From 5e71b41f7601965333a6c6ea887a4ba4125dfa90 Mon Sep 17 00:00:00 2001
From: alakatos
Date: Tue, 10 May 2022 21:24:40 +0200
Subject: [PATCH] Address CVE-2022-24903, Heap-based overflow in TCP syslog server
resolves: rhbz#2081403
---
...og-8.37.0-rhbz2081396-CVE-2022-24903.patch | 30 +++++++++++++++++++
rsyslog.spec | 8 ++++-
2 files changed, 37 insertions(+), 1 deletion(-)
create mode 100644 rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch
diff --git a/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch b/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch
new file mode 100644
index 0000000..e3b1453
--- /dev/null
+++ b/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch
@@ -0,0 +1,30 @@
+diff -up rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig rsyslog-8.37.0/plugins/imptcp/imptcp.c
+--- rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig 2022-05-09 12:22:59.050623119 +0200
++++ rsyslog-8.37.0/plugins/imptcp/imptcp.c 2022-05-09 12:34:39.979854853 +0200
+@@ -1032,7 +1032,10 @@ processDataRcvd(ptcpsess_t *const __rest
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ // *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff -up rsyslog-8.37.0/runtime/tcps_sess.c.orig rsyslog-8.37.0/runtime/tcps_sess.c
+--- rsyslog-8.37.0/runtime/tcps_sess.c.orig 2022-05-09 12:23:12.789627661 +0200
++++ rsyslog-8.37.0/runtime/tcps_sess.c 2022-05-09 12:36:51.426898549 +0200
+@@ -389,7 +389,10 @@ processDataRcvd(tcps_sess_t *pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ // *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
diff --git a/rsyslog.spec b/rsyslog.spec
index 60ea5d6..d5988f2 100644
--- a/rsyslog.spec
+++ b/rsyslog.spec
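Review bot: The embedded patch was generated against rsyslog-8.37.0 (its paths and the inner hunk offsets 1032 and 389 come from that tree) while rsyslog.spec builds Version 8.2102.0, so both bounds checks land only by offset matching when `%patch13 -p1` runs. It would be safer to regenerate the patch against 8.2102.0, or at least confirm in the build log that each hunk lands in the octet-count digit branch of `processDataRcvd` in both imptcp.c and tcps_sess.c. The guard `if(pThis->iMsg < iMaxLine)` is sufficient only if `pMsg` holds at least `iMaxLine` bytes; the allocation of `pMsg` and the definition of `iMaxLine` are outside these hunks, so that needs checking in the 8.2102.0 sources. The commented-out `// *(pThis->pMsg + pThis->iMsg++) = c;` keeps the unchecked write visible in the patched source and should be dropped from both inner hunks, since the removed line already records it. Digits past the limit are discarded silently here; unless the code after this branch already reports the oversized octet count, a log message naming the peer would make such frames visible to operators.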
@@ -5,7 +5,7 @@ Summary: Enhanced system logging and kernel message trapping daemon Name: rsyslog Version: 8.2102.0 -Release: 104%{?dist} +Release: 105%{?dist} License: (GPLv3+ and ASL 2.0) URL: http://www.rsyslog.com/ Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz @@ -31,6 +31,7 @@ Patch9: openssl3-compatibility.patch Patch10: rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch Patch11: rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch Patch12: rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch +Patch13: rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch BuildRequires: make BuildRequires: gcc @@ -275,6 +276,7 @@ mv build doc %patch10 -p1 -b .statefile-fix %patch11 -p1 %patch12 -p1 -b .gnutls-broken-connection +%patch13 -p1 -b .CVE pushd .. %patch9 -p1 -b .openssl-compatibility @@ -539,6 +541,10 @@ done %changelog +* Mon May 09 2022 Attila Lakatos - 8.2102.0-105 +- Address CVE-2022-24903, Heap-based overflow in TCP syslog server + resolves: rhbz#2081403 + * Tue Apr 19 2022 Attila Lakatos - 8.2102.0-104 - Do not save patched doc files resolves: rhbz#2069664