Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 369069 (CVE-2011-1951)

Summary: <app-admin/syslog-ng-3.2.4: Remote Denial of Service (CVE-2011-1951)
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: alexanderyt, mr_bones_
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.balabit.hu/pipermail/syslog-ng/2011-May/016576.html
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 370845    
Bug Blocks:    

Description Tim Sammut (RETIRED) gentoo-dev 2011-05-28 18:14:31 UTC 
From $URL:

        * A bug was found in the pcre implementation for subst(). If the
          "global" flag is specified and pcre returns an error, an infinite
          loop is created, consuming memory in the process. It is triggered
          by PCRE 8.12, but could potentially affect older versions too.

Michael, 3.2.4 is already in the tree. Is it suitable for stabilization?
Comment 1 Agostino Sarubbo gentoo-dev 2011-05-28 19:13:59 UTC 
@tim 

No problem with it on my server =)
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-06-05 17:23:05 UTC 
(In reply to comment #1)
> @tim 
> 
> No problem with it on my server =)

Thanks, Agostino. ;)

Mr. Bones, ping?
Comment 3 Mr. Bones. (RETIRED) gentoo-dev 2011-06-09 17:21:59 UTC 
added bug #370845 for the stablereq
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-06-09 18:11:15 UTC 
(In reply to comment #3)
> added bug #370845 for the stablereq

Great, thank you.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-07-09 18:32:12 UTC 
Thanks, folks. GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:34:57 UTC 
CVE-2011-1951 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1951):
  lib/logmatcher.c in Balabit syslog-ng before 3.2.4, when the global flag is
  set and when using PCRE 8.12 and possibly other versions, allows remote
  attackers to cause a denial of service (memory consumption) via a message
  that does not match a regular expression.
Comment 7 Mr. Bones. (RETIRED) gentoo-dev 2013-05-10 22:42:16 UTC 
what's the next step in getting this closed?
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2014-11-09 16:30:08 UTC 
(In reply to Mr. Bones. from comment #7)
> what's the next step in getting this closed?

Releasing a GLSA. 

Please read the note at the bottom of bugzilla about NOT closing security bugs.
Comment 9 Mr. Bones. (RETIRED) gentoo-dev 2014-11-09 17:29:49 UTC 
Then get it done.  Three years makes a GLSA irrelevant.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:38:04 UTC 
This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).