From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Nov 18 12:00:11 2008 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E95FF10656B1; Tue, 18 Nov 2008 12:00:10 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 8CE7D8FC0C; Tue, 18 Nov 2008 12:00:10 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mAIC0AEX036476; Tue, 18 Nov 2008 12:00:10 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mAIC09id036474; Tue, 18 Nov 2008 12:00:09 GMT (envelope-from gnats) Resent-Date: Tue, 18 Nov 2008 12:00:09 GMT Resent-Message-Id: <200811181200.mAIC09id036474@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Cc: freebsd-security@freebsd.org, ivan.lago@ifom-ieo-campus.it Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org, Eygene Ryabinkin Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 86AF8106564A for ; Tue, 18 Nov 2008 11:59:59 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 3B4748FC26 for ; Tue, 18 Nov 2008 11:59:59 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from shadow.codelabs.ru (shadow.codelabs.ru [144.206.177.8]) by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256) id 1L2PFO-0006wt-6T for FreeBSD-gnats-submit@freebsd.org; Tue, 18 Nov 2008 14:59:58 +0300 Received: by shadow.codelabs.ru (Postfix, from userid 1001) id E4FB717116; Tue, 18 Nov 2008 14:59:57 +0300 (MSK) Message-Id: <20081118115957.E4FB717116@shadow.codelabs.ru> Date: Tue, 18 Nov 2008 14:59:57 +0300 (MSK) From: Eygene Ryabinkin To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 X-GNATS-Notify: freebsd-security@freebsd.org, ivan.lago@ifom-ieo-campus.it Cc: Subject: ports/128960: [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2 X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Eygene Ryabinkin List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2008 12:00:11 -0000 >Number: 128960 >Category: ports >Synopsis: [patch] [vuxml] fix chroot issue in the sysutils/syslog-ng2 >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Nov 18 12:00:09 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.1-PRERELEASE amd64 >Organization: Code Labs >Environment: System: FreeBSD 7.1-PRERELEASE amd64 >Description: It was discovered [1] that syslog-ng 2.0.9 does not call chdir() before chroot, so this effectively leaking the syslog's startup directory to the chrooted environment. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791 >How-To-Repeat: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791 http://www.openwall.com/lists/oss-security/2008/11/17/3 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5110 Please, note that CVE-2008-5110 is "too new" now -- ID was just created and no entry seem to be uploaded to the cve.mitre.org yet. >Fix: The following patch fixes the things: --- 2.0.9_1-to-2.0.9_2-fix-CVE-2008-5110.diff begins here --- diff -urN ./Makefile ../syslog-ng2/Makefile --- ./Makefile 2008-11-18 14:31:05.000000000 +0300 +++ ../syslog-ng2/Makefile 2008-11-18 14:31:15.000000000 +0300 @@ -7,7 +7,7 @@ PORTNAME= syslog-ng PORTVERSION= 2.0.9 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= sysutils MASTER_SITES= http://www.balabit.com/downloads/files/syslog-ng/sources/2.0/src/ PKGNAMESUFFIX= 2 diff -urN ./files/patch-CVE-2008-5110 ../syslog-ng2/files/patch-CVE-2008-5110 --- ./files/patch-CVE-2008-5110 1970-01-01 03:00:00.000000000 +0300 +++ ../syslog-ng2/files/patch-CVE-2008-5110 2008-11-18 14:40:00.000000000 +0300 @@ -0,0 +1,22 @@ +Patch for CVE-2008-5110 + +Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=14;mbox=yes;bug=505791 +Note: was not able to cleanly apply the original patch, so it was recreated + by hand using the original submission contents + +--- src/main.c.orig 2008-03-23 23:35:27.000000000 +0300 ++++ src/main.c 2008-11-18 14:38:13.000000000 +0300 +@@ -275,6 +275,13 @@ + { + if (chroot_dir) + { ++ if (chdir(chroot_dir) < 0) ++ { ++ msg_error("Error during chdir() before chroot()", ++ evt_tag_errno(EVT_TAG_OSERROR, errno), ++ NULL); ++ return 0; ++ } + if (chroot(chroot_dir) < 0) + { + msg_error("Error during chroot()", --- 2.0.9_1-to-2.0.9_2-fix-CVE-2008-5110.diff ends here --- This issue deserves the following VuXML entry: --- vuln.xml begins here --- Syslog-ng -- startup directory leakage in the chroot environment syslog-ng2 2.0.9_2

Florian Grandel had reported through the Debian bug tracker that syslong-ng has the security vulnerability associated with the chroot() call.

I have not had the time to analyze all of syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail's location before chrooting into it.

This opens up ways to work around the chroot jail.

 CVE-2008-5110 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791 http://www.openwall.com/lists/oss-security/2008/11/17/3 2008-11-15 --- vuln.xml ends here --- >Release-Note: >Audit-Trail: >Unformatted: