Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2007-01-13 11:39:41 UTC

Created attachment 106787 [details, diff]
bug-229970_ulogd-1.23-strfix.dif

SUSE patch.

Comment 2 Raphael Marichez (Falco) (RETIRED) 2007-01-22 11:32:15 UTC

maintainer needed :(

Unknown impact.

Comment 3 Matthias Geerdsen (RETIRED) 2007-01-22 20:08:07 UTC

http://www.novell.com/linux/security/advisories/2007_01_sr.html

- ulogd potential buffer overflows
     The ulogd logging daemon was updated to fix a potential buffer
     overflow due to improper string length calculations.

     SUSE Linux 9.3 up to 10.1 and openSUSE 10.2 were affected and fixed.


http://secunia.com/advisories/23863/

Description:
A vulnerability with an unknown impact has been reported in ulogd.

The vulnerability is caused due to an unspecified error during the calculation of string lengths and can potentially be exploited to cause a buffer overflow.

Solution:
Due to limited information about this issue, a proper solution cannot be suggested.

Comment 4 Matthias Geerdsen (RETIRED) 2007-01-26 14:37:08 UTC

maintainer-needed mail sent to -dev

I'd be prepared to pick up the package and get it patched up and commited. Wont be done until Sunday/Monday (I'm moving house)

If someone else wants to jump in and do it instead thats fine with me.

Cheers
-Rob

Comment 6 Alec Warner (RETIRED) 2007-02-05 17:42:35 UTC

1.24 is masked, 1.23-r1 with the fix will be in the tree in a few hours

Comment 7 Alec Warner (RETIRED) 2007-02-06 16:15:06 UTC

1.23-r1 is in the tree.

Comment 8 Jakub Moc (RETIRED) 2007-02-07 09:05:46 UTC

(In reply to comment #7)
> 1.23-r1 is in the tree.

You didn't commit the patch so it fails... ;)

Comment 9 Daniel Black (RETIRED) 2007-02-07 09:21:15 UTC

patch is in the tree now too. Thanks analyzer on #gentoo-bugs for pointing it out.

Comment 10 Alec Warner (RETIRED) 2007-02-07 17:56:24 UTC

(In reply to comment #8)
> (In reply to comment #7)
> > 1.23-r1 is in the tree.
> 
> You didn't commit the patch so it fails... ;)
> 

No, I put the patch on the mirrors but failed to modify the ebuild because the patch is too big for the tree (>20k)

Comment 11 Raphael Marichez (Falco) (RETIRED) 2007-02-10 22:25:54 UTC

(In reply to comment #10)

> No, I put the patch on the mirrors but failed to modify the ebuild because the
> patch is too big for the tree (>20k)
> 

Hello Antarus,

Does that work actually ?

Comment 12 Raphael Marichez (Falco) (RETIRED) 2007-03-03 13:31:40 UTC

mmm, i can see that it has already been fixed in 1.23-r1 and already stable for a while.

Security team, glsa? The description is very weak:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0460

Comment 13 Matthias Geerdsen (RETIRED) 2007-03-05 21:12:49 UTC

tending to vote yes

Comment 14 Raphael Marichez (Falco) (RETIRED) 2007-03-09 22:32:25 UTC

security team please vote.

Personnally, i really don't know if a GLSA would be useful...

Comment 15 Pierre-Yves Rofes (RETIRED) 2007-03-12 09:54:46 UTC

tending to vote no here.

Comment 16 Matt Drew (RETIRED) 2007-03-14 02:17:35 UTC

This thing is basically taking raw packets from iptables' ULOG target and dumping them into a database, sorting by protocol type and a few other fields.  In other words, direct unfiltered user input.  I suspect the vulnerability they listed had to do with malformed packets causing the overflows.  It also looks like this thing runs as root (I emerged it and checked - root process, at least on my box). so I vote yes.

Comment 17 Sune Kloppenborg Jeppesen (RETIRED) 2007-03-14 07:34:25 UTC

I tend to vote YES as well.

Comment 18 Raphael Marichez (Falco) (RETIRED) 2007-03-18 21:54:41 UTC

GLSA 200701-17, thanks everybody