-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | tools/syslogd.c | 2 |
2 files changed, 6 insertions, 4 deletions
@@ -1,5 +1,6 @@
 ---------------------------------------------------------------------------
-Version 4.7.5 [v4-beta] (al), 2011-??-??
+Version 4.7.5 [v4-beta] (al), 2011-09-01
+- bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
 - bugfix: potential misadressing in property replacer
 - bugfix: The NUL-Byte for the syslogtag was not copied in MsgDup (msg.c)
 ---------------------------------------------------------------------------
@@ -79,9 +80,10 @@ Version 4.7.0 [v4-devel] (rgerhards), 2010-04-14
 (bugs require certain non-standard settings to appear)
 Thanks to varmojfekoj for the patch [imported from 4.5.8]
 ---------------------------------------------------------------------------
-Version 4.6.8 [v4-stable] (rgerhards), 2011-??-??
+Version 4.6.8 [v4-stable] (rgerhards), 2011-09-01
+- bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
 - bugfix: potential misadressing in property replacer
-- bugfix: memcpy overflow can occur in allowed sender checkig
+- bugfix: memcpy overflow can occur in allowed sender checking
 if a name is resolved to IPv4-mapped-on-IPv6 address
 Found by Ismail Dönmez at suse
 - bugfix: The NUL-Byte for the syslogtag was not copied in MsgDup (msg.c)
diff --git a/tools/syslogd.c b/tools/syslogd.c
index 058d75d8..f66cbee3 100644
--- a/tools/syslogd.c
+++ b/tools/syslogd.c
@@ -1294,7 +1294,7 @@ int parseLegacySyslogMsg(msg_t *pMsg, int flags)
 * outputs so that only 32 characters max are used by default.
 */
 i = 0;
- while(lenMsg > 0 && *p2parse != ':' && *p2parse != ' ' && i < CONF_TAG_MAXSIZE) {
+ while(lenMsg > 0 && *p2parse != ':' && *p2parse != ' ' && i < CONF_TAG_MAXSIZE - 2) {
 bufParseTAG[i++] = *p2parse++;
 --lenMsg;
 }
|
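Review bot: The `- 2` in the new loop bound `i < CONF_TAG_MAXSIZE - 2` in tools/syslogd.c is an unexplained magic number, and nothing in the hunk says which two bytes it reserves. Going by the ChangeLog entry (off-by-two, CVE-2011-3200), the code after the loop presumably appends a ':' and a terminating NUL to `bufParseTAG`; a comment on the loop such as `/* stop two short: the ':' and the NUL appended below must still fit */` would keep a later edit from reintroducing the overflow. If `bufParseTAG` is a local array, deriving the bound from `sizeof(bufParseTAG)` rather than repeating the constant would keep the check tied to the buffer that is actually written. The body of parseLegacySyslogMsg starts and ends outside the hunk, so the declaration and the post-loop writes need to be confirmed there, ideally with a regression test that feeds a tag of at least CONF_TAG_MAXSIZE characters.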