COMMAND

    syslog-ng

SYSTEMS AFFECTED

    Versions prior to and including 1.4.8

PROBLEM

    Balazs  Scheidler  (BalaBit  security  advisory)  found following.
    syslog-ng is  a portable  syslog implementation.   Its  highlights
    include regexp based log selection,  TCP transport and more.   For
    more information:

        http://www.balabit.hu/products/syslog-ng/

    When  syslog-ng  parses  log  messages  a variable named "left" is
    used  to  store  the  remaining  length  of  the log message.  The
    priority part in the message should look like this:

        <6>

    When the line  ends without the  closing '>' this  "left" variable
    becomes -1 due a to a bug.

    The  remaining  part  of  the  message  parsing  routine checks if
    there's any characters left using the condition: left != 0,  since
    -1 is not 0, this condition evaluates to true.

    Syslog-ng versions after  1.4.7 filters out  \r and \n  characters
    from  log  messages  and  replaces  them  with  spaces  to   avoid
    cluttering  logfiles.  Due  to  a  problem  in  the parsing of log
    messages,  this  character  change  may access unaccessible memory
    region. This  causes a  segmentation fault.   So sending  a  "<6",
    terminated with a  newline to one  of the input  channels causes a
    SIGSEGV.

    Prior  to  1.4.7,  this  character  change was not implemented, so
    mounting a DoS  attack is not  so trivial, but  is still possible.
    (it's left to the reader as an exercise).  It is believed that  no
    other exploitation is possible.

    Sending a carefully crafted  syslog packet may cause  syslog-ng to
    exit with a Segmentation Fault.

SOLUTION

    Upgrade  syslog-ng  to  1.4.9,  which  is  a security upgrade, and
    changes nothing compared to 1.4.8 or apply this patch:

    diff -urN syslog-ng-1.4.8/src/log.c syslog-ng-1.4.9/src/log.c
    --- syslog-ng-1.4.8/src/log.c   Tue Oct 10 15:05:52 2000
    +++ syslog-ng-1.4.9/src/log.c   Wed Nov 22 16:45:11 2000
    @@ -67,8 +67,10 @@
                            left--;
                    }
                    lm->pri = pri;
    -               src++;
    -               left--;
    +               if (left) {
    +                       src++;
    +                       left--;
    +               }
            }
            else {
                    lm->pri = LOG_USER | LOG_NOTICE;

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/sysutils/syslog-ng-1.4.10.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/sysutils/syslog-ng-1.4.10.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/sysutils/syslog-ng-1.4.10.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/sysutils/syslog-ng-1.4.10.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/sysutils/syslog-ng-1.4.10.tgz