Re: [Linux] klogd 1.3-22 buffer overflow
Michal Zalewski (lcamtuf IDS.PL)
Sat, 12 Sep 1998 17:46:30 +0200
- Next message: Aleph One: "Update to Microsoft Security Bulletin (MS98-015)"
- Previous message: Phillip Vandry: "Re: KDE 1.0's klock can be used to gain root priveledges"
- In reply to: Martin Schulze: "Re: [Linux] klogd 1.3-22 buffer overflow"
- Next in thread: Mike: "Re: [Linux] klogd 1.3-22 buffer overflow"
On Tue, 17 Nov 1998, Martin Schulze wrote:

> I'm the co-maintainer of the Linux sysklogd package which contains the
> klogd program for which a buffer overrun has been reported last week.
>
> First of all I'd like to complain about two things:
>
> a) The reports weren't made against the current version of the
>    package. The source for it is well known on sunsite.unc.edu as
>    well as various mirrors.

Reported vulnerability is present in most of recent Linux distributions, including RH 5.x and Slackware 3.x, as stated in original post. I reported vulnerability in these distributions.

> I dare to say, but this bug was fixed *two* years ago:

Heh, see above. Problem is reproducible at least on RH/Slackware distributions with latest sysklogd packages. If this problem has been fixed two years ago - huh, vendors are dumb, or no one even heard about last two years...

_______________________________________________________________________
Michal Zalewski [lcamtufids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]