severity 644611 important
thanks

On 09.10.2011 13:57, emeric boit wrote:
>> From: Michael Biebl <bi...@debian.org>
>> Subject: Re: Bug#644611: CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function
>> To: "emeric boit" <emericb...@yahoo.fr>, 644...@bugs.debian.org
>> Date: Friday 7 October 2011, 18:44
>> On 07.10.2011 12:55, emeric boit wrote:
>>> Package: rsyslog
>>> Version: 4.6.4-2
>>> Severity: grave
>>> Tags: security
>>>
>>> CVE description:
>>> Stack-based buffer overflow in the parseLegacySyslogMsg function in
>>> tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0
>>> through 5.8.4 might allow remote attackers to cause a denial of service
>>> (application exit) via a long TAG in a legacy syslog message.
>>>
>>> Security Bug Tracker : http://security-tracker.debian.org/tracker/CVE-2011-3200
>>> RedHat bug : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3200
>>> Ubuntu Bug : http://www.ubuntu.com/usn/usn-1224-1
>>>
>>> I've attached the patch based on the Ubuntu and RedHat patches.
>>
>> TTBOMK this only affects rsyslog if it was compiled with SSP, which the version
>> in squeeze isn't. Have you information that this is not the case?
>> It also only affects rsyslog if you enable remote logging.
>>
>> That said, Nico Golde asked me to handle that via a stable upload.
>>
>> Michael
>> --
>> Why is it that all of the instruments seeking intelligent life in the
>> universe are pointed away from Earth?
>>
>
> It's true that with no SSP, no fatal problem seems to occur and the tag character
> is usually just truncated. But I think even if SSP isn't in Squeeze by
> default the problem must be corrected.
As said, I agreed with Nico that this issue is not grave enough to be handled via a
security upload, but will be done via a regular stable release update. Uploads for
the next stable release are no longer accepted, so it will have to go into the next
one.

I also don't think severity grave is justified, so downgrading.

Cheers,
Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
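The bug class discussed in this thread, a legacy syslog TAG copied into a fixed stack buffer with no length bound, as an added C illustration of the bounded parse a fix needs; this is not rsyslog's code nor the attached patch, and the message layout, the TAG_MAX of 32 and the helper names are assumptions:

```c
#include <stddef.h>
#include <string.h>

#define TAG_MAX 32  /* longest TAG accepted; RFC 3164 suggests 32 characters (assumed) */

struct tag_result {
    char tag[TAG_MAX + 1]; /* NUL-terminated, bounded copy of the TAG */
    size_t full_len;       /* length of the TAG as it appeared in the input */
    int truncated;         /* 1 if the input TAG was longer than TAG_MAX */
};

/* Extract the TAG from "<PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG".
 * The weak pattern behind the CVE is a copy loop that stops only at the TAG
 * terminator, so a long TAG runs past a fixed stack buffer (with SSP the
 * canary check aborts the daemon). Here the copy is bounded by the buffer
 * size and the caller learns that truncation happened.
 * Returns 0 on success, -1 if the line carries no TAG. */
int parse_legacy_tag(const char *msg, struct tag_result *out)
{
    const char *p = msg, *start;
    size_t n;

    memset(out, 0, sizeof *out);
    if (*p == '<') {                      /* optional <PRI> */
        const char *close = strchr(p, '>');
        if (!close) return -1;
        p = close + 1;
    }
    if (strlen(p) < 16 || p[15] != ' ') return -1;  /* "Mmm dd hh:mm:ss " */
    p += 16;
    while (*p && *p != ' ') p++;          /* HOSTNAME */
    if (*p != ' ') return -1;
    start = ++p;
    while (*p && *p != ':' && *p != '[' && *p != ' ') p++;  /* TAG */
    n = (size_t)(p - start);
    if (n == 0) return -1;
    out->full_len = n;
    if (n > TAG_MAX) { out->truncated = 1; n = TAG_MAX; }   /* the bound */
    memcpy(out->tag, start, n);
    out->tag[n] = '\0';
    return 0;
}

/* Length of the bounded TAG, or 0 if the line does not parse. */
size_t tag_len(const char *msg) { struct tag_result r; return parse_legacy_tag(msg, &r) == 0 ? strlen(r.tag) : 0; }

/* 1 if the TAG exceeded TAG_MAX: a cheap validation or detection hook for oversized tags. */
int tag_oversized(const char *msg) { struct tag_result r; return parse_legacy_tag(msg, &r) == 0 && r.truncated; }
```

The sample lines used in the checks below are constructed; a TAG of 40 characters is reported as oversized and stored truncated to 32 instead of overrunning the buffer.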