nevertheless, my patch
> > fixes the handling of malformed PRI parts.
> What about the DoS impact claimed here, though? -
>  sysklogd
>  ~~~~~~~~
>  A segfault seems possible in sysklogd if a negative facility value (due
>  to integer overrun in facility parsing) is used. This could be used to
>  carry out a remote DoS.
> If this can be used to crash syslogd, it's "real security impact", even
> if rather limited.
> Have you tried triggering this condition (getting syslogd to crash)?

I didn't try out sysklogd as I was busy enough with rsyslog, BUT I can crash
unpatched rsyslog v3, and the code path in question is extremely similar in
those two.

Note that a carefully crafted overflow PRI may lead to a 2 GB misaddressing
below f_pmask, which most probably is outside of the address space. I
haven't checked, though, if I can craft such a PRI. But you have around
1000 digits for trying, so I think it's possible.

Mancha may have more concrete information.

> Alexander
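The parsing pattern under discussion (accumulate every digit after '<', then only reject values with bits above 0x3ff set), shown next to a strict parser, as an added example. This is not sysklogd's or rsyslog's code and not mancha's patch; it is a self-contained model of the pattern. The constants mirror the values in <syslog.h>, the f_pmask size of NFACILITIES+1 slots is an assumption matching sysklogd's declaration, and the accumulator is uint32_t so that the wraparound is well defined here (the real code used a signed int). The sample PRI strings are constructed.

```c
#include <assert.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values mirror <syslog.h>; defined locally so the example is self-contained. */
#define PRIMASK        0x07
#define FACMASK        0x3f8
#define NFACILITIES    24
#define MAX_VALID_PRI  191              /* (23 << 3) | 7 = local7.debug */
#define DEFUPRI        ((1 << 3) | 5)   /* user.notice, the usual fallback */

/* Weak parser, modelled on the pre-fix pattern: every digit after '<' is
 * accumulated, and the only check rejects values with bits outside
 * FACMASK|PRIMASK. So 192..1023 survive, and a long digit run wraps
 * around modulo 2^32 to whatever the attacker wants. */
static int parse_pri_weak(const char *msg, int *consumed) {
    uint32_t pri = 0;
    const char *p = msg;
    if (*p != '<') { *consumed = 0; return DEFUPRI; }
    while (isdigit((unsigned char)*++p))
        pri = 10u * pri + (uint32_t)(*p - '0');   /* wraps silently */
    if (*p == '>') ++p;
    *consumed = (int)(p - msg);
    if (pri & ~(uint32_t)(FACMASK | PRIMASK))
        return DEFUPRI;                           /* only >1023 rejected */
    return (int)pri;
}

/* Strict parser: at most 3 digits, closed by '>', value <= 191.
 * Anything else falls back to DEFUPRI and consumes nothing, so the
 * malformed PRI text is treated as part of the message body. */
static int parse_pri_strict(const char *msg, int *consumed) {
    int pri = 0, ndigits = 0;
    const char *p = msg;
    *consumed = 0;
    if (*p != '<') return DEFUPRI;
    while (ndigits < 3 && isdigit((unsigned char)p[1])) {
        pri = 10 * pri + (p[1] - '0');
        ++p; ++ndigits;
    }
    if (ndigits == 0 || p[1] != '>' || pri > MAX_VALID_PRI) return DEFUPRI;
    *consumed = (int)(p + 2 - msg);
    return pri;
}

/* Facility index as the filter code would derive it from the PRI. */
static int facility_index(int pri) { return (pri & FACMASK) >> 3; }

/* True if f_pmask[facility_index(pri)] would be read past the end of an
 * array of NFACILITIES+1 bytes (assumed size, see lead-in). */
static int pri_overruns_pmask(int pri) {
    return facility_index(pri) > NFACILITIES;
}

int main(void) {
    /* Constructed inputs: a plain out-of-range PRI, a wrapped one
     * (2^32 + 500 = 4294967796), a rejected one, and a valid one. */
    const char *samples[] = { "<500>msg", "<4294967796>msg", "<1024>msg", "<34>msg" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int cw, cs;
        int weak = parse_pri_weak(samples[i], &cw);
        int strict = parse_pri_strict(samples[i], &cs);
        printf("%-18s weak=%4d (fac %3d, overrun=%d)  strict=%3d\n",
               samples[i], weak, facility_index(weak),
               pri_overruns_pmask(weak), strict);
    }
    return 0;
}
```

The weak parser accepts "<500>" and turns "<4294967796>" into the same value 500, a facility index of 62 against a 25-slot table; the strict parser returns the default priority for both and leaves the text in the message.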
