RHEL 8.9 ERRATUM

Fix wrong type conversion in cstrLen() resolves: rhbz#2157804 imjournal: by default retrieves _PID from journal as PID number resolves: rhbz#2176398 Systemd service file hardening resolves: rhbz#2176404
2023-05-09 09:34:49 +02:00 · 2023-05-09 09:34:49 +02:00 · 4d9421aa33
commit 4d9421aa33
parent 3669471298
4 changed files with 96 additions and 1 deletions
--- a/rsyslog-8.2102.0-rhbz2157804-cstrlen.patch
+++ b/rsyslog-8.2102.0-rhbz2157804-cstrlen.patch
@ -0,0 +1,72 @@
+diff -up rsyslog-8.2102.0/parse.h.orig rsyslog-8.2102.0/parse.h
+--- rsyslog-8.2102.0/parse.h.orig	2023-05-09 09:10:09.236597063 +0200
+++ rsyslog-8.2102.0/parse.h	2023-05-09 09:10:26.913608034 +0200
+@@ -56,7 +56,7 @@ struct rsParsObject
+ 	rsObjID OID;			/**< object ID */
+ #endif
+ 	cstr_t *pCStr;		/**< pointer to the string object we are parsing */
+-	int iCurrPos;			/**< current parsing position (char offset) */
+	size_t iCurrPos;			/**< current parsing position (char offset) */
+ };
+ typedef struct rsParsObject rsParsObj;
+ 
+diff -up rsyslog-8.2102.0/runtime/stream.c.orig rsyslog-8.2102.0/runtime/stream.c
+--- rsyslog-8.2102.0/runtime/stream.c.orig	2023-05-09 09:10:34.122612508 +0200
+++ rsyslog-8.2102.0/runtime/stream.c	2023-05-09 09:12:47.934640583 +0200
+@@ -1071,7 +1071,7 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 	cstr_t *thisLine = NULL;
+ 	rsRetVal readCharRet;
+ 	const time_t tCurr = pThis->readTimeout ? getTime(NULL) : 0;
+-	int maxMsgSize = glblGetMaxLine();
+	size_t maxMsgSize = glblGetMaxLine();
+ 	DEFiRet;
+ 
+ 	do {
+@@ -1132,9 +1132,9 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 					}
+ 
+ 
+-					int currLineLen = cstrLen(thisLine);
+					size_t currLineLen = cstrLen(thisLine);
+ 					if(currLineLen > 0) {
+-						int len;
+						size_t len;
+ 						if((len = cstrLen(pThis->prevMsgSegment) + currLineLen) <
+ 						maxMsgSize) {
+ 							CHKiRet(cstrAppendCStr(pThis->prevMsgSegment, thisLine));
+@@ -1144,7 +1144,7 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 								len = 0;
+ 							} else {
+ 								len = currLineLen-(len-maxMsgSize);
+-								for(int z=0; z<len; z++) {
+								for(size_t z=0; z<len; z++) {
+ 									cstrAppendChar(pThis->prevMsgSegment,
+ 										thisLine->pBuf[z]);
+ 								}
+diff -up rsyslog-8.2102.0/runtime/stringbuf.c.orig rsyslog-8.2102.0/runtime/stringbuf.c
+--- rsyslog-8.2102.0/runtime/stringbuf.c.orig	2023-05-09 09:09:37.627577446 +0200
+++ rsyslog-8.2102.0/runtime/stringbuf.c	2023-05-09 09:09:59.061590749 +0200
+@@ -474,7 +474,7 @@ finalize_it:
+  * This is due to performance reasons.
+  */
+ #ifndef NDEBUG
+-int cstrLen(cstr_t *pThis)
+size_t cstrLen(cstr_t *pThis)
+ {
+ 	rsCHECKVALIDOBJECT(pThis, OIDrsCStr);
+ 	return(pThis->iStrLen);
+diff -up rsyslog-8.2102.0/runtime/stringbuf.h.orig rsyslog-8.2102.0/runtime/stringbuf.h
+--- rsyslog-8.2102.0/runtime/stringbuf.h.orig	2023-05-09 09:08:05.199520082 +0200
+++ rsyslog-8.2102.0/runtime/stringbuf.h	2023-05-09 09:09:26.924570803 +0200
+@@ -144,9 +144,9 @@ rsRetVal cstrAppendCStr(cstr_t *pThis, c
+ 
+ /* now come inline-like functions */
+ #ifdef NDEBUG
+-#	define cstrLen(x) ((int)((x)->iStrLen))
+#	define cstrLen(x) ((size_t)((x)->iStrLen))
+ #else
+-	int cstrLen(cstr_t *pThis);
+	size_t cstrLen(cstr_t *pThis);
+ #endif
+ #define rsCStrLen(s) cstrLen((s))
+ 
--- a/rsyslog.conf
+++ b/rsyslog.conf
@ -10,6 +10,7 @@ module(load="imuxsock" 	  # provides support for local system logging (e.g. via
       SysSock.Use="off") # Turn off message reception via local log socket; 
 			  # local messages are retrieved through imjournal now.
 module(load="imjournal" 	    # provides access to the systemd journal
+       UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
       StateFile="imjournal.state") # File to store the position in the journal
 #module(load="imklog") # reads kernel messages (the same are read from journald)
 #module(load="immark") # provides --MARK-- message capability
--- a/rsyslog.service
+++ b/rsyslog.service
@ -13,6 +13,18 @@ ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
 UMask=0066
 StandardOutput=null
 Restart=on-failure
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=net
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @raw-io @reboot @swap @cpu-emulation @obsolete
+LockPersonality=yes
+MemoryDenyWriteExecute=yes

 # Increase the default a bit in order to allow many simultaneous
 # files to be monitored, we might need a lot of fds.
--- a/rsyslog.spec
+++ b/rsyslog.spec
@ -6,7 +6,7 @@
 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
 Version: 8.2102.0
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: (GPLv3+ and ASL 2.0)
 Group: System Environment/Daemons
 ExcludeArch: i686
@ -67,6 +67,7 @@ Patch15: rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch
 Patch16: rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch
 Patch17: rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch
 Patch18: rsyslog-8.2102.0-rhbz2157658-imklog.patch
+Patch19: rsyslog-8.2102.0-rhbz2157804-cstrlen.patch

 %package crypto
 Summary: Encryption support
@ -310,6 +311,7 @@ mv build doc
 %patch16 -p1 -b .extra-ca-files
 %patch17 -p1 -b .extra-ca-files-doc
 %patch18 -p1 -b .imklog-heap
+%patch19 -p1 -b .cstrlen

 %build
 %ifarch sparc64
@ -554,6 +556,14 @@ done
 %{_libdir}/rsyslog/omudpspoof.so

 %changelog
+* Tue May 09 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-14
+- Fix wrong type conversion in cstrLen()
+  resolves: rhbz#2157804
+- imjournal: by default retrieves _PID from journal as PID number
+  resolves: rhbz#2176398
+- Systemd service file hardening
+  resolves: rhbz#2176404
+
 * Mon Jan 09 2023 Attila Lakatos <alaktos@redhat.com> - 8.2102.0-13
 - Make rsyslog-relp require librelp>= 1.9.0
  resolves: rhbz#2029352