syslog format vulnerability in klogd

Various vulnerabilities exist in syslogd/klogd. By exploiting these
vulnerabilities, it could be possible for local users to gain root
access. No remote exploit exists at this time, but it remains
theoretically possible that this vulnerability could be exploited
remotely under certain rare circumstances.

All users should upgrade to the new sysklogd packages. Users of
Red Hat Linux 6.0 and 6.1 should use the packages for Red Hat
Linux 6.2.

2000-09-26: Noted that packages are now available for Red Hat Linux 7.0,
added instructions on how to restart the daemon after upgrade.

klogd contains instances of the:
syslog( LOG_INFO, buffer );
vulnerability that has been recently been discussed on Bugtraq and similar
mailing lists; by supplying some string that contains '%' escapes, it is
possible to have those escapes interpreted, which can lead to the ability
to gain root access.

Also, there are a couple of minor buffer overflow/termination problems that
could allow local users to crash syslogd and cause bogus messages to be
printed on the local system console.

The updated sysklogd packages fix these vulnerabilities/issues.

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.


[2000-09-26]
For Red Hat Linux 6.2 and earlier, you should run:

/etc/rc.d/init.d/syslog restart

after upgrading to the new package to restart the syslog daemon.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0867
Thanks go to Jouko Pynnonen, Solar Designer, and Daniel Jacobowitz
for discovering the vulnerabilities and providing patches.

syslogd