------- Forwarded Message Follows -------
Date: Tue, 16 Apr 1996 21:10:35 -0700
From: "A. Ian Vogelesang" <vogelesang@hdshq.com>
Organization: Hitachi Data Systems
To: firewalls@greatcircle.com, fwtk-users@tis.com,
best-of-security@suburbia.net
Cc: carl@hdshq.com
Subject: New vulnerabilities in syslog (libc) and the syslogd daemon
As part of a continuing review of our internal systems
for security vulnerabilities, a verification was performed
of the ability of the syslog/syslogd system to correctly
handle over-length messages, and to behave properly under
heavy load conditions.
As a result, a number of remaining problems with both
syslog (in libc), and the syslogd daemon were discovered
and corrected.
As some of these vulnerabilities may be present in various
implementations, CERT was notified last month and has in
turn advised the vendor list.
As the source for Linux is widely available, an example of
the source patches for Linux has been made available, together
with a test/verification program, and (optionally) Linux
executables including patched libc.so.5.3.9 and syslogd.
For more details please see:
http://www.hdshq.com/fixes/syslog-syslogd/readme.txt
(9645 bytes)
Source, scripts, makefile, test program in
http://www.hdshq.com/fixes/syslog-syslogd/syslog-syslogd.tar.gz
(56008 bytes)
http://www.hdshq.com/fixes/syslog-syslogd/syslog-syslogd.tar.Z
(77659 bytes)
- also contains the readme.txt (this may be all you want)
Above, plus Linux ELF executables & a patched libc.so.5.3.9 in
http://www.hdshq.com/fixes/syslog-syslogd/syslog-syslogd.linux.tar.gz
(863934 bytes)
Although I haven't gone through the exercise of determining
if the exposures could be exploited by Bad Guys to perform
dastardly deeds, the very fact that syslog and/or syslogd
are segv-ing, merrily zooming off the end of buffers, stomping
on memory and throwing away data warrants corrective action.
Regards,
Ian
A. Ian Vogelesang
Hitachi Data Systems
Graham
Ask not what you can do for your country,
but what your government is doing to you
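As an added illustration of the over-length handling this message is about (example code, not part of Ian's message or the HDS patch), the following bounded formatter builds a syslog-style line without ever writing past its buffer and reports truncation instead of silently running off the end; `LOG_LINE_MAX`, `format_log_line` and `demo_overlong` are names assumed here, and the 4 KiB message is constructed for the test.

```c
/* Added example (not from the original message or the HDS patch):
 * a bounded formatter for a syslog-style line, showing the over-length
 * handling the report says syslog(3)/syslogd got wrong. */
#include <stdio.h>
#include <string.h>
#include <stdarg.h>

#define LOG_LINE_MAX 1024   /* classic syslogd line buffer size (assumption) */

/* Format "<pri>tag: message" into buf, never writing past buflen bytes.
 * Returns the length actually stored (excluding the NUL) and sets
 * *truncated when the formatted text did not fit. */
size_t format_log_line(char *buf, size_t buflen, int *truncated,
                       int pri, const char *tag, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t used;

    *truncated = 0;
    if (buflen == 0) return 0;

    /* snprintf reports the length it *wanted* to write, so compare the
     * return value against buflen instead of trusting it as a length. */
    n = snprintf(buf, buflen, "<%d>%s: ", pri, tag);
    if (n < 0) { buf[0] = '\0'; return 0; }
    if ((size_t)n >= buflen) { *truncated = 1; return buflen - 1; }
    used = (size_t)n;

    va_start(ap, fmt);
    n = vsnprintf(buf + used, buflen - used, fmt, ap);
    va_end(ap);
    if (n < 0) { buf[used] = '\0'; return used; }
    if ((size_t)n >= buflen - used) { *truncated = 1; return buflen - 1; }
    return used + (size_t)n;
}

/* Constructed over-length input: a 4 KiB run of 'A', the kind of message
 * the report says drove syslog off the end of its buffer. Returns 1 when
 * the line was cut at LOG_LINE_MAX - 1 and is still NUL-terminated. */
int demo_overlong(void)
{
    char payload[4096], line[LOG_LINE_MAX];
    int truncated;
    size_t len;

    memset(payload, 'A', sizeof payload - 1);
    payload[sizeof payload - 1] = '\0';
    len = format_log_line(line, sizeof line, &truncated, 13, "test", "%s", payload);
    return truncated && len == LOG_LINE_MAX - 1 && line[len] == '\0';
}
```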