ports/128960: [patch] [vuxml] fix chroot issue in the
sysutils/syslog-ng2
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Tue Nov 18 04:00:11 PST 2008
>Number: 128960
>Category: ports
>Synopsis: [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 18 12:00:09 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
It was discovered [1] that syslog-ng 2.0.9 does not call chdir() before
chroot, so this effectively leaking the syslog's startup directory to
the chrooted environment.
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791
>How-To-Repeat:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791
http://www.openwall.com/lists/oss-security/2008/11/17/3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5110
Please, note that CVE-2008-5110 is "too new" now -- ID was just created
and no entry seem to be uploaded to the cve.mitre.org yet.
>Fix:
The following patch fixes the things:
--- 2.0.9_1-to-2.0.9_2-fix-CVE-2008-5110.diff begins here ---
diff -urN ./Makefile ../syslog-ng2/Makefile
--- ./Makefile 2008-11-18 14:31:05.000000000 +0300
+++ ../syslog-ng2/Makefile 2008-11-18 14:31:15.000000000 +0300
@@ -7,7 +7,7 @@
PORTNAME= syslog-ng
PORTVERSION= 2.0.9
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= sysutils
MASTER_SITES= http://www.balabit.com/downloads/files/syslog-ng/sources/2.0/src/
PKGNAMESUFFIX= 2
diff -urN ./files/patch-CVE-2008-5110 ../syslog-ng2/files/patch-CVE-2008-5110
--- ./files/patch-CVE-2008-5110 1970-01-01 03:00:00.000000000 +0300
+++ ../syslog-ng2/files/patch-CVE-2008-5110 2008-11-18 14:40:00.000000000 +0300
@@ -0,0 +1,22 @@
+Patch for CVE-2008-5110
+
+Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=14;mbox=yes;bug=505791
+Note: was not able to cleanly apply the original patch, so it was recreated
+ by hand using the original submission contents
+
+--- src/main.c.orig 2008-03-23 23:35:27.000000000 +0300
++++ src/main.c 2008-11-18 14:38:13.000000000 +0300
+@@ -275,6 +275,13 @@
+ {
+ if (chroot_dir)
+ {
++ if (chdir(chroot_dir) < 0)
++ {
++ msg_error("Error during chdir() before chroot()",
++ evt_tag_errno(EVT_TAG_OSERROR, errno),
++ NULL);
++ return 0;
++ }
+ if (chroot(chroot_dir) < 0)
+ {
+ msg_error("Error during chroot()",
--- 2.0.9_1-to-2.0.9_2-fix-CVE-2008-5110.diff ends here ---
This issue deserves the following VuXML entry:
--- vuln.xml begins here ---
<vuln vid="">
<topic>Syslog-ng -- startup directory leakage in the chroot environment</topic>
<affects>
<package>
<name>syslog-ng2</name>
<range><lt>2.0.9_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Florian Grandel had reported through the Debian bug tracker
that syslong-ng has the security vulnerability associated with
the chroot() call.</p>
<blockquote cite="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791">
<p>I have not had the time to analyze all of syslog-ng code.
But by reading the code section near the chroot call and looking
at strace results I believe that syslog-ng does not chdir to the
chroot jail's location before chrooting into it.</p>
<p>This opens up ways to work around the chroot jail.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-5110</cvename>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791</url>
<url>http://www.openwall.com/lists/oss-security/2008/11/17/3</url>
</references>
<dates>
<discovery>2008-11-15</discovery>
</dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-security
mailing list