[SECURITY] CVE-2007-6437 prone to denial of service attack

Bug #183389 reported by Cody A.W. Somerville on 2008-01-16
Affects Status Importance Assigned to Milestone
syslog-ng (Debian)
Fix Released
Unknown
syslog-ng (Ubuntu)
Undecided
Unassigned
Edgy
High
Unassigned
Feisty
High
Unassigned
Gutsy
High
Unassigned

Bug Description

Binary package hint: syslog-ng

Balabit syslog-ng 2.0.x before 2.0.6 and 2.1.x before 2.1.8 allows remote attackers to cause a denial of service (crash) via a message with a timestamp that does not contain a trailing space, which triggers a NULL pointer dereference. This has been fixed in the latest upload to Hardy.

References:
     - http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170
     - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6437
     - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457334
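
The failure class described above, as an added example that is not part of the original report and is not syslog-ng's code: a length-bounded split of a timestamp token from the rest of a message that stays in bounds when no trailing space is present. The names `split_timestamp`, `ts_split` and `ts_status`, the choice to return a distinct status for the missing delimiter, and the sample messages are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names for this example; not taken from syslog-ng. */
enum ts_status { TS_OK = 0, TS_NO_DELIM = 1, TS_BAD_INPUT = -1 };

struct ts_split {
    const char *stamp; size_t stamp_len;  /* timestamp token */
    const char *rest;  size_t rest_len;   /* bytes after the delimiter */
};

/* Constructed sample inputs (not captured traffic). */
static const char SAMPLE_OK[] = "2008-01-15T20:21:54-04:00 host prog: hello";
static const char SAMPLE_NO_SPACE[] = "2008-01-15T20:21:54-04:00";

/*
 * Pattern to avoid (illustrative of the bug class, not the original source):
 *     p = memchr(src, ' ', left);
 *     src = p + 1;      // p is NULL when no space follows the timestamp
 * The version below checks the search result before using it.
 */
enum ts_status split_timestamp(const char *src, size_t left, struct ts_split *out)
{
    if (src == NULL || out == NULL)
        return TS_BAD_INPUT;

    const char *p = memchr(src, ' ', left);  /* bounded: input need not be NUL-terminated */

    out->stamp = src;
    if (p == NULL) {
        /* No trailing space: the token runs to the end of the buffer.
         * Report it and leave an empty, in-bounds remainder. */
        out->stamp_len = left;
        out->rest = src + left;
        out->rest_len = 0;
        return TS_NO_DELIM;
    }
    out->stamp_len = (size_t)(p - src);
    out->rest = p + 1;
    out->rest_len = left - out->stamp_len - 1;
    return TS_OK;
}

int main(void)
{
    struct ts_split s;
    if (split_timestamp(SAMPLE_OK, sizeof SAMPLE_OK - 1, &s) != TS_OK) return 1;
    return split_timestamp(SAMPLE_NO_SPACE, sizeof SAMPLE_NO_SPACE - 1, &s) == TS_NO_DELIM ? 0 : 1;
}
```

A caller can treat `TS_NO_DELIM` as a message with an empty body or drop it; either way the parser never follows a NULL search result.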

debdiff syslog-ng_2.0.0-1ubuntu1.dsc syslog-ng_2.0.0-1ubuntu1.1.dsc > syslog-ng_2.0.0-1ubuntu1.1.gutsy-security.debdiff

Changes:
 syslog-ng (2.0.0-1ubuntu1.1) gutsy-security; urgency=low
 .
   * SECURITY UPDATE: Allows remote attackers to cause a denial of service
      (crash) via a message with a timestamp that does not contain a trailing
      space, which triggers a NULL pointer dereference.
   * src/logmsg.c (log_msg_parse): fixed possible NULL pointer dereference
      in log message parsing, as done in upstream RCS
   * References:
     - http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170
     - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6437
     - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457334
Files:
 1506917867abfe4f565f1c3a758bfd48 713 admin extra syslog-ng_2.0.0-1ubuntu1.1.dsc
 6ea55c647dcbd3d58a58b8d90f7ea300 346056 admin extra syslog-ng_2.0.0.orig.tar.gz
 aa1cd8d197f63ce1f9ce5fe432615bde 11211 admin extra syslog-ng_2.0.0-1ubuntu1.1.diff.gz

Changed in syslog-ng:
importance: Undecided → High
status: New → Confirmed

Updated debdiff to include lp bug number.

debdiff syslog-ng_2.0.0-1ubuntu1.dsc syslog-ng_2.0.0-1ubuntu1.1.dsc > syslog-ng_2.0.0-1ubuntu1.1.gutsy-security.debdiff

Changes:
 syslog-ng (2.0.0-1ubuntu1.1) gutsy-security; urgency=low
 .
   * SECURITY UPDATE: Allows remote attackers to cause a denial of service
      (crash) via a message with a timestamp that does not contain a trailing
      space, which triggers a NULL pointer dereference.
   * src/logmsg.c (log_msg_parse): fixed possible NULL pointer dereference
      in log message parsing, as done in upstream RCS
   * References:
     - http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170
     - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6437
     - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457334
   * Closes lp: #183389
Files:
 1f40a0b1b665dc5ed9a29a2c27ea32e1 713 admin extra syslog-ng_2.0.0-1ubuntu1.1.dsc
 6ea55c647dcbd3d58a58b8d90f7ea300 346056 admin extra syslog-ng_2.0.0.orig.tar.gz
 c169408b880f0ce182af2d5b795e82fb 11225 admin extra syslog-ng_2.0.0-1ubuntu1.1.diff.gz

Changed in syslog-ng:
assignee: nobody → cody-somerville
importance: Undecided → High
status: New → In Progress

debdiff syslog-ng_2.0.0-1.dsc syslog-ng_2.0.0-1ubuntu0.1.dsc > syslog-ng_2.0.0-1ubuntu0.1.feisty-security.debdiff

Changes:
 syslog-ng (2.0.0-1ubuntu0.1) feisty-security; urgency=low
 .
   * SECURITY UPDATE: Allows remote attackers to cause a denial of service
       (crash) via a message with a timestamp that does not contain a trailing
       space, which triggers a NULL pointer dereference.
   * src/logmsg.c (log_msg_parse): fixed possible NULL pointer dereference
       in log message parsing, as done in upstream RCS
   * References:
      - http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170
      - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6437
      - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457334
   * Closes lp: #183389
Files:
 36995d5b529bbdf5fce5a8ffb8ff0a8b 638 admin extra syslog-ng_2.0.0-1ubuntu0.1.dsc
 6ea55c647dcbd3d58a58b8d90f7ea300 346056 admin extra syslog-ng_2.0.0.orig.tar.gz
 9b8e677769ae974f5a48d7aee3e200d1 10687 admin extra syslog-ng_2.0.0-1ubuntu0.1.diff.gz

Changed in syslog-ng:
assignee: cody-somerville → nobody
status: In Progress → Confirmed
Changed in syslog-ng:
assignee: nobody → cody-somerville
importance: Undecided → High
status: New → In Progress

debdiff syslog-ng_1.9.11-1.1.dsc syslog-ng_1.9.11.1.1ubuntu0.1.dsc > syslog-ng_1.9.11.1.1ubuntu0.1.edgy-security.debdiff

Changes:
 syslog-ng (1.9.11-1ubuntu0.1) edgy-security; urgency=low
 .
   * SECURITY UPDATE: Allows remote attackers to cause a denial of service
       (crash) via a message with a timestamp that does not contain a trailing
       space, which triggers a NULL pointer dereference.
   * src/logmsg.c (log_msg_parse): fixed possible NULL pointer dereference
       in log message parsing, as done in upstream RCS
   * References:
      - http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170
      - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6437
      - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457334
   * Closes lp: #183389
Files:
 6140177483629ca8177480170abe4c1b 640 admin extra syslog-ng_1.9.11-1ubuntu0.1.dsc
 595882ee38767710d5910961633dd01e 314717 admin extra syslog-ng_1.9.11.orig.tar.gz
 31fd0a329219c3d88d5572b15a31f30c 9494 admin extra syslog-ng_1.9.11-1ubuntu0.1.diff.gz

Changed in syslog-ng:
assignee: cody-somerville → nobody
status: In Progress → Confirmed

Updated debdiff to mangle maintainer fields

debdiff syslog-ng_2.0.0-1.dsc syslog-ng_2.0.0-1ubuntu0.1.dsc > syslog-ng_2.0.0-1ubuntu0.1.feisty-security.debdiff

Changes:
 syslog-ng (2.0.0-1ubuntu0.1) feisty-security; urgency=low
 .
   * SECURITY UPDATE: Allows remote attackers to cause a denial of service
       (crash) via a message with a timestamp that does not contain a trailing
       space, which triggers a NULL pointer dereference.
   * src/logmsg.c (log_msg_parse): fixed possible NULL pointer dereference
       in log message parsing, as done in upstream RCS
   * References:
      - http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170
      - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6437
      - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457334
   * Closes lp: #183389
   * Updated maintainer fields
Files:
 f4cd261152a122f0b9c56279e437fe03 713 admin extra syslog-ng_2.0.0-1ubuntu0.1.dsc
 6ea55c647dcbd3d58a58b8d90f7ea300 346056 admin extra syslog-ng_2.0.0.orig.tar.gz
 4b90b3f68c315a988d4b19130551b2ae 10746 admin extra syslog-ng_2.0.0-1ubuntu0.1.diff.gz

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package syslog-ng - 2.0.0-1ubuntu1.1

---------------
syslog-ng (2.0.0-1ubuntu1.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Allows remote attackers to cause a denial of service
     (crash) via a message with a timestamp that does not contain a trailing
     space, which triggers a NULL pointer dereference.
  * src/logmsg.c (log_msg_parse): fixed possible NULL pointer dereference
     in log message parsing, as done in upstream RCS
  * References:
    - http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170
    - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6437
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457334
  * Closes lp: #183389

 -- <email address hidden> (Cody A.W. Somerville) Tue, 15 Jan 2008 20:21:54 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package syslog-ng - 2.0.0-1ubuntu0.1

---------------
syslog-ng (2.0.0-1ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: Allows remote attackers to cause a denial of service
      (crash) via a message with a timestamp that does not contain a trailing
      space, which triggers a NULL pointer dereference.
  * src/logmsg.c (log_msg_parse): fixed possible NULL pointer dereference
      in log message parsing, as done in upstream RCS
  * References:
     - http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170
     - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6437
     - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457334
  * Closes lp: #183389
  * Updated maintainer fields

 -- <email address hidden> (Cody A.W. Somerville) Tue, 15 Jan 2008 17:30:40 -0800

Changed in syslog-ng:
status: Confirmed → Fix Released
status: Confirmed → Fix Released
William Grant (wgrant) on 2008-03-23
Changed in syslog-ng:
status: Confirmed → Fix Released
William Grant (wgrant) wrote :

Fixed in Hardy in 2.0.6-1.

Changed in syslog-ng:
status: New → Fix Released
Changed in syslog-ng:
status: Unknown → Fix Released