{"vuid":"VU#249579","idnumber":"249579","name":"klogd does not adequately handle NULL byte when parsing text using LogLine( )","keywords":["klogd","null byte","LogLine( )","parsing text","infinite loop","copyin( )","VU#249579"],"overview":"There is a denial-of-service vulnerability in certain distributions of the Linux kernel logging daemon (klogd) which could allow an attacker to cause klogd to hang.","clean_desc":"The Linux kernel logging daemon (klogd) can be forced to hang if it receives a null byte in a log message from the Linux kernel. Please see the following bug report for more information: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=85478","impact":"This vulnerability causes klogd to go into an infinite loop, thus preventing further kernel log messages from being written to disk.","resolution":"Upgrade to the latest version of klogd for your Linux distribution.","workarounds":"The following workaround is taken from http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=85478: The patch below contains a possible fix for this, by treating a null byte as a delimiter, equivalent to \\n. Additionally, the patch prevents LogLine from being invoked with a negative counter as an argument. diff -u sysklogd-1.3.orig/klogd.c sysklogd-1.3/klogd.c\n--- sysklogd-1.3.orig/klogd.c\t\t Sat Feb 10 13:04:06 2001\n+++ sysklogd-1.3/klogd.c\t\t Sat Feb 10 12:58:11 2001\n@@ -707,7 +707,7 @@\n \t\t \t\t   break; /* full line_buff or end of input buffer */ -               if( *ptr == '\\n' )  /* newline */\n+               if( *ptr == '\\n' || *ptr == '\\0')  /* newline or null terminator */ ptr++; /* skip newline */\n                   space -= 1; @@ -877,8 +877,10 @@\n \t\t \t\t fprintf(stderr, \"klogd: Error return from sys_sycall: \" \\\n \t\t \t\t \t\t \"%d - %s\\n\", errno, strerror(errno)); -\t\t LogLine(log_buffer, rdcnt); +\t\t else\n+        \t\t LogLine(log_buffer, rdcnt); return; 
@@ -902,8 +904,8 @@\n \t\t \t\t Syslog(LOG_ERR, \"Cannot read proc file system: %d - %s.\", \\\n \t\t \t\t        errno, strerror(errno)); -\t\t LogLine(log_buffer, rdcnt); +        else\n+    \t\t \t\t LogLine(log_buffer, rdcnt); return;","sysaffected":"","thanks":"This vulnerability was discovered by Thomas Roessler <roessler@does-not-exist.org> and was reported to the bugs.debian.org mailing list on February 10, 2001.","author":"This document was written by Ian A. Finlay","public":["http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=85478","http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-026-01"],"cveids":["CVE-2001-0738"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-06-15T12:50:14Z","publicdate":"2001-02-10T00:00:00Z","datefirstpublished":"2001-07-24T12:54:41Z","dateupdated":"2003-04-09T19:19:45Z","revision":51,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"10","cam_impact":"3","cam_easeofexploitation":"13","cam_attackeraccessrequired":"10","cam_scorecurrent":"1.828125","cam_scorecurrentwidelyknown":"1.828125","cam_scorecurrentwidelyknownexploited":"3.290625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":1.828125,"vulnote":null}
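Review bot: the comment on the line after the changed test in the @@ -707 hunk is now stale. `ptr++; /* skip newline */` also skips a null byte once the condition reads `*ptr == '\n' || *ptr == '\0'`, so reword it to cover both cases. A short code comment saying that a null byte from the kernel buffer is deliberately treated as a line delimiter would also help, since nothing in the visible lines records that this is the fix for the hang.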
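Review bot: in the @@ -877 and @@ -902 hunks the added `else` pairs with an `if` that lies outside the visible context, and neither branch is braced, so the guard on `LogLine(log_buffer, rdcnt)` holds only as long as the error branch stays a single statement. Brace both branches, and consider testing `rdcnt` for a negative value explicitly at the call so the stated intent (never invoking LogLine with a negative counter) is visible where the call is made.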