Bug 387397 (CVE-2011-3626) - <app-admin/logsurfer+-1.8 Double-free Vulnerability (CVE-2011-3626)
Summary: <app-admin/logsurfer+-1.8 Double-free Vulnerability (CVE-2011-3626)
Status: RESOLVED FIXED
Alias: CVE-2011-3626
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-17 11:25 UTC by Sean Amoss
Modified: 2012-02-21 03:57 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sean Amoss gentoo-dev Security 2011-10-17 11:25:52 UTC
From CVE request at $URL:

Gregor Kopf of Recurity Labs GmbH found a double-free vulnerability in
Logsurfer affecting the function prepare_exec(). The vulnerability is caused by
an insufficient treatment of an error condition that is returned by the
function get_word() when it is unable to correctly parse its input.

The following versions of logsurfer are affected:

 Logsurfer 1.5b and previous versions
 Logsurfer+ 1.7 and previous versions

A patch is available at http://logsurfer.git.sourceforge.net/git/gitweb.cgi?p=logsurfer/logsurfer;a=commit;h=07983748da9ea3d4954b80f02fed692fe21b1134
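The error-path mistake the report describes, as a constructed illustration added here (not Logsurfer's code and not the linked patch): a get_word() that frees its own buffer when it cannot parse its input, and a prepare_exec() whose cleanup loop frees that buffer a second time. A small free-ledger plays the role of glibc's double-free check so the vulnerable and fixed cleanup can be compared without aborting; the function names are taken from the report, the quoted-word syntax and the rest are assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Free-ledger standing in for glibc's "double free or corruption" abort:
 * it remembers freed pointers and counts a second free instead of crashing. */
static void *freed_log[64];
static int nfreed, double_frees;
static void *tracked_malloc(size_t n) {
    void *p = malloc(n);                 /* address may be reused: drop it from the log */
    for (int i = 0; i < nfreed; i++)
        if (freed_log[i] == p) { freed_log[i] = freed_log[--nfreed]; break; }
    return p;
}
static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < nfreed; i++)
        if (freed_log[i] == p) { double_frees++; return; }   /* second free: record it */
    if (nfreed < 64) freed_log[nfreed++] = p;
    free(p);
}
int double_free_count(void) { return double_frees; }
/* Constructed get_word(), not Logsurfer's: copies one "quoted" word into a fresh
 * buffer; on a parse error it releases that buffer itself and returns -1. */
static int get_word(const char **line, char **out) {
    const char *s = *line, *end = (*s == '"') ? strchr(s + 1, '"') : NULL;
    *out = tracked_malloc(64);
    if (end == NULL || end - s - 1 >= 64) {   /* unterminated or oversized word */
        tracked_free(*out);                   /* callee already cleaned up ... */
        return -1;                            /* ... but *out still points at it */
    }
    memcpy(*out, s + 1, end - s - 1);
    (*out)[end - s - 1] = '\0';
    *line = end + 1;
    return 0;
}
/* Collects argv for an exec rule. The error path is the bug class in the report:
 * the vulnerable cleanup also frees argv[argc], which get_word released already. */
int prepare_exec(const char *line, int fixed) {
    char *argv[8]; int argc = 0;
    while (*line == ' ') line++;
    while (*line != '\0' && argc < 8) {
        if (get_word(&line, &argv[argc]) < 0) {
            int last = fixed ? argc : argc + 1;   /* fixed: free only parsed words */
            for (int i = 0; i < last; i++) tracked_free(argv[i]);
            return -1;
        }
        argc++; while (*line == ' ') line++;
    }
    for (int i = 0; i < argc; i++) tracked_free(argv[i]);   /* exec would happen here */
    return argc;
}
```

Under a real allocator the vulnerable path ends in the glibc abort seen later in this bug; under ASan it is reported as an attempted double free with both free sites.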
Comment 1 MATSUU Takuto (RETIRED) gentoo-dev 2011-10-23 23:08:41 UTC
1.8 in cvs.
please mark stable app-admin/logsurfer+-1.8.
Comment 2 Sean Amoss gentoo-dev Security 2011-10-23 23:29:11 UTC
Thanks.

Arches, please test and mark stable:
=app-admin/logsurfer+-1.8
Target KEYWORDS="amd64 x86"
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2011-10-24 06:14:55 UTC
amd64;

all ok but for

archtester xen-tools # /etc/init.d/logsurfer stop
 * Stopping logsurfer ...
 * start-stop-daemon: fopen `/var/run/logsurfer.pid': No such file or directo [ ok ]

Do you call this a bug?
Comment 4 Agostino Sarubbo gentoo-dev 2011-10-24 21:48:55 UTC
(In reply to comment #3)
> Do you call this a bug?

Yep, it does not create a pid file and the program is not running, imho.


amd64box ~ # /etc/init.d/logsurfer start
logsurfer | * Caching service dependencies ...  [ ok ]
logsurfer | * Starting logsurfer ...  [ ok ]

amd64box ~ # ps aux | grep logs
root     14997  0.0  0.0   6288   576 pts/0    S+   23:47   0:00 grep --colour=auto logs
Comment 5 Michael Harrison 2011-11-11 15:21:46 UTC
Ditto Agostino and Ian
Comment 6 MATSUU Takuto (RETIRED) gentoo-dev 2011-11-11 16:45:52 UTC
sorry for delay.
1.8-r1 in cvs. Could you test it?
Comment 7 Agostino Sarubbo gentoo-dev 2011-11-11 18:38:06 UTC
(In reply to comment #6)
> sorry for delay.
> 1.8-r1 in cvs. Could you test it?

amd64box ~ # /etc/init.d/logsurfer start
logsurfer | * Caching service dependencies ...  [ ok ]
logsurfer | * /var/run/logsurfer.pid: creating file
logsurfer | * checkpath: correcting mode
logsurfer | * /var/run/logsurfer.pid: correcting owner
logsurfer | * Starting logsurfer ...
logsurfer          |error in match_not_regex of rule: BZh91AY&SY��&�_o߀P0|����������`��/`;��D�
logsurfer          |config error arround line 2: BZh91AY&SY��&�_o߀P0|����������`��/`;��D�
logsurfer | * start-stop-daemon: failed to start `/usr/bin/logsurfer'
logsurfer | * Failed to start logsurfer  [ !! ]
logsurfer | * ERROR: logsurfer failed to start
Comment 8 MATSUU Takuto (RETIRED) gentoo-dev 2011-11-12 02:03:23 UTC
I guess that it has some compatibility issue between 1.7 and 1.8.
Could you put your logsurfer.conf here?
Comment 9 Agostino Sarubbo gentoo-dev 2011-11-12 10:28:45 UTC
Probably it's my bad; can you attach a valid conf here?
Comment 10 MATSUU Takuto (RETIRED) gentoo-dev 2011-11-12 11:00:55 UTC
You can get some samples from upstream git tree.
git clone git://logsurfer.git.sourceforge.net/gitroot/logsurfer/config-examples
http://logsurfer.git.sourceforge.net/git/gitweb.cgi?p=logsurfer/config-examples;a=summary
Comment 11 Michael Harrison 2011-11-12 12:16:51 UTC
I actually used a blank logsurfer.conf
Comment 12 Agostino Sarubbo gentoo-dev 2011-11-12 12:42:41 UTC
well, ok for me on amd64.
Comment 13 Michael Harrison 2011-11-12 13:07:47 UTC
With this as my /etc/logsurfer.conf
'.*' - - - 0 exec "/bin/echo $0"

Output to the console stalled about one out of five times, and upon ^C received:

^Cexiting program - please wait...
dumping state to /dev/null
sending timeout to contexts...
cleaning up memory...
*** glibc detected *** logsurfer: double free or corruption (fasttop): 0x0000000000613fa0 ***
Aborted
Comment 14 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-11-13 02:42:05 UTC
amd64: pass
Comment 15 Myckel Habets 2011-11-14 14:24:05 UTC
Builds and runs fine on x86. Please mark stable for x86.
Comment 16 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-11-17 18:52:55 UTC
x86 stable
Comment 17 Markos Chandras (RETIRED) gentoo-dev 2011-11-19 09:58:41 UTC
amd64 done. Thanks Agostino, Ian, Elijah and Michael
Comment 18 Sean Amoss gentoo-dev Security 2011-11-19 12:43:25 UTC
Thanks everyone. GLSA request filed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2012-01-20 20:50:31 UTC
This issue was resolved and addressed in
 GLSA 201201-04 at http://security.gentoo.org/glsa/glsa-201201-04.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 03:57:48 UTC
CVE-2011-3626 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3626):
  Double free vulnerability in the prepare_exec function in src/exec.c in
  Logsurfer 1.5b and earlier, and Logsurfer+ 1.7 and earlier, allows remote
  attackers to execute arbitrary commands via crafted strings in a log file.