FreeBSD-SA-96:08: syslog vulnerability
Posted by LinuxSecurity.com Team
FreeBSD: Bounds checking for syslog error messages was not being performed properly.
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-96:08                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          syslog vulnerability

Category:       core
Module:         libc
Announced:      1996-04-21
Affects:        FreeBSD 2.0 and 2.0.5
Corrected:      1995-10-15 2.2-current and 2.1.0-release sources
Source:         Generic BSD bug
FreeBSD only:   no

Reference:      CERT CA-95:13.syslog.vul

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:08/

=============================================================================

I.   Background

     A problem was found in the syslog(3) library call that affects
     FreeBSD 2.0 and FreeBSD 2.0.5 releases.  This problem was
     fixed prior to the release of FreeBSD 2.1.

     The FreeBSD project is not aware of active exploits of this
     vulnerability.

     All FreeBSD users are encouraged to upgrade to a version of
     FreeBSD with this vulnerability fixed.


II.  Problem Description

     Bounds checking for syslog error messages was not being
     performed properly.
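
     Added illustration, not part of the advisory and not the FreeBSD
     libc source or patch: a log-message formatter that performs the
     kind of bounds checking described above as missing. The names
     log_format and LOG_BUF_SIZE, the 64-byte buffer and the sample
     input are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 64  /* hypothetical size, small so truncation is visible */

/* Build "<pri>tag: message" in buf without writing past buf[size - 1].
 * Each step hands the remaining space to (v)snprintf and checks the return
 * value rather than trusting the length of caller-supplied input.
 * Returns bytes stored (excluding the NUL); *truncated is 1 if it did not fit. */
size_t log_format(char *buf, size_t size, int *truncated, int pri,
                  const char *tag, const char *fmt, ...)
{
    va_list ap;
    size_t used;
    int n;
    *truncated = 1;                     /* assume the worst until done */
    if (size == 0)
        return 0;
    n = snprintf(buf, size, "<%d>%s: ", pri, tag);
    if (n < 0) {
        buf[0] = '\0';
        return 0;
    }
    if ((size_t)n >= size)              /* header alone filled the buffer */
        return size - 1;
    used = (size_t)n;
    va_start(ap, fmt);
    n = vsnprintf(buf + used, size - used, fmt, ap);
    va_end(ap);
    if (n < 0) {
        buf[used] = '\0';               /* keep the header, drop the body */
        return used;
    }
    if ((size_t)n >= size - used)       /* body was cut short */
        return size - 1;
    *truncated = 0;
    return used + (size_t)n;
}

int main(void)
{
    char buf[LOG_BUF_SIZE], big[512];   /* constructed oversized input */
    int cut;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    size_t len = log_format(buf, sizeof buf, &cut, 22, "sendmail", "%s", big);
    printf("%zu bytes, truncated=%d: %s\n", len, cut, buf);
}
```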


III. Impact

     The problem could be exploited to gain unauthorized access to
     a system running sendmail.


IV.  Solution(s)

     Update operating system sources and binaries to FreeBSD 2.1 or
     a later release, or apply the patches available at the URL
     listed at the top of this bulletin and re-install the C library.

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMaLAkFUuHi5z0oilAQFxEwP/aKhjlldITj2TRdejyyVTyrbLLc8EG3Ws
e8VLwYYfaciMGf9jihZop2MxdVB/wlIR+iy2i04ULV5TUar3aiq0fmRsIxspT4vt
/HcjtrsYX52rzAqkibTTMLRPn3vU9LES1gBZZDPteA4vk43Yo+brJk/bTuxloQTY
PGw0ifIAHHM=
=KBgt
-----END PGP SIGNATURE-----