SUSE patched ulogd buffer handling etc. Haven't had time to look at the bug so I'm filing it under auditing for now.
Created attachment 106787
maintainer needed :(
- ulogd potential buffer overflows
The ulogd logging daemon was updated to fix a potential buffer
overflow due to improper string length calculations.
SUSE Linux 9.3 up to 10.1 and openSUSE 10.2 were affected and fixed.
A vulnerability with an unknown impact has been reported in ulogd.
The vulnerability is caused due to an unspecified error during the calculation of string lengths and can potentially be exploited to cause a buffer overflow.
Due to limited information about this issue, a proper solution cannot be suggested.
maintainer-needed mail sent to -dev
I'd be prepared to pick up the package and get it patched up and committed. Won't be done until Sunday/Monday (I'm moving house).
If someone else wants to jump in and do it instead, that's fine with me.
1.24 is masked, 1.23-r1 with the fix will be in the tree in a few hours
1.23-r1 is in the tree.
(In reply to comment #7)
> 1.23-r1 is in the tree.
You didn't commit the patch so it fails... ;)
patch is in the tree now too. Thanks analyzer on #gentoo-bugs for pointing it out.
(In reply to comment #8)
> (In reply to comment #7)
> > 1.23-r1 is in the tree.
> You didn't commit the patch so it fails... ;)
No, I put the patch on the mirrors but failed to modify the ebuild because the patch is too big for the tree (>20k)
(In reply to comment #10)
> No, I put the patch on the mirrors but failed to modify the ebuild because the
> patch is too big for the tree (>20k)
Does that actually work?
mmm, I can see that it has already been fixed in 1.23-r1 and already stable for a while.
Security team, glsa? The description is very weak:
tending to vote yes
security team please vote.
Personally, I really don't know if a GLSA would be useful...
tending to vote no here.
This thing is basically taking raw packets from iptables' ULOG target and dumping them into a database, sorting by protocol type and a few other fields. In other words, direct unfiltered user input. I suspect the vulnerability they listed had to do with malformed packets causing the overflows. It also looks like this thing runs as root (I emerged it and checked - root process, at least on my box). So I vote yes.
I tend to vote YES as well.
GLSA 200701-17, thanks everybody