Bugzilla – Bug 828140
VUL-0: CVE-2013-4758: rsyslog: omelasticsearch plugin - Double Free Memory Corruption
Last modified: 2014-07-08 09:23:52 UTC
reported by author http://www.lsexperts.de/advisories/lse-2013-07-03.txt

=== LSE Leading Security Experts GmbH - Security Advisory 2013-07-03 ===
rsyslog omelasticsearch plugin - Double Free Memory Corruption
- --------------------------------------------------------------

Affected Version
================
rsyslog omelasticsearch plugin < 7.5.2 devel and < 7.4.2 stable

Problem Overview
================
Technical Risk: high
Likelihood of Exploitation: low
Vendor: Adiscon GmbH, Nathan Scott, Rainer Gerhards
Credits: LSE Leading Security Experts GmbH employee Markus Vervier and Marius Ionescu
Advisory URL: http://www.lsexperts.de/advisories/lse-2013-07-03.txt
Advisory Status: Private
CVE-Number: Not assigned yet

Problem Impact
==============
A double free memory corruption exists in the Elastic Search plugin of rsyslog. This could allow a remote attacker to crash rsyslog and possibly execute code if he can manipulate JSON responses from Elastic Search.

Problem Description
===================
A double free memory corruption exists in all implementations of the rsyslog omelasticsearch plugin up to 7.4.1 stable and 7.5.1 devel. The variable rendered in function writeDataError of omelasticsearch.c is freed twice. This allows heap corruption and possible code execution if an attacker is able to control memory between subsequent calls to free.

Temporary Workaround and Fix
============================
It is advised to update to version 7.4.2 stable or 7.5.2 of rsyslog as soon as possible. The following patch provides a workaround for version 7.5.1:

<--> - --- plugins/omelasticsearch/omelasticsearch.c.orig 2013-07-03 16:53:49.000000000 +0200 +++ plugins/omelasticsearch/omelasticsearch.c 2013-07-03 16:53:52.000000000 +0200 
@@ -484,6 +484,7 @@ writeDataError(instanceData *pData, cJSO errno, (long long) wrRet); } free(rendered); + rendered = NULL; cJSON_Delete(errRoot); *pReplyRoot = NULL; /* tell caller not to delete once again! */ <-->

History
=======
2013-06-27 Problem discovery during code review at customer
2013-07-03 Original vendor contacted
2013-07-03 Vulnerability confirmed by vendor
2013-07-03 Fix Released
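Review bot: Nulling `rendered` only turns the later free in the same function into a free(NULL); since the advisory states the variable is freed twice inside writeDataError, the proper fix is to drop the redundant free(rendered) rather than rely on this assignment, and the patch description should call this out as the stop-gap it is. The idiom is at least consistent with the adjacent context line `*pReplyRoot = NULL; /* tell caller not to delete once again! */`, which already protects errRoot the same way. The hunk also carries no note that this path is reached only when the omelasticsearch "errorfile" parameter is configured, which the 7.4.2 changelog quoted later on this bug states; adding that to the description would help distribution maintainers judge exposure.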
official patch: http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=80f88242982c9c6ad6ce8628fc5b94ea74051cf4
http://bugzilla.adiscon.com/show_bug.cgi?id=461
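The pattern the advisory describes, as an added illustration that is not rsyslog's code: a constructed model of writeDataError in which a rendered buffer is freed on the write-error path and again by the common cleanup, with a hypothetical tracked_free() that counts a repeated free of the same block instead of handing it to the allocator a second time, so both variants can be run safely; the nullify flag applies the advisory's one-line fix.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical instrumentation (not from rsyslog): remembers the block most
 * recently freed so a second free of the same pointer is counted and skipped
 * instead of corrupting the heap. Nothing is allocated between the two frees
 * in the modelled function, so the comparison is sound here. */
static void *last_freed = NULL;
static int double_frees = 0;

static void tracked_free(void *p)
{
    if (p == NULL)
        return;                 /* free(NULL) is a no-op, as in libc */
    if (p == last_freed) {
        double_frees++;         /* this would have been the double free */
        return;
    }
    last_freed = p;
    free(p);
}

/* Constructed model of writeDataError(): render an error record, simulate the
 * write to the errorfile, release the buffer on failure, then run the common
 * cleanup. 'nullify' applies the advisory's patch after the first free. */
static int write_data_error(const char *record, int write_fails, int nullify)
{
    size_t len = strlen(record) + 1;
    char *rendered = malloc(len);
    if (rendered == NULL)
        return -1;
    memcpy(rendered, record, len);

    if (write_fails) {
        tracked_free(rendered); /* first free, on the error path */
        if (nullify)
            rendered = NULL;    /* patched: later free becomes free(NULL) */
    }
    tracked_free(rendered);     /* common cleanup: second free when unpatched */
    return write_fails ? 1 : 0;
}

/* Runs one scenario and returns how many double frees the tracker observed. */
static int double_frees_for(int write_fails, int nullify)
{
    last_freed = NULL;
    double_frees = 0;
    write_data_error("{\"error\":\"constructed sample\"}", write_fails, nullify);
    return double_frees;
}
```

Only the combination of a failed write and the unpatched cleanup produces a repeated free, which matches the changelog's remark that the bug needs the errorfile path to be exercised.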
"if he can manipulate JSON responses from Elastic Search." seems an awfully unlikely scenario
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
You may want to update your advisory that versions 7.3.1 (devel) and below and 7.2.8 (stable) and below are not affected. The code in question was introduced in 7.3.2 and subsequently merged to 7.4.0 stable.

-> openSUSE Factory is affected, rest is too old (cross checking SLE11 SP3 and 12.3)
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
we got assigned CVE-2013-4758 and updated the Advisory at http://www.lsexperts.de/advisories/lse-2013-07-03.txt accordingly.
bugbot adjusting priority
Fixed updating 7.4.1 to 7.4.2 in openSUSE:Factory, request #182284:

- Update to 7.4.2 [v7.4-stable] (bnc#828140, CVE-2013-4758):
  - bugfix: in RFC5425 TLS, multiple wildcards in auth could cause segfault
  - bugfix: RainerScript object required parameters were not properly checked - this could result in segfaults on startup if parameters were missing.
  - bugfix: double-free in omelasticsearch
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=461
    a security advisory for this bug is available at: http://www.lsexperts.de/advisories/lse-2013-07-03.txt
    PLEASE NOTE: This issue only existed if omelasticsearch was used in a non-default configuration, where the "errorfile" parameter was specified. Without that parameter set, the bug could not be triggered.
    Thanks to Markus Vervier and Marius Ionescu for providing a detailed bug report. Special thanks to Markus for coordinating his security advisory with us.
  - bugfix: omrelp potential segfault at startup on invalid config parameters
  - bugfix: small memory leak when $uptime property was used
  - bugfix: potential segfault on rsyslog termination in imudp
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=456
  - bugfix: lmsig_gt abort on invalid configuration parameters
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=448
    Thanks to Risto Laanoja for the patch.
  - imtcp: fix typo in "listner" parameter, which is "listener". Currently, both names are accepted.
  - solved build problems on FreeBSD
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=457
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=458
    Thanks to Christiano for reporting and suggesting patches
  - solved build problems on CENTOS5

Other openSUSE versions are not affected (using <= 7.2.x version, see also comment #4).
done
This is an autogenerated message for OBS integration: This bug (828140) was mentioned in https://build.opensuse.org/request/show/182284 Factory / rsyslog