Bug 161882

Summary: app-admin/ulogd: possible buffer overflow (SUSE security patch) (CVE-2007-0460)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: basic
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.novell.com/linux/security/advisories/2007_01_sr.html
Whiteboard: B? [glsa] Falco
Package list:
Runtime testing required: ---
Attachments: bug-229970_ulogd-1.23-strfix.dif (flags: none)

Description Sune Kloppenborg Jeppesen gentoo-dev 2007-01-13 11:37:18 UTC
SUSE patched ulogd buffer handling etc. Haven't had time to look at the bug so I'm filing it under auditing for now.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2007-01-13 11:39:41 UTC
Created attachment 106787: bug-229970_ulogd-1.23-strfix.dif

SUSE patch.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-22 11:32:15 UTC
maintainer needed :(

Unknown impact.
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-22 20:08:07 UTC
http://www.novell.com/linux/security/advisories/2007_01_sr.html

- ulogd potential buffer overflows
  The ulogd logging daemon was updated to fix a potential buffer
  overflow due to improper string length calculations.

  SUSE Linux 9.3 up to 10.1 and openSUSE 10.2 were affected and fixed.

http://secunia.com/advisories/23863/

Description:
A vulnerability with an unknown impact has been reported in ulogd.

The vulnerability is caused due to an unspecified error during the calculation of string lengths and can potentially be exploited to cause a buffer overflow.

Solution:
Due to limited information about this issue, a proper solution cannot be suggested.

Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-26 14:37:08 UTC
maintainer-needed mail sent to -dev
Comment 5 Rob Clark 2007-01-26 21:34:05 UTC
I'd be prepared to pick up the package and get it patched up and committed. Won't be done until Sunday/Monday (I'm moving house).

If someone else wants to jump in and do it instead, that's fine with me.

Cheers
-Rob
Comment 6 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2007-02-05 17:42:35 UTC
1.24 is masked, 1.23-r1 with the fix will be in the tree in a few hours
Comment 7 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2007-02-06 16:15:06 UTC
1.23-r1 is in the tree.
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2007-02-07 09:05:46 UTC
(In reply to comment #7)
> 1.23-r1 is in the tree.

You didn't commit the patch so it fails... ;)

Comment 9 Daniel Black (RETIRED) gentoo-dev 2007-02-07 09:21:15 UTC
patch is in the tree now too. Thanks analyzer on #gentoo-bugs for pointing it out.
Comment 10 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2007-02-07 17:56:24 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > 1.23-r1 is in the tree.
> 
> You didn't commit the patch so it fails... ;)
> 

No, I put the patch on the mirrors but failed to modify the ebuild because the patch is too big for the tree (>20k).
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 22:25:54 UTC
(In reply to comment #10)

> No, I put the patch on the mirrors but failed to modify the ebuild because the
> patch is too big for the tree (>20k)
> 

Hello Antarus,

Does that actually work?

Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-03 13:31:40 UTC
mmm, I can see that it has already been fixed in 1.23-r1 and already stable for a while.

Security team, glsa? The description is very weak:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0460
Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-05 21:12:49 UTC
tending to vote yes
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 22:32:25 UTC
security team please vote.

Personally, I really don't know if a GLSA would be useful...
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-03-12 09:54:46 UTC
tending to vote no here.
Comment 16 Matt Drew (RETIRED) gentoo-dev 2007-03-14 02:17:35 UTC
This thing is basically taking raw packets from iptables' ULOG target and dumping them into a database, sorting by protocol type and a few other fields. In other words, direct unfiltered user input. I suspect the vulnerability they listed had to do with malformed packets causing the overflows. It also looks like this thing runs as root (I emerged it and checked - root process, at least on my box), so I vote yes.
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-14 07:34:25 UTC
I tend to vote YES as well.
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-18 21:54:41 UTC
GLSA 200701-17, thanks everybody