Bug 42 - Incomplete Logging Code
Status: RESOLVED WONTFIX
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.3
Hardware: All All
Importance: normal normal
Assigned To: Todd C. Miller
URL: http://cert.uni-stuttgart.de/archive/...
Reported: 2001-06-15 09:10 MDT by Florian.Weimer
Modified: 2001-06-15 14:12 MDT (History)
Description Florian.Weimer 2001-06-15 09:10:38 MDT
The logging code (in which the buffer overflow was found, which turned out
to be exploitable at least on some platforms) can be tricked into not logging
all information. Please see the attached URL for an analysis of the problem.
Comment 1 Todd C. Miller 2001-06-15 10:12:59 MDT
I don't consider this a problem since even if the long word was passed to syslog() it would get truncated anyway (since syslog has its own line length limits).  Please note that long commands are still logged, it is only long *words* (> ~900 characters) that are truncated.  In normal (non-attack) usage this simply does not occur.
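
The thread above concerns long words being cut short when a command line is logged. As an added example (not part of the bug thread and not sudo's code), this C function splits a log message into bounded lines and continues an over-long word on the next line instead of dropping its tail. The 900-byte limit, the function and struct names, and the sample message are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHUNK 900  /* assumed limit, from the "~900 characters" figure above */

struct split_stats {
    size_t chunks;      /* lines handed to the logger */
    size_t bytes_out;   /* bytes emitted; separator spaces at a break are not emitted */
    size_t hard_splits; /* breaks made inside a word longer than the limit */
};

/* Split msg into chunks of at most max bytes, breaking at a space when the
 * window contains one. A word longer than max is cut and continued on the
 * next chunk rather than discarded. out may be NULL to only collect stats. */
struct split_stats split_log_line(const char *msg, size_t max, FILE *out)
{
    struct split_stats st = {0, 0, 0};
    size_t len = strlen(msg), pos = 0, take;

    while (max > 0 && pos < len) {
        if (msg[pos] == ' ') {           /* separator left by the previous break */
            pos++;
            continue;
        }
        take = len - pos;
        if (take > max) {
            /* Look backwards from the limit for a space to break at. */
            for (take = max; take > 0 && msg[pos + take] != ' '; take--)
                ;
            if (take == 0) {             /* no space in the window: word > max */
                take = max;
                st.hard_splits++;
            }
        }
        if (out)
            fprintf(out, "%.*s\n", (int)take, msg + pos);
        st.chunks++;
        st.bytes_out += take;
        pos += take;
    }
    return st;
}

int main(void)
{
    static char msg[2100] = "user : COMMAND=/bin/echo "; /* constructed sample */
    memset(msg + strlen(msg), 'A', 2000);                 /* one 2000-byte word */
    struct split_stats st = split_log_line(msg, MAX_CHUNK, stdout);
    return st.hard_splits == 2 ? 0 : 1;
}
```

A nonzero `hard_splits` count is also a useful signal for a log consumer, since the thread notes that words this long do not occur in normal usage.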