|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Robert Buchholz (rbu
gentoo.org)
Date: Sun Jul 12 2009 - 12:42:50 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200907-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Syslog-ng: Chroot escape
Date: July 12, 2009
Bugs: #247278
ID: 200907-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Syslog-ng does not properly initialize its chroot jail allowing for an
escape if a separate vulnerability in Syslog-ng is exploited.
Background
==========
Syslog-ng is a flexible and scalable system logger.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-admin/syslog-ng < 2.1.3 *>= 2.0.10
>= 2.1.3
Description
===========
Florian Grandel reported that Syslog-ng does not call chdir() before
chroot() which leads to an inherited file descriptor to the current
working directory.
Impact
======
A local attacker might exploit a separate vulnerability in Syslog-ng
and use this vulnerability to escape the chroot jail.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Syslog-ng 2.0 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-2.0.10"
All Syslog-ng 2.1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-2.1.3"
References
==========
[ 1 ] CVE-2008-5110
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5110
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200907-10.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
iQIcBAABCAAGBQJKWiCcAAoJECaaHo/OfoM5zG4P/iLRe3AzkN88l1RAZ7i1nWb9
zVNmjs6y7Vly+IETamOH8DpYkbo3MC+yzhCsKyBRq00cSfd5SLtQjigi2xAcqyi+
yVLtECw9xsIG7dOy0Rm9UH0i7dM0FwYeK9xA40xQSNvohttUX7iL8bj/5W3JGzTP
fwOToL/gRlp0enwmFDWL4xgrVEEkgskG0+GGBos3EeCCVNX6vTzL4kkGTBHuvV0q
/iHVbAWqBJbTFNklm0xA8qHNQQ/C8vYMN7NpBCOWMsajqXcoTWcU0V9b6jiKMjee
1V0BRnYFPHedjZUnIimQdZ8CK6nr88J/uZZZiMNB4DZB+d1VJdrchB3NgMJkiMJh
MoZPJtl2FcyQXPd7y8/UBmWAqt5B+d5Y0UXCw/UETuj/c11nL7RFVPAIl6eDlh30
Iu6QEmIYRGPfj9ftxraLIbEw5FI3hXhPeLoQguVsXuHF6W5aIdVSpvNdWFz+DjFK
YRKuXGMJt82GkKVx7H1bWqM6RXbUDnc1DlsDI5fMYxvq3Go35kdkVo2svb/rwguN
sdWidmj+Exfa4gNYTC+w9RktXEDvQPM3MR8Wloe+XURhPaj4KANnNc2y8h4TQFuT
MWOJDDme97utttcAPESNSDkisGXwuoKZL6I4K2ntAhaUoFr9fqXQQ3KCtosrMhYh
2ep/9fgvFCp6eQInFXI+
=8TqN
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]