vulnerabilities in logsurfer

From: Jan Kohlrausch (kohlrauschat_private)
Date: Fri Oct 04 2002 - 10:09:11 PDT

Next message: OpenPKG: "[OpenPKG-SA-2002.009] OpenPKG Security Advisory (apache)"

Previous message: Mike Caudill: "Re: Cisco Secure Content Accelerator vulnerable to SSL worm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----


The program "logsurfer" was designed to monitor any text-based
logfiles on systems in realtime. For more informations about
logsurfer we refer to 

	http://www.cert.dfn.de/eng/logsurf/home.html

1. Affected software:

 All logsurfer versions including 1.5a and earlier. 

1. Problem:

Two vulnerabilities exist In logsurfer version 1.5a and earlier:

a) A off-by-one buffer overflow in the heap segment can occur in
   function context_action() in context.c. Dependent on the
   configuration and the memory management of the language runtime
   system this bug can lead to a crash of logsurfer. In detail, only
   configurations are affected which use the "pipe" action. 
   Although it cannot be ruled out that this vulnerability can be used
   to execute arbitrary code, we're not aware of any exploits to this.

b) A buffer used for the temporary storage of config lines is not
   properly initialized in function readcfg(). Dependent on the
   content of this buffer the function readline() incorrectly assumes
   that this is old data. This data is then used as a config line.


2. Solution:

We recommend to upgrade to logsurfer version 1.5b which is available
from the URL:

	ftp://ftp.cert.dfn.de/pub/tools/audit/logsurfer/

In addition, a Patch is available from the URL stated above.

It is strongly recommended to prove the authenticity of the logsurfer
distribution using pgp and/or md5 checksum:

  a) pgp logsurfer-1.5b.tar.asc

  pgp key "Jan Kohlrausch, DFN-CERT <kohlrauschat_private>" is
  required:
 
     KeyID 0xA5DD03D1,
     Key fingerprint =  A2 55 1C 51 0A 30 3E 78  5B 40 DA B7 14 F7 C9 E8

  b) Md5 checksum:
  
	MD5 (logsurfer-1.5b.tar) = ade77bed7bc3c73fd26039e69c4937f4

credits: Jonathan Heusser, Yonekawa Susumu, Gary L. Hennigan, and
         Miron Cuperman for reporting the vulnerability and suplying a
         patch. In addition, we thank Wolfgang Ley for his
         constructive comments.


best regards,
	DFN-CERT

- -- 
DFN-CERT GmbH      |                   mailto:infoat_private
Oberstr. 14b       |                   http://www.cert.dfn.de/
D-20144 Hamburg    |                 Phone: +49(40) 808077 555
Germany            |                   FAX: +49(40) 808077 556



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Processed by Mailcrypt 3.5.5, an Emacs/PGP interface

iQEVAgUBPZ3LF+I9ttyl3QPRAQGz6gf+PkD6rpksdjtGFTxDZH5bH+gbE6f4gCPG
xcvlsbj3E8KFg+0fNgwY55KyGXppupgAFXrEI3iwrjsARZYtpGqd77nf0l+rzq4/
Bmeqor3v+iXYE8+rBYnraaTbCbxURwuODEQIuGvKrhjg06JPCKlIrROVc7Q0ep6d
XBZfKYpFrZGrClUBBD/aZ5gFif64i/Vf1w1qSHn6NqFHbB3ZVSBOXH/SJge3P7Lv
I4tFliXT7XkyYvQO/f5kBf9i7+e8SX9ne74jJY9oOSJcs9HkX7jjyniYfy2VzvzM
L1i/22IoRft2BcT9g5UMzYoOv1N7GkT7dxRky1Ty3A0uLK/cD9KofA==
=/UcX
-----END PGP SIGNATURE-----

Next message: OpenPKG: "[OpenPKG-SA-2002.009] OpenPKG Security Advisory (apache)"
Previous message: Mike Caudill: "Re: Cisco Secure Content Accelerator vulnerable to SSL worm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 14:23:30 PDT