----- Forwarded by Edward J Sargisson/NZ/MCS/PwC on 07/10/2002 08:34 -----
Jan Kohlrausch
<kohlrausch@cert. To: bugtraqat_private
dfn.de> cc:
Subject: vulnerabilities in logsurfer
05/10/2002 05:09
Please respond to
Jan Kohlrausch
-----BEGIN PGP SIGNED MESSAGE-----
The program "logsurfer" was designed to monitor any text-based
logfiles on systems in realtime. For more informations about
logsurfer we refer to
http://www.cert.dfn.de/eng/logsurf/home.html
1. Affected software:
All logsurfer versions including 1.5a and earlier.
1. Problem:
Two vulnerabilities exist In logsurfer version 1.5a and earlier:
a) A off-by-one buffer overflow in the heap segment can occur in
function context_action() in context.c. Dependent on the
configuration and the memory management of the language runtime
system this bug can lead to a crash of logsurfer. In detail, only
configurations are affected which use the "pipe" action.
Although it cannot be ruled out that this vulnerability can be used
to execute arbitrary code, we're not aware of any exploits to this.
b) A buffer used for the temporary storage of config lines is not
properly initialized in function readcfg(). Dependent on the
content of this buffer the function readline() incorrectly assumes
that this is old data. This data is then used as a config line.
2. Solution:
We recommend to upgrade to logsurfer version 1.5b which is available
from the URL:
ftp://ftp.cert.dfn.de/pub/tools/audit/logsurfer/
In addition, a Patch is available from the URL stated above.
It is strongly recommended to prove the authenticity of the logsurfer
distribution using pgp and/or md5 checksum:
a) pgp logsurfer-1.5b.tar.asc
pgp key "Jan Kohlrausch, DFN-CERT <kohlrauschat_private>" is
required:
KeyID 0xA5DD03D1,
Key fingerprint = A2 55 1C 51 0A 30 3E 78 5B 40 DA B7 14 F7 C9 E8
b) Md5 checksum:
MD5 (logsurfer-1.5b.tar) = ade77bed7bc3c73fd26039e69c4937f4
credits: Jonathan Heusser, Yonekawa Susumu, Gary L. Hennigan, and
Miron Cuperman for reporting the vulnerability and suplying a
patch. In addition, we thank Wolfgang Ley for his
constructive comments.
best regards,
DFN-CERT
- --
DFN-CERT GmbH | mailto:infoat_private
Oberstr. 14b | http://www.cert.dfn.de/
D-20144 Hamburg | Phone: +49(40) 808077 555
Germany | FAX: +49(40) 808077 556
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Processed by Mailcrypt 3.5.5, an Emacs/PGP interface
iQEVAgUBPZ3LF+I9ttyl3QPRAQGz6gf+PkD6rpksdjtGFTxDZH5bH+gbE6f4gCPG
xcvlsbj3E8KFg+0fNgwY55KyGXppupgAFXrEI3iwrjsARZYtpGqd77nf0l+rzq4/
Bmeqor3v+iXYE8+rBYnraaTbCbxURwuODEQIuGvKrhjg06JPCKlIrROVc7Q0ep6d
XBZfKYpFrZGrClUBBD/aZ5gFif64i/Vf1w1qSHn6NqFHbB3ZVSBOXH/SJge3P7Lv
I4tFliXT7XkyYvQO/f5kBf9i7+e8SX9ne74jJY9oOSJcs9HkX7jjyniYfy2VzvzM
L1i/22IoRft2BcT9g5UMzYoOv1N7GkT7dxRky1Ty3A0uLK/cD9KofA==
=/UcX
-----END PGP SIGNATURE-----
_________________________________________________________________
PLEASE NOTE THAT IBM recently completed its acquisition of
PricewaterhouseCoopers' global management consulting and information
technology services business, PwC Consulting. As a result, PwC Consulting
is no longer a part of the PricewaterhouseCoopers network of firms, and is
now a part of the IBM Global Services business unit. IBM (including IBM
Global Services) and PricewaterhouseCoopers are not the same organisation,
and neither governs or is affiliated with the other, or any affiliate,
subsidiary or division of the other.
PLEASE ALSO NOTE THAT as a result of this acquisition by IBM, the
individual sending this note is an IBM employee and is no longer employed
by or represents PricewaterhouseCoopers.
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Sun Oct 06 2002 - 17:19:02 PDT