Eygene Ryabinkin
2008-Nov-18 04:00 UTC
ports/128960: [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2
>Number:         128960
>Category:       ports
>Synopsis:       [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 18 12:00:09 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
It was discovered [1] that syslog-ng 2.0.9 does not call chdir() before chroot, so this effectively leaks syslog's startup directory into the chrooted environment.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791
>How-To-Repeat:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791
http://www.openwall.com/lists/oss-security/2008/11/17/3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5110

Please note that CVE-2008-5110 is "too new" now -- the ID was just created and no entry seems to have been uploaded to cve.mitre.org yet.
>Fix:
The following patch fixes the things:

--- 2.0.9_1-to-2.0.9_2-fix-CVE-2008-5110.diff begins here ---
diff -urN ./Makefile ../syslog-ng2/Makefile
--- ./Makefile 2008-11-18 14:31:05.000000000 +0300
+++ ../syslog-ng2/Makefile 2008-11-18 14:31:15.000000000 +0300
@@ -7,7 +7,7 @@ PORTNAME= syslog-ng PORTVERSION= 2.0.9 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= sysutils MASTER_SITES= http://www.balabit.com/downloads/files/syslog-ng/sources/2.0/src/ PKGNAMESUFFIX= 2
diff -urN ./files/patch-CVE-2008-5110 ../syslog-ng2/files/patch-CVE-2008-5110
--- ./files/patch-CVE-2008-5110 1970-01-01 03:00:00.000000000 +0300
+++ ../syslog-ng2/files/patch-CVE-2008-5110 2008-11-18 14:40:00.000000000 +0300
@@ -0,0 +1,22 @@ +Patch for CVE-2008-5110 + +Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=14;mbox=yes;bug=505791 +Note: was not able to cleanly apply the original patch, so it was recreated + by hand using the original submission contents + +--- src/main.c.orig 2008-03-23 23:35:27.000000000 +0300 ++++ src/main.c 2008-11-18 14:38:13.000000000 +0300 +@@ -275,6 +275,13 @@ + { + if (chroot_dir) + { ++ if (chdir(chroot_dir) < 0) ++ { ++ msg_error("Error during chdir() before chroot()", ++ evt_tag_errno(EVT_TAG_OSERROR, errno), ++ NULL); ++ return 0; ++ } + if (chroot(chroot_dir) < 0) + { + msg_error("Error during chroot()",
--- 2.0.9_1-to-2.0.9_2-fix-CVE-2008-5110.diff ends here ---

This issue deserves the following VuXML entry:

--- vuln.xml begins here ---
  <vuln vid="">
    <topic>Syslog-ng -- startup directory leakage in the chroot environment</topic>
    <affects>
      <package>
        <name>syslog-ng2</name>
        <range><lt>2.0.9_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Florian Grandel reported through the Debian bug tracker that syslog-ng has a security vulnerability associated with the chroot() call.</p>
        <blockquote cite="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791">
          <p>I have not had the time to analyze all of syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail's location before chrooting into it.</p>
          <p>This opens up ways to work around the chroot jail.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5110</cvename>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791</url>
      <url>http://www.openwall.com/lists/oss-security/2008/11/17/3</url>
    </references>
    <dates>
      <discovery>2008-11-15</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
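Review bot: The PORTREVISION bump from 1 to 2 in the Makefile hunk is the right change for a patch-only fix and matches the `<range><lt>2.0.9_2</lt></range>` in the proposed VuXML entry, so installed 2.0.9_1 packages are flagged as affected; nothing further to change there.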
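Review bot: The new files/patch-CVE-2008-5110 adds chdir(chroot_dir) before chroot(chroot_dir), which removes the leaked startup directory, but it does not add the usual chdir("/") after a successful chroot(); that second call re-anchors the working directory at the new root regardless of how chroot_dir resolved and is the defensive form most chroot code uses, so consider adding it inside the same block. The chdir() failure path does `return 0;`, which is only consistent if the neighbouring chroot() failure block also returns 0; that return is outside the 13-line hunk shown, so please confirm before committing. Since the header says the patch was recreated by hand from the Debian submission, also confirm that `make patch` applies it cleanly against the 2.0.9 src/main.c rather than relying on the line offsets in the hand-written `@@ -275,6 +275,13 @@` header.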
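The fix in this PR comes down to entering the jail directory before calling chroot(). The following C program is an added example written for this page, not syslog-ng or FreeBSD ports code; the function names jail_prepare_cwd(), jail_enter(), jail_make_tmpdir() and jail_selftest() are my own. It shows the full sequence, chdir() into the jail, chroot(), then chdir("/"), checking the result of each step, and after the first chdir() it verifies that the working directory really is the jail root, which is exactly the post-condition syslog-ng 2.0.9 failed to establish. Only the chroot() step needs root; the directory check runs unprivileged.

```c
/* Added example (not syslog-ng code): the chdir()/chroot()/chdir("/")
 * sequence that keeps a daemon's working directory inside its jail. */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Step 1: move into the jail directory and verify that the kernel really
 * put us there.  Runs as any user, so it is the part a test can cover. */
int jail_prepare_cwd(const char *dir)
{
    char want[PATH_MAX], have[PATH_MAX];

    if (dir == NULL || realpath(dir, want) == NULL)
        return -1;               /* jail must exist and resolve to a real path */
    if (chdir(want) < 0)
        return -1;               /* this is the call syslog-ng 2.0.9 was missing */
    if (getcwd(have, sizeof have) == NULL)
        return -1;
    /* Post-condition: cwd is the jail root, not the daemon's startup dir. */
    return strcmp(want, have) == 0 ? 0 : -1;
}

/* Step 2: chroot() and pin cwd to the new root.  Needs root; as an
 * unprivileged user chroot() fails with EPERM and -1 is returned. */
int jail_enter(const char *dir)
{
    if (jail_prepare_cwd(dir) < 0)
        return -1;
    if (chroot(dir) < 0)
        return -1;
    /* Belt and braces: re-anchor cwd at "/" of the jail, whatever dir was. */
    if (chdir("/") < 0)
        return -1;
    return 0;
}

/* Helper for the demo and the test: create a throwaway jail directory.
 * The template below is a constructed value, not a real jail location. */
int jail_make_tmpdir(char *buf, size_t len)
{
    static const char tmpl[] = "/tmp/jailXXXXXX";

    if (len < sizeof tmpl)
        return -1;
    strcpy(buf, tmpl);
    return mkdtemp(buf) == NULL ? -1 : 0;
}

/* Unprivileged self-check: create a jail dir, enter it with the checked
 * chdir(), then leave and remove it.  Returns 0 when every step succeeded. */
int jail_selftest(void)
{
    char dir[PATH_MAX];
    int rc = -1;

    if (jail_make_tmpdir(dir, sizeof dir) < 0)
        return -1;
    if (jail_prepare_cwd(dir) == 0)
        rc = 0;
    /* step out before removing, so rmdir() does not race with our own cwd */
    if (chdir("/") < 0 || rmdir(dir) < 0)
        rc = -1;
    return rc;
}

int main(void)
{
    char dir[PATH_MAX];

    if (jail_make_tmpdir(dir, sizeof dir) < 0) {
        perror("mkdtemp");
        return 1;
    }
    if (jail_prepare_cwd(dir) == 0)
        printf("working directory is now the jail root %s\n", dir);
    if (jail_enter(dir) < 0)
        perror("jail_enter (chroot needs root)");
    else
        printf("chrooted; cwd is / inside the jail\n");
    /* Once chrooted the old path no longer exists, so this fails harmlessly
     * and the temporary directory is left behind when run as root. */
    rmdir(dir);
    return 0;
}
```

Build with `cc -o jail jail.c` and run it unprivileged: the cwd check passes and chroot() reports EPERM, which is the expected outcome without root. The point of jail_prepare_cwd() is that it does not trust chdir() alone but compares getcwd() against the resolved jail path, so a daemon cannot silently proceed to chroot() with its startup directory still open.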
edwin@FreeBSD.org
2008-Nov-18 04:43 UTC
ports/128960: [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2
Synopsis: [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2

State-Changed-From-To: open->feedback
State-Changed-By: edwin
State-Changed-When: Tue Nov 18 12:00:30 UTC 2008
State-Changed-Why:
Awaiting maintainers feedback (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=128960