Syslog-ng is a portable syslog implementation. Its highlights include regexp-based log selection, TCP transport and more. A security vulnerability in the product allows remote attackers to cause a Denial of Service against it.
Vulnerable systems:
Syslog-ng versions prior to and including 1.4.8
When syslog-ng parses log messages, a variable named "left" is used to store the remaining length of the log message. The priority part in the message should look like this:
<6>
When the line ends without the closing '>', this "left" variable becomes -1 due to a programming bug.
The remaining part of the message parsing routine checks whether there are any characters left using the condition left != 0. Since -1 is not 0, this condition evaluates to true.
The newer versions of Syslog-ng (after 1.4.7) filter out the \r and \n characters from log messages and replace them with spaces to avoid cluttering the log files. Due to the problem in the parsing of log messages, this character replacement may access an inaccessible memory region, which causes a segmentation fault. So sending a "<6", terminated with a new line, to one of the input channels causes a SIGSEGV.
Prior to 1.4.7, this character change was not implemented, so mounting a DoS attack is not so trivial, but is still possible.
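The arithmetic described above, as an added C example that is not syslog-ng's own code: a simplified priority-field parser whose unguarded form takes "left" from 0 to -1 on an unterminated field, next to the guarded form, plus a CR/LF cleanup loop bounded by left > 0 rather than left != 0. The names parse_pri, guarded and sanitize are hypothetical, the exact shape of the original bug is an assumption, and the inputs are constructed.

```c
#include <stdio.h>

/* Simplified reconstruction (assumption, not the project's code).
 * Returns the value of "left" after the priority field is consumed.
 * guarded == 0 models the flawed pattern, guarded == 1 the hardened one. */
static int parse_pri(const char *msg, int len, int guarded, int *pri)
{
    int i = 0, left = len;

    *pri = 0;
    if (left > 0 && msg[i] == '<') {
        i++; left--;
        while (left > 0 && msg[i] != '>') {
            if (msg[i] >= '0' && msg[i] <= '9')
                *pri = *pri * 10 + (msg[i] - '0');
            i++; left--;
        }
        /* Flawed form skips '>' unconditionally, so an unterminated field
         * takes left from 0 to -1; the hardened form checks first. */
        if (!guarded || left > 0) { i++; left--; }
    }
    return left;
}

/* CR/LF cleanup bounded by "left > 0" instead of "left != 0", so a negative
 * count can never drive the loop. Returns the number of bytes replaced. */
static int sanitize(char *p, int left)
{
    int changed = 0;

    for (; left > 0; p++, left--)
        if (*p == '\r' || *p == '\n') { *p = ' '; changed++; }
    return changed;
}

int main(void)
{
    int pri;
    char body[] = "hello\r\n";  /* constructed sample message body */

    printf("unguarded: left=%d\n", parse_pri("<6", 2, 0, &pri));
    printf("guarded:   left=%d\n", parse_pri("<6", 2, 1, &pri));
    printf("replaced:  %d\n", sanitize(body, 7));
    return 0;
}
```

With a signed length, comparing with > 0 in every consuming loop keeps a single off-by-one from turning into an unbounded walk through memory.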
Impact:
Sending a carefully crafted syslog packet may cause syslog-ng to exit with a Segmentation Fault.
Solution:
Upgrade syslog-ng to 1.4.9, which is a security upgrade and changes nothing compared to 1.4.8, or apply this patch: