FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

syslog-ng2 -- startup directory leakage in the chroot environment

Affected packages
syslog-ng2 < 2.0.9_2
syslog-ng <= 1.6.12_1

Details

VuXML ID 75f2382e-b586-11dd-95f9-00e0815b8da8
Discovery 2008-11-15
Entry 2008-11-18
Modified 2009-07-01

Florian Grandel reports:

I have not had the time to analyze all of syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail's location before chrooting into it.

This opens up ways to work around the chroot jail.

References

CVE Name CVE-2008-5110
URL http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791
URL http://www.openwall.com/lists/oss-security/2008/11/17/3