Bug#644611: Re : Bug#644611: CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function
As said, I agreed with Nico that this issue is not grave enough to be handled via a security upload, but will be done via a regular stable release update. Uploads for the next stable release are no longer accepted, so it will have to go into the next one. I also don't think severity grave is justified, so downgrading. Cheers, Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? Ok, thank for your feedback. Emeric. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#644611: CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function
De: Michael Biebl bi...@debian.org Objet: Re: Bug#644611: CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function À: emeric boit emericb...@yahoo.fr, 644...@bugs.debian.org Date: Vendredi 7 octobre 2011, 18h44 Am 07.10.2011 12:55, schrieb emeric boit: Package: rsyslog Version: 4.6.4-2 Severity: grave Tags: security CVE description: Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0 through 5.8.4 might allow remote attackers to cause a denial of service (application exit) via a long TAG in a legacy syslog message. Security Bug Tracker : http://security-tracker.debian.org/tracker/CVE-2011-3200 RedHat bug : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3200 Ubuntu Bug : http://www.ubuntu.com/usn/usn-1224-1 I've attached the patch based on Ubuntu and RedHat patch. TTBOMK this only affects rsyslog if it was compiled with SSP, which the version in squeeze isn't. Have you information that this is not the case? It also only affects rsyslog if you enable remote logging. That said, Nico Golde asked me, to handle that via a stable upload. Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? It's true with no SSP, no fatal problem seems to occur and the tag character is usually just truncated. But I think even if SSP isn't in Squeeze by default the problem must be corrected. Emeric. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#644611: CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function
severity 644611 important thanks Am 09.10.2011 13:57, schrieb emeric boit: De: Michael Biebl bi...@debian.org Objet: Re: Bug#644611: CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function À: emeric boit emericb...@yahoo.fr, 644...@bugs.debian.org Date: Vendredi 7 octobre 2011, 18h44 Am 07.10.2011 12:55, schrieb emeric boit: Package: rsyslog Version: 4.6.4-2 Severity: grave Tags: security CVE description: Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0 through 5.8.4 might allow remote attackers to cause a denial of service (application exit) via a long TAG in a legacy syslog message. Security Bug Tracker : http://security-tracker.debian.org/tracker/CVE-2011-3200 RedHat bug : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3200 Ubuntu Bug : http://www.ubuntu.com/usn/usn-1224-1 I've attached the patch based on Ubuntu and RedHat patch. TTBOMK this only affects rsyslog if it was compiled with SSP, which the version in squeeze isn't. Have you information that this is not the case? It also only affects rsyslog if you enable remote logging. That said, Nico Golde asked me, to handle that via a stable upload. Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? It's true with no SSP, no fatal problem seems to occur and the tag character is usually just truncated. But I think even if SSP isn't in Squeeze by default the problem must be corrected. As said, I agreed with Nico that this issue is not grave enough to be handled via a security upload, but will be done via a regular stable release update. Uploads for the next stable release are no longer accepted, so it will have to go into the next one. I also don't think severity grave is justified, so downgrading. Cheers, Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
Bug#644611: CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function
Package: rsyslog Version: 4.6.4-2 Severity: grave Tags: security CVE description: Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0 through 5.8.4 might allow remote attackers to cause a denial of service (application exit) via a long TAG in a legacy syslog message. Security Bug Tracker : http://security-tracker.debian.org/tracker/CVE-2011-3200 RedHat bug : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3200 Ubuntu Bug : http://www.ubuntu.com/usn/usn-1224-1 I've attached the patch based on Ubuntu and RedHat patch. 03-CVE-2011-3200.patch Description: Binary data
Bug#644611: CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function
Am 07.10.2011 12:55, schrieb emeric boit: Package: rsyslog Version: 4.6.4-2 Severity: grave Tags: security CVE description: Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0 through 5.8.4 might allow remote attackers to cause a denial of service (application exit) via a long TAG in a legacy syslog message. Security Bug Tracker : http://security-tracker.debian.org/tracker/CVE-2011-3200 RedHat bug : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3200 Ubuntu Bug : http://www.ubuntu.com/usn/usn-1224-1 I've attached the patch based on Ubuntu and RedHat patch. TTBOMK this only affects rsyslog if it was compiled with SSP, which the version in squeeze isn't. Have you information that this is not the case? It also only affects rsyslog if you enable remote logging. That said, Nico Golde asked me, to handle that via a stable upload. Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature