Commit Graph

91 Commits

Author SHA1 Message Date
Joey Schulze
1836e84e94 Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>
Added boundary check for fscanf() in InitKsyms() and CheckMapVersion()
to prevent an unintended crash when reading an incorrect System.map.

Hello,

I have discovered a potential crash bug in sysklogd. The klogd daemon
doesn't handle really malformed System.map files very well. It has
two fscanf() calls with "%s" format strings that store to char
sym[512] arrays. This causes a crash if the string field in the
file is longer than that.

Despite being a buffer overflow, this is not a security problem, as
only root can change the System.map file. Nevertheless, I think it
is worth fixing, as the Right Thing for a program should be not to
assume anything about its input and to handle various problems well.
2004-07-16 06:48:27 +00:00
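An added example of the bounded read this commit describes (my own illustration, not sysklogd's code). The `address type symbol` record layout is the real System.map format; the map image, the 600-byte symbol and the function names are constructed for the demo. `%511s` caps the token at `SYM_MAX - 1` bytes, and the rest of the line is drained so a truncated tail cannot be re-parsed as the next record.

```c
/* Added example, not sysklogd code: bounded fscanf() of System.map records. */
#include <stdio.h>
#include <string.h>

#define SYM_MAX 512

/* Read one "<hex address> <type> <symbol>" record into sym[SYM_MAX].
 * "%511s" stops at SYM_MAX-1 bytes and leaves room for the NUL; a bare
 * "%s" would write past sym[] on an over-long symbol. Whatever is left
 * on the line (the truncated tail, or junk) is discarded so it is never
 * parsed as the next record. Returns 1 if a full record was read. */
int read_map_record(FILE *fp, unsigned long *addr, char *type, char sym[SYM_MAX])
{
    int n = fscanf(fp, "%lx %c %511s", addr, type, sym);
    int c;

    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;
    return n == 3;
}

/* Parse a whole map image (loaded into a tmpfile() so the demo needs no
 * real System.map). Returns the number of records read, or -1 on setup
 * failure; *longest gets the longest symbol length seen, which can never
 * exceed SYM_MAX-1 regardless of the input. */
int parse_map_image(const char *image, size_t *longest)
{
    FILE *fp = tmpfile();
    unsigned long addr;
    char type, sym[SYM_MAX];
    int count = 0;

    *longest = 0;
    if (fp == NULL)
        return -1;
    fwrite(image, 1, strlen(image), fp);
    rewind(fp);
    while (!feof(fp)) {
        if (read_map_record(fp, &addr, &type, sym)) {
            size_t len = strlen(sym);
            count++;
            if (len > *longest)
                *longest = len;
        }
    }
    fclose(fp);
    return count;
}

/* Constructed sample: a sane record, a record whose symbol is 600 bytes
 * (enough to overflow sym[512] under "%s"), and a sane record after it. */
const char *sample_map_image(void)
{
    static char image[1024];
    size_t pos = 0;

    pos += (size_t)snprintf(image + pos, sizeof image - pos, "c0100000 T startup_32\n");
    pos += (size_t)snprintf(image + pos, sizeof image - pos, "c0100040 t ");
    memset(image + pos, 'x', 600);
    pos += 600;
    snprintf(image + pos, sizeof image - pos, "\nc0101000 T do_something\n");
    return image;
}

int main(void)
{
    size_t longest;
    int n = parse_map_image(sample_map_image(), &longest);

    printf("%d records parsed, longest symbol %zu bytes\n", n, longest);
    return 0;
}
```

All three records come back; the over-long one is truncated to 511 bytes instead of crashing the reader, and the record after it is still parsed correctly because the tail was drained.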
Joey Schulze
3bd7b6cfb1 Documentation improvement 2004-07-09 17:33:32 +00:00
Joey Schulze
7740dfd410 Documentation improvements by Greg Trounson <gregt@maths.otago.ac.nz> 2004-07-09 17:22:29 +00:00
Joey Schulze
a09b9865cc Adjust the size of a variable to prevent a buffer overflow
should _PATH_DEV ever contain something different than "/dev/".
2004-05-04 14:52:56 +00:00
Joey Schulze
4205dbebda Minor corrections 2004-05-04 14:50:18 +00:00
Joey Schulze
3ee89e2c0b Patch: sysklogd-1.4.1-owl-longjmp.diff from Openwall
From: Solar Designer <solar@openwall.com>

1. Ensures that "len" is not placed in a register and as such can't be
clobbered by longjmp().  With the particular code, it does not really
matter whether it is clobbered or not, but this avoids the gcc warning.

2. Makes endtty() the signal handler only after the variable that
function uses is initialized.  In the original code, the signal
handler was setup too early and if there would be SIGALRM before
control reaches setjmp(), syslogd would segfault (if not worse).

Basically, this is a minor correctness patch.
2004-05-04 14:49:23 +00:00
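An added example of the two rules the Openwall patch relies on (my own illustration, not the patch or sysklogd's code): the value touched between `sigsetjmp()` and `siglongjmp()` is declared `volatile`, and the handler is installed only after the jump buffer is valid, with an `env_ready` flag guarding the early-signal case. `SIGALRM` is raised synchronously here so the demo is deterministic; the function names and the "42 bytes written" value are made up.

```c
/* Added example, not sysklogd code: setjmp/longjmp ordering and volatile. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>

static sigjmp_buf env;
static volatile sig_atomic_t env_ready;   /* set only after sigsetjmp() */
static struct sigaction old_sa;           /* static: survives siglongjmp() */

/* Handler. Jumps back only when env is known to be valid; a signal that
 * arrives before sigsetjmp() is dropped rather than jumping into an
 * uninitialised jmp_buf (the segfault the patch describes). */
static void on_alarm(int sig)
{
    (void)sig;
    if (env_ready)
        siglongjmp(env, 1);
}

/* A write that may be cut short by the alarm. Returns the byte count,
 * negated if the alarm interrupted it. len is volatile so its latest
 * value is guaranteed visible after siglongjmp(); a register copy could
 * be stale, which is the "not placed in a register" point above. */
int guarded_write(int simulate_alarm)
{
    volatile int len = 0;
    struct sigaction sa;

    if (sigsetjmp(env, 1) != 0) {
        /* Landed here from on_alarm(): tear down and report. */
        env_ready = 0;
        sigaction(SIGALRM, &old_sa, NULL);
        return -len;
    }

    /* Only now is env initialised, so only now install the handler. */
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGALRM, &sa, &old_sa);
    env_ready = 1;

    len = 42;                 /* pretend 42 bytes went out... */
    if (simulate_alarm)
        raise(SIGALRM);       /* ...and then the alarm fires */

    env_ready = 0;
    sigaction(SIGALRM, &old_sa, NULL);
    return len;
}

/* The guard at work: SIGALRM delivered while env_ready == 0 (handler
 * installed, sigsetjmp() not yet reached) is ignored. Returns 1 if the
 * process survives it. */
int early_alarm_is_ignored(void)
{
    struct sigaction sa;

    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    env_ready = 0;
    sigaction(SIGALRM, &sa, &old_sa);
    raise(SIGALRM);
    sigaction(SIGALRM, &old_sa, NULL);
    return 1;
}

int main(void)
{
    printf("no alarm: %d, alarm: %d, early alarm survived: %d\n",
           guarded_write(0), guarded_write(1), early_alarm_is_ignored());
    return 0;
}
```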
Joey Schulze
dcef709022 Patch by Dmitry V. Levin <ldv@altlinux.org>
Close file descriptor in FindSymbolFile() in order not to leak file
  descriptors.
2004-04-29 16:10:10 +00:00
Joey Schulze
ce4a02cbe7 Prevent potential buffer overflow in reading messages from the
kernel log ringbuffer.
2004-04-29 13:29:03 +00:00
Joey Schulze
14fb61b562 Distinguish between MAN_OWNER and MAN_GROUP, introduce MAN_PERMS and
also $(prefix) for convenience
2004-04-29 11:04:03 +00:00
Joey Schulze
e9c3de7bfd From Openwalls: needs to be a USER_PROCESS 2004-04-29 10:58:40 +00:00
Joey Schulze
669d9991b7 Applied Openwall paranoia patches to improve crunch_list(). 2004-04-29 10:39:55 +00:00
Joey Schulze
d7a30653a9 Adjusted the symbol size since on non-32bit architectures a long may
be longer than 4 bytes
2004-04-29 10:11:03 +00:00
Joey Schulze
e5a3bfae19 Added Steve 2004-04-17 16:07:21 +00:00
Joey Schulze
2961c7b794 Patch by Steve Grubb <linux_4ever@yahoo.com> to correct memory calculation 2004-04-17 16:06:16 +00:00
Joey Schulze
962c1cdd2e Added a private module.h with extracted data from Linux 2.2 to replace
<linux/module.h> which creates a number of parse errors.
2004-03-31 15:47:08 +00:00
Joey Schulze
a4f715ed8c Updated the changelog file to reflect most recent changes 2003-09-29 17:47:51 +00:00
Joey Schulze
ae499acae2 Moved the installation of the signal handler up a little bit so it is
guaranteed to be available when the child is forked, hence, fixing a
race condition.  This used to create problems with UML and fast
machines.  Thanks to Jon Burgess <Jon_Burgess@eur.3com.com>
2003-09-28 10:26:22 +00:00
Joey Schulze
deeeb65d2b Improved documentation 2003-09-28 02:51:38 +00:00
Joey Schulze
071356e5d6 Whoops, looks like O_TRUNC was missing when opening the file,
increasing the chance of left-overs from older pid contents in the
file.
2003-09-28 02:38:18 +00:00
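An added example of what the missing `O_TRUNC` costs (my own illustration, not sysklogd's code). The pid file is written the way the commit implies, as `"%d\n"`; the temporary path and the pids 12345 and 987 are constructed. The security-relevant check is the token count: `kill -HUP $(cat pidfile)` expands every token in the file, so a stale tail becomes a signal to an unrelated process.

```c
/* Added example, not sysklogd code: stale pid file contents without O_TRUNC. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Write "<pid>\n" to path. truncate == 0 reproduces the buggy open():
 * an existing longer file keeps its tail after the new, shorter pid. */
int write_pidfile(const char *path, long pid, int truncate)
{
    char buf[32];
    int flags = O_WRONLY | O_CREAT | (truncate ? O_TRUNC : 0);
    int fd, len;
    ssize_t w;

    fd = open(path, flags, 0644);
    if (fd < 0)
        return -1;
    len = snprintf(buf, sizeof buf, "%ld\n", pid);
    w = write(fd, buf, (size_t)len);
    close(fd);
    return w == len ? 0 : -1;
}

/* Count whitespace-separated tokens: what "$(cat pidfile)" expands to.
 * More than one token means a signal aimed at some other process. */
int count_pid_tokens(const char *path)
{
    FILE *fp = fopen(path, "r");
    char tok[64];
    int n = 0;

    if (fp == NULL)
        return -1;
    while (fscanf(fp, "%63s", tok) == 1)
        n++;
    fclose(fp);
    return n;
}

/* Demo: a previous instance left pid 12345; the new one writes pid 987.
 * Returns the token count afterwards (2 without O_TRUNC, 1 with), or -1
 * on setup failure. Uses a temp file under /tmp (assumed writable). */
int demo_pidfile(int truncate)
{
    char path[] = "/tmp/pidfile-demo-XXXXXX";
    int fd = mkstemp(path), n;

    if (fd < 0)
        return -1;
    close(fd);
    if (write_pidfile(path, 12345, 1) != 0 ||
        write_pidfile(path, 987, truncate) != 0) {
        unlink(path);
        return -1;
    }
    n = count_pid_tokens(path);
    unlink(path);
    return n;
}

int main(void)
{
    printf("tokens without O_TRUNC: %d, with O_TRUNC: %d\n",
           demo_pidfile(0), demo_pidfile(1));
    return 0;
}
```

Without `O_TRUNC` the file reads `987\n5\n`, so a script that signals `$(cat pidfile)` also signals pid 5.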
Joey Schulze
0f9873bed4 On heavily loaded systems, some which are probably receiving a lot of
syslog traffic through the network, there's a (not well researched)
problem with receiving messages on the syslog UDP port.  For some
reason recvfrom() results in EAGAIN.  See
http://bugs.debian.org/188194 and
http://www.ussg.iu.edu/hypermail/linux/kernel/0209.1/0218.html
2003-09-27 23:29:02 +00:00
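An added example of the receive-side handling a practitioner would want for this (my own illustration, not the sysklogd fix): `EAGAIN`/`EWOULDBLOCK` and `EINTR` on a non-blocking receive are treated as "nothing now, wait for the next select() wakeup", not as a dead socket. A non-blocking `AF_UNIX` datagram socketpair stands in for the syslog UDP port so the demo needs no network; the message text and function names are constructed.

```c
/* Added example, not sysklogd code: classifying a failed recv() on a
 * non-blocking syslog socket. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum recv_status { RECV_DATA, RECV_RETRY, RECV_FATAL };

/* Map a failed recv()/recvfrom() errno to what the main loop should do.
 * EAGAIN/EWOULDBLOCK (select() said readable, but nothing is there after
 * all) and EINTR (a signal) are transient; anything else is a real
 * socket error. */
enum recv_status classify_recv_error(int err)
{
    if (err == EAGAIN || err == EWOULDBLOCK || err == EINTR)
        return RECV_RETRY;
    return RECV_FATAL;
}

/* One receive attempt. On RECV_DATA, *got holds the datagram length. */
enum recv_status recv_one(int fd, char *buf, size_t n, ssize_t *got)
{
    ssize_t r = recv(fd, buf, n, 0);

    if (r >= 0) {
        *got = r;
        return RECV_DATA;
    }
    return classify_recv_error(errno);
}

/* Demo: an empty non-blocking read must come back as RECV_RETRY, and a
 * datagram sent afterwards must still arrive intact on the same socket.
 * Returns 0 on success, or the number of the first failing step. */
int demo_spurious_eagain(void)
{
    const char msg[] = "<13>Sep 27 23:29:02 host test: hello";   /* constructed */
    int sv[2], rc;
    char buf[128];
    ssize_t got = 0;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return 1;
    rc = 2;
    if (fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK) < 0)
        goto out;
    rc = 3;
    if (recv_one(sv[0], buf, sizeof buf, &got) != RECV_RETRY)
        goto out;
    rc = 4;
    if (send(sv[1], msg, sizeof msg - 1, 0) != (ssize_t)(sizeof msg - 1))
        goto out;
    rc = 5;
    if (recv_one(sv[0], buf, sizeof buf, &got) != RECV_DATA)
        goto out;
    rc = 6;
    if (got != (ssize_t)(sizeof msg - 1) || memcmp(buf, msg, (size_t)got) != 0)
        goto out;
    rc = 0;
out:
    close(sv[0]);
    close(sv[1]);
    return rc;
}
```

The point is the classification, not the socketpair: a daemon that treats `EAGAIN` as fatal here either logs an error per wakeup or, worse, gives up on the listening socket under exactly the load where logs matter most.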
Joey Schulze
5c817e1d38 There's a problem with including kernel-space header files on the
little endian MIPS architecture.  According to Ryan Murray this should
help and also work on all architectures.
2003-09-27 22:05:39 +00:00
Joey Schulze
293bb81f22 Added information about large file support 2003-09-04 13:22:23 +00:00
Joey Schulze
795245bfaa Improved patch by Michael Pomraning <mjp@securepipe.com> to reconnect
klogd to the logger after it went away, so messages won't get lost if
the logger is already around by trying to reopen the socket in time.
2003-08-27 15:56:01 +00:00
Joey Schulze
d672afd83d Applied patch by Michael Pomraning <mjp@securepipe.com> to reconnect
klogd to the logger after it went away.
2003-08-27 15:55:04 +00:00
Joey Schulze
1ff125949b Hopefully this version is easier to understand for non-English speakers. 2003-05-22 19:31:20 +00:00
Joey Schulze
cebe53b7e3 Greg Whynott <greg@fqdn.com> informed us about an obsolete URL. I
found the new location and exchanged it.
2003-04-05 06:36:34 +00:00
Joey Schulze
6fe063ff70 Added ftp facility (Debian Bug#100437) 2002-01-01 12:00:45 +00:00
Joey Schulze
c581cc29dc Fix typo in syslog.conf(5) (Debian Bug#126899) 2002-01-01 11:04:40 +00:00
Joey Schulze
0a03ff4866 Updated documentation to reflect the current location of the mailing
list and my address.
2001-11-20 19:49:33 +00:00
Joey Schulze
48b01b926c * New upstream source (closes: Bug#87819, Bug#70790, Bug#32580,
    Bug#62358, Bug#71631)
  * Upstream: Doesn't re-set log-level if not requested (closes:
    Bug#76170, Bug#76170, Bug#85289)
  * Upstream: Ignore zero bytes (closes: Bug#85478, Bug#85478, Bug#41068)
  * Upstream: Corrected documentation for `-s' (closes: Bug#87020)
  * Upstream: test for existence of syslogd-listfiles before calling
    them.  This got lost due to 1.4.0 brokenness which was packaged and
    removed some hours later (closes: Bug#84872, Bug#66712)
  * Applied patch by Tommi Virtanen <tv@debian.org> splitting the package
    into `sysklogd' and `klogd' (closes: Bug#35586, Bug#72043, Bug#74864,
    Bug#72122)
  * Provide / depend on virtual packages system-log-daemon
    and linux-kernel-log-daemon (closes: Bug#67604)
  * Applied patch from Tim Janik <timj@gtk.org> to support `-s pattern' in
    syslogd-listfiles
  * Transition to FHS, i.e. /usr/share/doc instead of /usr/doc and
    /usr/share/man instead of /usr/man (closes: Bug#79250, Bug#80771)
  * Use --exec for stopping services (closes: Bug#76757)
  * Corrected broken character in klogd.8 (closes: Bug#75932)
  * Only rotate logfiles with size greater than zero.  This got lost due
    to 1.4.0 brokenness which was packaged and removed some hours later
    (closes: Bug#74993, Bug#49824)
  * Added another note about modifiability of cronjobs (closes:
    Bug#88741)
  * Since klogd replaces parts of sysklogd a proper Replaces line is there
  * Added final newline to CHANGES
2001-03-11 23:00:51 +00:00
Joey Schulze
8b02038df4 . Bumped patchlevel
. Changed versioning scheme to version.patchlevel (like 1.4.1)
2001-03-11 19:40:10 +00:00
Joey Schulze
c6edf85cd6 . Removed kernel.patch since it is no longer required
 . Changed SOCK_STREAM to SOCK_DGRAM in syslog.c

 . klogd will only change the console log level if `-c' is supplied

 . syslogd.c by Bill Nottingham <notting@redhat.com>

   Um, if the directory is invalid, the bind() call in
   create_unix_socket fails. Without the return -1, we return the
   invalid fd that we just closed.  When syslogd then starts
   listening, select goes into a hard loop getting EBADF, IIRC.

 . klogd.c by Troels Walsted Hansen <troels@thule.no>

   I found a bug in the sysklogd package version 1.4. When it
   encounters a zero byte in the kernel logging output, the text
   parser enters a busy loop. I came upon it when the 3c59x driver
   from kernel 2.4.0 started outputting two zero bytes for the product
   code of my laptop's 3Com card. It could be argued that the kernel
   should never output zero bytes in the logging info, but obviously
   that will happen from time to time.

   I fear this bug might be considered a security issue as well, if
   the kernel can be coerced to output a zero byte somehow, all kernel
   logging will stop.

   Wolfgang Oertl <Wolfgang.Oertl@uibk.ac.at> had a similar bugfix
   idea

 . klogd.c by Thomas Roessler <roessler@does-not-exist.org>

   Additionally, the patch prevents LogLine from being invoked with a
   negative counter as an argument.
2001-03-11 19:35:52 +00:00
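An added example of the `create_unix_socket` failure path Bill Nottingham describes (my own illustration, not syslogd's function): on a `bind()` failure the descriptor is closed and `-1` is returned, never the just-closed fd number. The `unlink()` before `bind()` and the datagram type follow the surrounding commits; the nonexistent directory and the temp dir are constructed for the demo.

```c
/* Added example, not sysklogd code: create_unix_socket() with the
 * "return -1 after close()" path the fix adds. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Returns a bound AF_UNIX datagram socket, or -1. Every failure path
 * both closes the descriptor and returns -1: returning the closed fd
 * (the original bug) hands the caller a dead number that select() then
 * rejects with EBADF on every iteration, a hard loop. */
int create_unix_socket(const char *path)
{
    struct sockaddr_un sunx;
    int fd;

    if (strlen(path) >= sizeof sunx.sun_path)
        return -1;
    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sunx, 0, sizeof sunx);
    sunx.sun_family = AF_UNIX;
    strncpy(sunx.sun_path, path, sizeof sunx.sun_path - 1);
    (void)unlink(path);                     /* remove a stale socket node */
    if (bind(fd, (struct sockaddr *)&sunx, sizeof sunx) < 0) {
        close(fd);
        return -1;                          /* the missing line */
    }
    return fd;
}

/* Demo: bind under a directory that does not exist (must yield -1, not a
 * closed fd), then under a fresh temp directory (must yield a usable fd).
 * Returns 0 when both behave, otherwise the number of the failing step. */
int demo_create_unix_socket(void)
{
    char dir[] = "/tmp/syslogd-demo-XXXXXX";
    char path[128];
    int fd, rc = 3;

    if (create_unix_socket("/nonexistent-dir-for-demo/log") != -1)
        return 1;
    if (mkdtemp(dir) == NULL)
        return 2;
    snprintf(path, sizeof path, "%s/log", dir);
    fd = create_unix_socket(path);
    if (fd >= 0) {
        close(fd);
        rc = 0;
    }
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("create_unix_socket demo: %d\n", demo_create_unix_socket());
    return 0;
}
```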
Joey Schulze
dffa03bda1 . klogd will only change the console log level if `-c' is supplied
 . klogd.c by Troels Walsted Hansen <troels@thule.no>

   I found a bug in the sysklogd package version 1.4. When it
   encounters a zero byte in the kernel logging output, the text
   parser enters a busy loop. I came upon it when the 3c59x driver
   from kernel 2.4.0 started outputting two zero bytes for the product
   code of my laptop's 3Com card. It could be argued that the kernel
   should never output zero bytes in the logging info, but obviously
   that will happen from time to time.

   I fear this bug might be considered a security issue as well, if
   the kernel can be coerced to output a zero byte somehow, all kernel
   logging will stop.

   Wolfgang Oertl <Wolfgang.Oertl@uibk.ac.at> had a similar bugfix
   idea

 . klogd.c by Thomas Roessler <roessler@does-not-exist.org>

   Additionally, the patch prevents LogLine from being invoked with a
   negative counter as an argument.
2001-03-11 19:35:51 +00:00
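An added example of a parser that does not stall on the zero byte Troels Walsted Hansen and Thomas Roessler describe in both commits above (my own illustration, not klogd's `LogLine`). The loop is driven by the byte count, never by `strlen()`, so an embedded NUL is just another byte, rendered here as the two characters `\0` (my choice of rendering); a non-positive count is rejected up front, which also covers the negative counter case. The kernel text with the two NUL bytes is constructed to imitate the 3c59x report.

```c
/* Added example, not klogd code: length-driven line splitting that
 * survives NUL bytes in kernel log output. */
#include <stddef.h>
#include <string.h>

#define KLOG_LINE_MAX 128

typedef struct { char text[KLOG_LINE_MAX]; } klog_line;

/* Split len bytes of kernel log into lines. Bounded by len, never by
 * strlen(), so a NUL cannot stop the scan from advancing (a strlen()-based
 * loop that never moves past the NUL is the busy loop in the report).
 * Over-long lines are chopped; a trailing line without '\n' is still
 * emitted. Returns the number of lines written to out, at most max_lines;
 * 0 for max_lines <= 0, so a negative count never reaches the copy. */
int parse_klog_buffer(const char *buf, size_t len, klog_line *out, int max_lines)
{
    int nlines = 0;
    size_t pos = 0, i;

    if (buf == NULL || out == NULL || max_lines <= 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];

        /* flush on newline, or when no room is left for one more
         * (possibly two-character) escaped byte plus the NUL */
        if (c == '\n' || pos + 2 >= KLOG_LINE_MAX) {
            out[nlines].text[pos] = '\0';
            nlines++;
            pos = 0;
            if (nlines == max_lines)
                return nlines;
            if (c == '\n')
                continue;
        }
        if (c == '\0') {
            out[nlines].text[pos++] = '\\';
            out[nlines].text[pos++] = '0';
        } else {
            out[nlines].text[pos++] = (char)c;
        }
    }
    if (pos > 0) {
        out[nlines].text[pos] = '\0';
        nlines++;
    }
    return nlines;
}

/* Constructed sample. sizeof - 1 keeps the embedded NULs inside the
 * length; strlen() would report only the 25 bytes before the first one. */
static const char sample_klog[] =
    "eth0: 3c59x product code \0\0 found\nnext line\n";

const char *demo_sample(size_t *len)
{
    *len = sizeof sample_klog - 1;
    return sample_klog;
}

int demo_parse(klog_line *out, int max_lines)
{
    size_t len;
    const char *s = demo_sample(&len);

    return parse_klog_buffer(s, len, out, max_lines);
}
```

Run on the sample, both lines come out and the product code shows as `\0\0`; the same buffer measured with `strlen()` ends after 25 bytes, which is exactly the data a NUL-terminated parser would silently drop or loop on.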
Joey Schulze
728d79d925 Mon Sep 18 15:33:26 CEST 2000: Martin Schulze <joey@infodrom.ffis.de>
Removed unixm/unix domain sockets and switched to Datagram Unix
    Sockets.  This should remove one possibility to play DoS with
    syslogd.  Thanks to Olaf Kirch <okir@caldera.de> for the patch.
2000-09-18 13:41:33 +00:00
Joey Schulze
f5c0fbfb22 Added patch to fix priority decoding after moving kernel messages
into "%s".  Thanks to Solar Designer <solar@false.com> for the patch.

This refers to CVE-2000-0867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0867

  Kernel logging daemon (klogd) in Linux does not properly cleanse
  user-injected format strings, which allows local users to gain root
  privileges by triggering malformed kernel messages.

Except, users cannot insert arbitrary strings in the kernel log
ringbuffer, can they?
2000-09-18 07:34:12 +00:00
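An added example of the two call shapes behind CVE-2000-0867 and of the priority decoding the commit fixes (my own illustration, not klogd's code). The vulnerable shape is exercised only with `%%`, which is defined behaviour and enough to show the message is being interpreted; the `%n`-style directives that turn this into a write are deliberately left out. The `<N>` prefix with N in 0..7 is the kernel priority marker of the day; the message text and function names are constructed.

```c
/* Added example, not sysklogd code: message-as-format versus "%s", plus
 * decoding of the "<N>" kernel priority prefix on the raw message. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode "<N>" at the start of a kernel message. Returns N (0..7) and
 * points *rest past the prefix; returns -1 with *rest = msg when there
 * is no well-formed prefix. Done on the raw bytes, before any formatting. */
int decode_priority(const char *msg, const char **rest)
{
    char *end;
    long pri;

    *rest = msg;
    if (msg[0] != '<')
        return -1;
    pri = strtol(msg + 1, &end, 10);
    if (end == msg + 1 || *end != '>' || pri < 0 || pri > 7)
        return -1;
    *rest = end + 1;
    return (int)pri;
}

/* Vulnerable shape: the message itself is the format string. snprintf is
 * called through a plain function pointer so no compile-time format
 * checking applies, mirroring how this shipped unnoticed. */
int format_vulnerable(char *out, size_t n, const char *msg)
{
    int (*printer)(char *, size_t, const char *, ...) = snprintf;

    return printer(out, n, msg);
}

/* Fixed shape: constant format, message passed as an argument. */
int format_fixed(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Both steps together: strip the priority from the raw kernel line, then
 * format the remainder safely. Returns the priority, or -1 if absent. */
int klog_emit(const char *raw, char *out, size_t n)
{
    const char *text;
    int pri = decode_priority(raw, &text);

    format_fixed(out, n, text);
    return pri;
}

int main(void)
{
    char out[64];
    const char *msg = "<4>Disk 50%% full";   /* constructed kernel line */
    const char *text;

    decode_priority(msg, &text);
    format_vulnerable(out, sizeof out, text);
    printf("vulnerable: %s\n", out);
    printf("fixed (pri %d): ", klog_emit(msg, out, sizeof out));
    printf("%s\n", out);
    return 0;
}
```

The vulnerable path prints `Disk 50% full`: the message was parsed as a format, which is all an attacker needs to know before swapping `%%` for something with side effects. The fixed path reproduces the bytes verbatim.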
Joey Schulze
d2a6fb08dc Mon Sep 18 09:32:27 CEST 2000: Martin Schulze <joey@infodrom.ffis.de>
Added patch to fix priority decoding after moving kernel
messages into "%s".  Thanks to Solar Designer
      <solar@false.com> for the patch.
2000-09-18 07:34:11 +00:00
Joey Schulze
e791826bd5 bump up the version 2000-09-18 07:33:58 +00:00
Joey Schulze
5433c6018b Mon Sep 18 09:10:47 CEST 2000: Martin Schulze <joey@infodrom.ffis.de>
Fixed bug in printchopped() that caused syslogd to emit
      kern.emerg messages when splitting long lines.  Thanks to
      Daniel Jacobowitz <dan@debian.org> for the fix.
2000-09-18 07:13:08 +00:00
Joey Schulze
03f751675f Last preparation for 1.4 2000-09-17 19:44:52 +00:00
Joey Schulze
8638c1710e Removed old announce 2000-09-17 19:42:58 +00:00
Joey Schulze
a1775f1d8c Sun Sep 17 21:26:16 CEST 2000: Martin Schulze <joey@infodrom.ffis.de>
Don't close open sockets upon reload.  Thanks to Bill Nottingham.
2000-09-17 19:30:50 +00:00
Joey Schulze
afcd97602f Sun Sep 17 20:45:33 CEST 2000: Martin Schulze <joey@infodrom.ffis.de>
Fixed some bugs in printline() code that did not escape
      control characters '\177' through '\237' and contained a
      single-byte buffer overflow.  Thanks to Solar Designer
      <solar@false.com>.
2000-09-17 18:49:39 +00:00
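An added example of the escaping and the bound check this commit is about (my own illustration, not syslogd's `printline()`): bytes below 040 and in the range 0177..0237 are rendered as `\ooo` (octal is my choice of representation), and because each input byte can expand to four output bytes the space check is made per byte, including the terminating NUL, rather than assuming a one-to-one copy. The single-byte overflow in the message is the classic off-by-one this check prevents; the sample strings are constructed.

```c
/* Added example, not sysklogd code: control-character escaping with an
 * expansion-aware bound. */
#include <stddef.h>
#include <string.h>

/* Copy msg into out[n], escaping bytes < 040 (except tab) and bytes
 * 0177..0237 (DEL and the C1 controls) as "\ooo". A control byte needs
 * four output bytes, so the check is per byte against the space really
 * left, counting the NUL. Returns the output length, or -1 if out is too
 * small; in that case nothing is written beyond what fitted and out is
 * not NUL-terminated, so the caller must treat -1 as failure. */
int escape_line(const char *msg, char *out, size_t n)
{
    const unsigned char *p = (const unsigned char *)msg;
    size_t o = 0;

    for (; *p; p++) {
        unsigned char c = *p;
        int ctrl = (c < 040 && c != '\t') || (c >= 0177 && c <= 0237);
        size_t need = ctrl ? 4 : 1;

        if (o + need + 1 > n)           /* +1 for the terminating NUL */
            return -1;
        if (ctrl) {
            out[o++] = '\\';
            out[o++] = (char)('0' + (c >> 6));
            out[o++] = (char)('0' + ((c >> 3) & 7));
            out[o++] = (char)('0' + (c & 7));
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed sample: DEL, a C1 control (0237) and an ordinary byte. */
const char *sample_escape_input(void)
{
    return "a\177b\237";
}
```

With a 64-byte buffer the sample escapes to `a\177b\237` (10 bytes). Offered a 4-byte buffer for a lone DEL, the function refuses rather than writing the fourth escape byte over the NUL slot; 5 bytes is the minimum that works.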
Joey Schulze
50539e29d4 . Close symbol file before returning with 0 when an error occurred
   while reading it.  This will enable systems to umount that
   partition with no open file descriptor left over.
2000-09-12 21:53:31 +00:00
Joey Schulze
2c81663786 . Use lseek64() instead of llseek() which is deprecated these days
. Keith Owens <kaos@ocs.com.au>
   - Fixed bug that caused klogd to die if there is no sym_array available.
   - When symbols are expanded, print the line twice.  Once with
     addresses converted to symbols, once with the raw text.  Allows
     external programs such as ksymoops to do their own processing on the
     original data.
2000-09-12 21:15:28 +00:00
Joey Schulze
955a093c05 Two spaces after fullstop. 1999-08-21 10:49:14 +00:00
Joey Schulze
8440db2b28 . Started with CHANGES file
 . Skip newline when reading in klog messages
1999-08-21 10:28:44 +00:00
Joey Schulze
263b17247e Adjustments 1999-08-21 10:26:42 +00:00
Joey Schulze
c762d84561 * Fixed typo in syslogd-listfiles (closes: Bug#35408)
  * Removed superfluous call to utmpname() (closes: Bug#34733)
  * Added --ignore-size and limit for rotating log files at 2MB to
    syslogd-listfiles (closes: Bug#36198)
1999-05-23 08:41:06 +00:00
Joey Schulze
64ce6b452e Args, the last commit contained some mistakes. 1999-01-19 11:31:58 +00:00
Joey Schulze
68b50092c7 * ``-m 0'' turns off -- MARK -- now. (closes: Bug#28629, Bug#31494)
  * Changed Greg's e-mail address to represent his current one.
  * Shortened line length for kernel logging slightly.
  * Corrected return value of AddModule (closes: Bug#30093)
  * Finally fixed an error with `-a' processing, thanks to Topi Miettinen
    <tom@medialab.sonera.net> (closes: Bug#30462)
1999-01-19 00:09:12 +00:00