Bug 128960 - [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Wesley Shields
Reported: 2008-11-18 12:00 UTC by Eygene Ryabinkin
Modified: 2008-11-18 23:30 UTC
Description Eygene Ryabinkin 2008-11-18 12:00:09 UTC
It was discovered [1] that syslog-ng 2.0.9 does not call chdir() before
chroot(), so it effectively leaks syslog's startup directory into
the chrooted environment.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791

Fix: The following patch fixes the things:


This issue deserves the following VuXML entry:
  <vuln vid="">
    <topic>Syslog-ng -- startup directory leakage in the chroot environment</topic>
    <affects>
      <package>
	<name>syslog-ng2</name>
	<range><lt>2.0.9_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Florian Grandel reported through the Debian bug tracker
	that syslog-ng has a security vulnerability associated with
	the chroot() call.</p>
	<blockquote cite="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791">

	<p>I have not had the time to analyze all of syslog-ng code.
	But by reading the code section near the chroot call and looking
	at strace results I believe that syslog-ng does not chdir to the
	chroot jail's location before chrooting into it.</p>
	<p>This opens up ways to work around the chroot jail.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5110</cvename>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791</url>
      <url>http://www.openwall.com/lists/oss-security/2008/11/17/3</url>
    </references>
    <dates>
      <discovery>2008-11-15</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---

Attachment: 2.0.9_1-to-2.0.9_2-fix-CVE-2008-5110.diff

diff -urN ./Makefile ../syslog-ng2/Makefile
--- ./Makefile	2008-11-18 14:31:05.000000000 +0300
+++ ../syslog-ng2/Makefile	2008-11-18 14:31:15.000000000 +0300
@@ -7,7 +7,7 @@
 
 PORTNAME=	syslog-ng
 PORTVERSION=	2.0.9
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	sysutils
 MASTER_SITES=	http://www.balabit.com/downloads/files/syslog-ng/sources/2.0/src/
 PKGNAMESUFFIX=	2
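Review bot: PORTREVISION=2 here is what the <lt>2.0.9_2</lt> range in the proposed VuXML entry keys on, so the two have to be committed with matching values; if the revision changes at commit time, the range must change with it, otherwise installed 2.0.9_1 packages are either not flagged or the fixed package is flagged as vulnerable.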
diff -urN ./files/patch-CVE-2008-5110 ../syslog-ng2/files/patch-CVE-2008-5110
--- ./files/patch-CVE-2008-5110	1970-01-01 03:00:00.000000000 +0300
+++ ../syslog-ng2/files/patch-CVE-2008-5110	2008-11-18 14:40:00.000000000 +0300
@@ -0,0 +1,22 @@
+Patch for CVE-2008-5110
+
+Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=14;mbox=yes;bug=505791
+Note: was not able to cleanly apply the original patch, so it was recreated
+      by hand using the original submission contents
+
+--- src/main.c.orig	2008-03-23 23:35:27.000000000 +0300
++++ src/main.c	2008-11-18 14:38:13.000000000 +0300
+@@ -275,6 +275,13 @@
+ {
+   if (chroot_dir) 
+     {
++      if (chdir(chroot_dir) < 0)
++        {
++          msg_error("Error during chdir() before chroot()",
++                    evt_tag_errno(EVT_TAG_OSERROR, errno),
++                    NULL);
++          return 0;
++        }
+       if (chroot(chroot_dir) < 0) 
+ 	{
+ 	  msg_error("Error during chroot()",
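Review bot: in the src/main.c change, chroot(chroot_dir) is still called with the original string after chdir(chroot_dir) has succeeded, so a relative chroot_dir gets resolved a second time from inside the new working directory and the chroot() either fails or targets a nested path. Passing "." to chroot() after the chdir(), or rejecting a non-absolute chroot_dir up front, removes that dependency. The new file is also named patch-CVE-2008-5110, while the commit recorded in Comment 6 carries it as patch-src_main.c; naming it after the patched source file from the start saves the committer a rename.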
How-To-Repeat: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791
http://www.openwall.com/lists/oss-security/2008/11/17/3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5110

Please note that CVE-2008-5110 is "too new" now -- the ID was just created
and no entry seems to have been uploaded to cve.mitre.org yet.
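
The chdir-before-chroot ordering described in this report, written out as a stand-alone C routine. This is an added example, not code from syslog-ng or from the port's patch; enter_jail() and cwd_is_reachable() are hypothetical names, and the example goes one step further than the patch by using chroot(".") and checking the working directory afterwards.

```c
#define _DEFAULT_SOURCE   /* exposes chroot() on glibc */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 1 if the working directory resolves under the current root, else 0.
 * With a cwd left outside the root, getcwd() fails or (on Linux) can
 * return a non-absolute "(unreachable)..." string. */
int cwd_is_reachable(void)
{
    char buf[PATH_MAX];
    if (getcwd(buf, sizeof buf) == NULL)
        return 0;
    return buf[0] == '/';
}

/* Hypothetical helper: 0 on success, -1 with errno set on failure.
 * Fails closed; the caller must exit rather than run unjailed. */
int enter_jail(const char *dir)
{
    if (dir == NULL || dir[0] != '/') {  /* absolute paths only */
        errno = EINVAL;
        return -1;
    }
    if (chdir(dir) < 0)      /* step into the jail before changing root */
        return -1;
    if (chroot(".") < 0)     /* root becomes the directory we stand in */
        return -1;
    if (chdir("/") < 0)      /* normalise cwd to the new root */
        return -1;
    if (!cwd_is_reachable()) {  /* post-condition: cwd is inside the root */
        errno = ENOENT;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2 || enter_jail(argv[1]) < 0) {
        fprintf(stderr, "enter_jail: %s\n",
                argc == 2 ? strerror(errno) : "usage: prog /abs/jail/dir");
        return 1;
    }
    puts("chrooted; cwd is /");
    return 0;
}
```

A successful run needs root privileges, since chroot() is refused otherwise; the rejection paths can be exercised as an ordinary user.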
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-11-18 12:00:28 UTC
Maintainer of sysutils/syslog-ng2,

Please note that PR ports/128960 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128960

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2008-11-18 12:00:30 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 3 ivan.lago 2008-11-18 13:29:01 UTC
Patch approved, please commit
Comment 4 Wesley Shields freebsd_committer freebsd_triage 2008-11-18 15:01:32 UTC
Responsible Changed
From-To: freebsd-ports-bugs->wxs

I'll take it.
Comment 5 dfilter service freebsd_committer freebsd_triage 2008-11-18 23:07:24 UTC
wxs         2008-11-18 23:07:15 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  Document syslog-ng2 chroot vulnerability.
  
  PR:             ports/128960
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  Reviewed by:    tabthorpe
  
  Revision  Changes    Path
  1.1756    +32 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 6 dfilter service freebsd_committer freebsd_triage 2008-11-18 23:21:23 UTC
wxs         2008-11-18 23:21:09 UTC

  FreeBSD ports repository

  Modified files:
    sysutils/syslog-ng2  Makefile 
  Added files:
    sysutils/syslog-ng2/files patch-src_main.c 
  Log:
  Add patch to fix chroot vulnerability.
  
  PR:             ports/128960
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  Approved by:    Ivan Lago <ivan.lago@ifom-ieo-campus.it> (maintainer)
  Security:       http://www.vuxml.org/freebsd/75f2382e-b586-11dd-95f9-00e0815b8da8.html
  
  Revision  Changes    Path
  1.12      +4 -5      ports/sysutils/syslog-ng2/Makefile
  1.1       +22 -0     ports/sysutils/syslog-ng2/files/patch-src_main.c (new)
Comment 7 Wesley Shields freebsd_committer freebsd_triage 2008-11-18 23:21:34 UTC
State Changed
From-To: feedback->closed

Committed, with minor changes. Thanks!