>Number: 128960 >Category: ports >Synopsis: [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2 >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Nov 18 12:00:09 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.1-PRERELEASE amd64 >Organization: Code Labs >Environment:
System: FreeBSD 7.1-PRERELEASE amd64 >Description: It was discovered [1] that syslog-ng 2.0.9 does not call chdir() before chroot, so this effectively leaking the syslog's startup directory to the chrooted environment. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791 >How-To-Repeat: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791 http://www.openwall.com/lists/oss-security/2008/11/17/3 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5110 Please, note that CVE-2008-5110 is "too new" now -- ID was just created and no entry seem to be uploaded to the cve.mitre.org yet. >Fix: The following patch fixes the things: --- 2.0.9_1-to-2.0.9_2-fix-CVE-2008-5110.diff begins here --- diff -urN ./Makefile ../syslog-ng2/Makefile --- ./Makefile 2008-11-18 14:31:05.000000000 +0300 +++ ../syslog-ng2/Makefile 2008-11-18 14:31:15.000000000 +0300 @@ -7,7 +7,7 @@ PORTNAME= syslog-ng PORTVERSION= 2.0.9 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= sysutils MASTER_SITES= http://www.balabit.com/downloads/files/syslog-ng/sources/2.0/src/ PKGNAMESUFFIX= 2 diff -urN ./files/patch-CVE-2008-5110 ../syslog-ng2/files/patch-CVE-2008-5110 --- ./files/patch-CVE-2008-5110 1970-01-01 03:00:00.000000000 +0300 +++ ../syslog-ng2/files/patch-CVE-2008-5110 2008-11-18 14:40:00.000000000 +0300 @@ -0,0 +1,22 @@ +Patch for CVE-2008-5110 + +Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=14;mbox=yes;bug=505791 +Note: was not able to cleanly apply the original patch, so it was recreated + by hand using the original submission contents + +--- src/main.c.orig 2008-03-23 23:35:27.000000000 +0300 ++++ src/main.c 2008-11-18 14:38:13.000000000 +0300 +@@ -275,6 +275,13 @@ + { + if (chroot_dir) + { ++ if (chdir(chroot_dir) < 0) ++ { ++ msg_error("Error during chdir() before chroot()", ++ evt_tag_errno(EVT_TAG_OSERROR, errno), ++ NULL); ++ return 0; ++ } + if (chroot(chroot_dir) < 0) + { + msg_error("Error during chroot()", --- 2.0.9_1-to-2.0.9_2-fix-CVE-2008-5110.diff ends here --- This issue deserves the following VuXML entry: --- vuln.xml begins here --- <vuln vid=""> <topic>Syslog-ng -- startup directory leakage in the chroot environment</topic> <affects> <package> <name>syslog-ng2</name> <range><lt>2.0.9_2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml";> <p>Florian Grandel had reported through the Debian bug tracker that syslong-ng has the security vulnerability associated with the chroot() call.</p> <blockquote cite="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791";> <p>I have not had the time to analyze all of syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail's location before chrooting into it.</p> <p>This opens up ways to work around the chroot jail.</p> </blockquote> </body> </description> <references> <cvename>CVE-2008-5110</cvename> <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791</url> <url>http://www.openwall.com/lists/oss-security/2008/11/17/3</url> </references> <dates> <discovery>2008-11-15</discovery> </dates> </vuln> --- vuln.xml ends here --- >Release-Note: >Audit-Trail: >Unformatted: _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[EMAIL PROTECTED]"
