
Bug 249878

Summary: app-admin/rsyslog < 3.20.2 and < 3.21.9 "AllowedSender" Security Bypass Vulnerability and DoS (CVE-2008-{5617,5618})
Product: Gentoo Security
Reporter: Bruno Buss <bruno.buss>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: dev-zero
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.rsyslog.com/Article324.phtml
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 246290    

Description Bruno Buss 2008-12-05 00:34:02 UTC
They released 3.20.1 but took that down to put out another one, 3.20.2, that also fixes a DoS.

Here is the Secunia link for the vuln that 3.20.1 fix:
http://secunia.com/advisories/32857/
Comment 1 Bruno Buss 2008-12-05 00:43:01 UTC
Added that this blocks bug 246290.
Comment 2 stupendoussteve 2008-12-05 00:43:40 UTC
This vulnerability affects 3.12.1 through 3.20.0, so only rsyslog-3.18.4 from the tree is affected (suggest removal).
Comment 3 Bruno Buss 2008-12-05 01:00:16 UTC
(In reply to comment #2)
> This vulnerability affects 3.12.1 through 3.20.0, so only rsyslog-3.18.4 from
> the tree is affected (suggest removal).
> 

Maybe not.
3.20.x is the v3-stable branch.
3.21.x is the v3-beta branch.

They also released 3.21.8 and 3.21.9 that fixes the same vulns that 3.20.1/3.20.2 fixes:
http://www.rsyslog.com/Article327.phtml

(Sorry, I only just saw this; if I had seen it before, it would be in the bug summary/description.)

So, both versions in portage tree are vulnerable.

Should we update the bug summary?
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-06 15:09:47 UTC
I'd say we remove 3.18.4 and push an ebuild for 3.21.9 into the tree. Maybe 3.20.2 could be added too, as that's the stable line (I'll leave that to the maintainer).
Comment 5 Tiziano Müller (RETIRED) gentoo-dev 2008-12-08 12:54:04 UTC
Ok, new versions in the tree, affected versions dropped and stabilization request for 3.18.x withdrawn.
Thanks for letting me know.
Security, your turn.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-09 21:36:20 UTC
Thanks, closing noglsa.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 16:12:04 UTC
CVE-2008-5617 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5617):
  The ACL handling in rsyslog 3.12.1 to 3.20.0, 4.1.0, and 4.1.1 does
  not follow $AllowedSender directive, which allows remote attackers to
  bypass intended access restrictions and spoof log messages or create
  a large number of spurious messages.

CVE-2008-5618 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5618):
  imudp in rsyslog 4.x before 4.1.2, 3.21 before 3.21.9 beta, and 3.20
  before 3.20.2 generates a message even when it is sent by an
  unauthorized sender, which allows remote attackers to cause a denial
  of service (disk consumption) via a large number of spurious messages.
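The two CVEs above describe two distinct failures of the same check: the ACL configured with $AllowedSender not being applied at all (CVE-2008-5617), and imudp still generating a log message for every datagram from an unauthorized sender, so that a flood of rejected packets fills the disk anyway (CVE-2008-5618). The following is an added toy model of the intended behaviour, written for this page and not taken from rsyslog's source: it parses the legacy `$AllowedSender PROTO, addr, net/prefix, ...` directive (hostname patterns, which rsyslog also accepts, are deliberately left out), consults the ACL before anything is written, and only counts rejected datagrams instead of logging each one. The configuration lines and the sample packets are constructed for the example. The real remedy on an affected system is the upgrade discussed in the bug; this code only shows what the check has to do.

```python
"""Toy model of an rsyslog-style $AllowedSender ACL in front of a UDP input.

Added illustration for this bug page, not rsyslog code. The point is the
ordering: the ACL is consulted first, and a rejected datagram produces
no log message, only a counter increment.
"""
import ipaddress
from collections import Counter


def parse_allowed_sender(line):
    """Parse one legacy '$AllowedSender PROTO, entry, entry, ...' directive.

    Only IP addresses and CIDR networks are handled here (hostname and
    wildcard patterns are out of scope for this example).
    Returns (protocol, [ip_network, ...]).
    """
    directive, _, rest = line.partition(" ")
    if directive != "$AllowedSender":
        raise ValueError("not an $AllowedSender directive: %r" % line)
    parts = [p.strip() for p in rest.split(",") if p.strip()]
    if not parts:
        raise ValueError("missing protocol: %r" % line)
    proto = parts[0].upper()
    # strict=False lets a bare host address such as 127.0.0.1 become a /32
    nets = [ipaddress.ip_network(p, strict=False) for p in parts[1:]]
    return proto, nets


class SenderAcl:
    """Sender ACL built from rsyslog-style configuration lines."""

    def __init__(self, config_lines):
        self.nets = {"UDP": [], "TCP": []}
        for line in config_lines:
            if line.startswith("$AllowedSender"):
                proto, nets = parse_allowed_sender(line)
                self.nets.setdefault(proto, []).extend(nets)
        # per-source count of dropped datagrams; this replaces per-packet logging
        self.rejected = Counter()

    def enabled(self, proto):
        return bool(self.nets.get(proto))

    def allows(self, proto, src_ip):
        """True if src_ip may send for this protocol.

        With no ACL configured for the protocol, everyone is accepted,
        which matches rsyslog's default when $AllowedSender is absent.
        """
        if not self.enabled(proto):
            return True
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.nets[proto])

    def receive_udp(self, src_ip, payload, log):
        """Model of imudp receiving one datagram; returns True if it is logged.

        Unauthorized senders are counted and dropped before any message is
        generated, so a flood from them cannot consume disk space.
        """
        if not self.allows("UDP", src_ip):
            self.rejected[src_ip] += 1
            return False
        log.append((src_ip, payload))
        return True


def demo():
    """Run constructed traffic through the ACL; returns (logged, rejected)."""
    config = [  # constructed sample configuration using legacy directives
        "$ModLoad imudp",
        "$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24",
        "$UDPServerRun 514",
    ]
    acl = SenderAcl(config)
    log = []
    # constructed traffic: one legitimate host, one host flooding spoofed lines
    packets = [("192.0.2.10", "<34>Oct 11 22:14:15 host su: 'su root' failed")]
    packets += [("198.51.100.7", "<13>spam %d" % i) for i in range(1000)]
    for src, msg in packets:
        acl.receive_udp(src, msg, log)
    return len(log), dict(acl.rejected)


if __name__ == "__main__":
    logged, rejected = demo()
    print("logged:", logged, "rejected:", rejected)
```

Running `demo()` leaves exactly one entry in the log and a single counter of 1000 drops for the flooding host; the 1000 rejected datagrams never become messages. A vulnerable build of the kind described in CVE-2008-5618 would instead have written a line for each of them.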