Bug 247278 (CVE-2008-5110) - <app-admin/syslog-ng-2.1.3 no chdir() before chroot() (CVE-2008-5110)
Summary: <app-admin/syslog-ng-2.1.3 no chdir() before chroot() (CVE-2008-5110)
Alias: CVE-2008-5110
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Reported: 2008-11-17 22:04 UTC by stupendoussteve
Modified: 2009-07-12 17:51 UTC (History)
Description stupendoussteve 2008-11-17 22:04:14 UTC
Syslog-ng does not call chdir() before chroot() which may allow the application to break out of a chroot jail.

CVE is new and has not yet been uploaded.

Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-22 19:00:54 UTC
Seems this bug has been overlooked for some time.

I just investigated this issue. Here are my results:

Debian's patch suggests using chdir(chroot_dir) and then chroot(chroot_dir). The thread on openwall linked in comment #0, however, raises some concerns about race conditions and suggests using either chdir(chroot_dir) and then chroot("."), or chroot(chroot_dir) first and then chdir("/"). Upstream used the latter approach and also solved all the other concerns raised in the openwall thread.

This leads us to the fixed versions:
2.0.* until 2.0.9 is vulnerable, 2.0.10 is fixed.
2.1.* until 2.1.2 is vulnerable, 2.1.3 is fixed.

2.1.3 is already stable on all arches, so no stabilization needs to be done here. Since the issue at hand is only exploitable with another separate vulnerability, I don't think a GLSA is necessary. In fact, I wasn't even able to find a detailed (upstream) advisory about this.
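The two safe call orders discussed in comment 1, as an added illustration in C (this is not syslog-ng's code; the `/var/empty` default and the function names are assumptions):

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The bug: chroot(jail) with no chdir() at all. The process root moves
 * into the jail but the working directory stays where it was, outside,
 * so relative paths keep resolving against the old tree. Shown only as
 * a comment so this file never performs the broken sequence:
 *
 *     chroot(jail);   // root moves, cwd does not
 */

/* Order used upstream in the fix: chroot() first, then chdir("/").
 * "/" now names the jail itself, so no second lookup of `jail` happens
 * that could race against the directory being renamed or replaced.
 * Returns 0 on success, -1 with errno set otherwise. */
int enter_chroot(const char *jail)
{
    if (chroot(jail) != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;          /* must be fatal; never run on with cwd outside */
    return 0;
}

/* The other safe order from the openwall thread: chdir() into the jail,
 * then chroot("."), so both calls act on the same directory object. */
int enter_chroot_via_cwd(const char *jail)
{
    if (chdir(jail) != 0)
        return -1;
    if (chroot(".") != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/empty";  /* assumed path */
    char cwd[256];
    if (enter_chroot(jail) != 0) {
        fprintf(stderr, "enter_chroot(%s): %s\n", jail, strerror(errno));
        return 1;           /* EPERM unless run as root */
    }
    /* Inside the jail the working directory is now "/", nothing else. */
    printf("entered jail, cwd=%s\n", getcwd(cwd, sizeof cwd) ? cwd : "?");
    return 0;
}
```

Run as root with a jail directory argument to see the working directory report as `/`; as an unprivileged user chroot() fails with EPERM and the program exits instead of continuing outside the jail.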
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 11:11:22 UTC
Not a vulnerability in itself, but this is a high profile daemon and bringing visibility to this kind of vulnerability is a good thing.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-07-12 17:51:37 UTC
GLSA 200907-10