From secunia security advisor at $URL: Description: The vulnerability is caused due to an off-by-two error within the "parseLegacySyslogMsg()" function (tools/syslogd.c) and can be exploited to cause a limited stack-based buffer overflow by sending an overly long TAG within a legacy syslog message. Solution: Update to versions 5.8.5. (Not mentioned version 4 because there is in main tree)
5.8.5 is available, please bump =)
http://www.rsyslog.com/potential-dos-with-malformed-tag/ states the impact is DoS. Code execution is not possible.
Thank you Agostino, I have bumped rsyslog to latest version and removed the useless 5.8.1 vulnerable version. +*rsyslog-5.8.5 (05 Sep 2011) + + 05 Sep 2011; Ultrabug <ultrabug@gentoo.org> files/5-stable/rsyslog.initd, + -rsyslog-5.8.1.ebuild, +rsyslog-5.8.5.ebuild, metadata.xml: + Init script handles baselayout 1 & 2, fix #373913 thanks to Martin Dummer for + reporting. Version bump wrt #381637 and drop old vulnerable version. Add + optional zeromq support to rsyslog. + Next steps proposed : - ask for 5.8.3 stabilization so we can remove 5.6.5 - wait one month and stabilize 5.8.5 Are you okay with this ?
Thanks Alexys, (In reply to comment #3) > Next steps proposed : > > - ask for 5.8.3 stabilization so we can remove 5.6.5 > - wait one month and stabilize 5.8.5 > > Are you okay with this ? No, we stabilize now the version not affected to CVE (as usual). Arches, please test and mark stable: =app-admin/rsyslog-5.8.5 target KEYWORDS : "amd64 hppa x86"
@maintainer the ebuild seems have differents problems, so not all are a blockers. Please check: bug 381901 bug 381903 bug 381905 bug 381907 bug 381909 bug 381911
All fixed, thanks again Ago.
(In reply to comment #6) > All fixed, thanks again Ago. Thanks. amd64 perfect now.
+ 05 Sep 2011; Tony Vroon <chainsaw@gentoo.org> rsyslog-5.8.5.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in bug + #381637.
Archtested on x86: Everything fine
Stable for HPPA.
Cannot emerge 5.8.5 from stage3, pkgconfig dependency is missing: ... checking for FSSTND support... yes /var/tmp/portage/app-admin/rsyslog-5.8.5/work/rsyslog-5.8.5/configure: line 16014: syntax error near unexpected token `GNUTLS,' /var/tmp/portage/app-admin/rsyslog-5.8.5/work/rsyslog-5.8.5/configure: line 16014: ` PKG_CHECK_MODULES(GNUTLS, gnutls >= 1.4.0)' !!! Please attach the following file when seeking support: !!! /var/tmp/portage/app-admin/rsyslog-5.8.5/work/rsyslog-5.8.5/config.log * ERROR: app-admin/rsyslog-5.8.5 failed (configure phase): * econf failed
PLease open a new bug for this.
x86 stable, thanks JD
Thanks, folks. GLSA Vote: yes.
Thanks guys, old vulnerable versions removed fyi.
CVE-2011-3200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3200): Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0 through 5.8.4 might allow remote attackers to cause a denial of service (application exit) via a long TAG in a legacy syslog message.
Vote: NO.
NO too, closing. Thanks everyone.
