rebase to 8.2210.0

resolves: rhbz#2097173
  Drop capabilities to the necessary set via libcap-ng
  resolves: rhbz#2127403

.gitignore

@@ -83,3 +83,5 @@ rsyslog-4.6.3.tar.gz
 /qpid-proton-0.34.0.tar.gz
 /rsyslog-8.2204.0.tar.gz
 /rsyslog-doc-8.2204.0.tar.gz
+/rsyslog-8.2210.0.tar.gz
+/rsyslog-doc-8.2210.0.tar.gz

rsyslog-8.2204.0-rhbz2082302-CVE-heap-based-buffer-overflow.patch

@@ -1,45 +0,0 @@
-diff --git a/contrib/imhttp/imhttp.c b/contrib/imhttp/imhttp.c
-index f09260b586..95704af985 100644
---- a/contrib/imhttp/imhttp.c
-+++ b/contrib/imhttp/imhttp.c
-@@ -487,7 +487,9 @@ processOctetMsgLen(const instanceConf_t *const inst, struct conn_wrkr_s *connWrk
- 				connWrkr->parseState.iOctetsRemain = connWrkr->parseState.iOctetsRemain * 10 + ch - '0';
- 			}
- 			// temporarily save this character into the message buffer
--			connWrkr->pMsg[connWrkr->iMsg++] = ch;
-+			if(connWrkr->iMsg + 1 < s_iMaxLine) {
-+				connWrkr->pMsg[connWrkr->iMsg++] = ch;
-+			}
- 		} else {
- 			const char *remoteAddr = "";
- 			if (connWrkr->propRemoteAddr) {
-diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
-index 2df46a236c..c32dec5851 100644
---- a/plugins/imptcp/imptcp.c
-+++ b/plugins/imptcp/imptcp.c
-@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
- 			if(pThis->iOctetsRemain <= 200000000) {
- 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
- 			}
--			*(pThis->pMsg + pThis->iMsg++) = c;
-+			if(pThis->iMsg < iMaxLine) {
-+				*(pThis->pMsg + pThis->iMsg++) = c;
-+			}
- 		} else { /* done with the octet count, so this must be the SP terminator */
- 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
- 			prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
-diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
-index 0efa2c23c4..c5442f7638 100644
---- a/runtime/tcps_sess.c
-+++ b/runtime/tcps_sess.c
-@@ -390,7 +390,9 @@ processDataRcvd(tcps_sess_t *pThis,
- 			if(pThis->iOctetsRemain <= 200000000) {
- 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
- 			}
--			*(pThis->pMsg + pThis->iMsg++) = c;
-+			if(pThis->iMsg < iMaxLine) {
-+				*(pThis->pMsg + pThis->iMsg++) = c;
-+			}
- 		} else { /* done with the octet count, so this must be the SP terminator */
- 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
- 			prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);

rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch

@@ -0,0 +1,258 @@
+From e9f85312630eb25d0985e911475803bd06f4173e Mon Sep 17 00:00:00 2001
+From: alakatos <alakatos@redhat.com>
+Date: Thu, 13 Oct 2022 10:41:38 +0200
+Subject: [PATCH 1/2] Introduce --enable-libcap-ng configure option
+
+The option allows to drop the capabilities to only
+the necessary set, to minimize security exposure in
+case there was ever a mistake in a networking
+plugin or some other input resource. Resolves #4986
+---
+ configure.ac      | 24 ++++++++++++++++++++++++
+ runtime/debug.c   |  4 ++--
+ runtime/modules.c |  6 +++---
+ runtime/rsyslog.h |  1 +
+ tools/rsyslogd.c  | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 72 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9f73a708d0..958c26245e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -377,6 +377,28 @@ AC_ARG_ENABLE(fmhash,
+ 	[enable_fmhash=yes]
+ )
+ 
++AC_ARG_ENABLE(libcap-ng,
++        [AS_HELP_STRING([--enable-libcap-ng],[Enable dropping capabilities to only the necessary set @<:@default=no@:>@])],
++        [case "${enableval}" in
++         yes) enable_libcapng="yes" ;;
++          no) enable_libcapng="no" ;;
++           *) AC_MSG_ERROR(bad value ${enableval} for --enable_libcapng) ;;
++         esac],
++        [enable_libcapng=no]
++)
++
++if test "$enable_libcapng" = "yes"; then
++        PKG_CHECK_MODULES(
++                [LIBCAPNG],
++                [libcap-ng >= 0.8.2],
++                [AC_DEFINE([ENABLE_LIBCAPNG], [1], [Indicator that libcap-ng is present])],
++                [AC_MSG_ERROR(libcap-ng is not present.)]
++        )
++        CFLAGS="$CFLAGS $LIBCAPNG_CFLAGS"
++        LIBS="$LIBS $LIBCAPNG_LIBS"
++fi
++
++
+ AC_ARG_ENABLE(fmhash-xxhash,
+ 	[AS_HELP_STRING([--enable-fmhash-xxhash],[Enable xxhash in fmhash support @<:@default=no@:>@])],
+         [case "${enableval}" in
+@@ -2820,6 +2842,8 @@ echo "    liblogging-stdlog support enabled:        $enable_liblogging_stdlog"
+ echo "    libsystemd enabled:                       $enable_libsystemd"
+ echo "    kafka static linking enabled:             $enable_kafka_static"
+ echo "    atomic operations enabled:                $enable_atomic_operations"
++echo "    libcap-ng support enabled:                $enable_libcapng"
++
+ echo
+ echo "---{ input plugins }---"
+ if test "$unamestr" != "AIX"; then
+diff --git a/runtime/debug.c b/runtime/debug.c
+index a655bc2e4e..6e6c9fd38f 100644
+--- a/runtime/debug.c
++++ b/runtime/debug.c
+@@ -250,7 +250,7 @@ r_dbgoprint( const char *srcname, obj_t *pObj, const char *fmt, ...)
+ 
+ 	if(!(Debug && debugging_on))
+ 		return;
+-	
++
+ 	if(!checkDbgFile(srcname)) {
+ 		return;
+ 	}
+@@ -435,7 +435,7 @@ rsRetVal dbgClassInit(void)
+ {
+ 	rsRetVal iRet;	/* do not use DEFiRet, as this makes calls into the debug system! */
+ 
+-	
++
+ 	(void) pthread_key_create(&keyThrdName, dbgThrdNameDestruct);
+ 
+ 	/* while we try not to use any of the real rsyslog code (to avoid infinite loops), we
+diff --git a/runtime/modules.c b/runtime/modules.c
+index 810b2e9b52..b39bd9f066 100644
+--- a/runtime/modules.c
++++ b/runtime/modules.c
+@@ -595,7 +595,7 @@ doModInit(pModInit_t modInit, uchar *name, void *pModHdlr, modInfo_t **pNewModul
+ 	CHKiRet((*pNew->modQueryEtryPt)((uchar*)"getKeepType", &modGetKeepType));
+ 	CHKiRet((*modGetKeepType)(&pNew->eKeepType));
+ 	dbgprintf("module %s of type %d being loaded (keepType=%d).\n", name, pNew->eType, pNew->eKeepType);
+-	
++
+ 	/* OK, we know we can successfully work with the module. So we now fill the
+ 	 * rest of the data elements. First we load the interfaces common to all
+ 	 * module types.
+@@ -1242,7 +1242,7 @@ Load(uchar *const pModName, const sbool bConfLoad, struct nvlst *const lst)
+ 		}
+ 
+ 		iLoadCnt++;
+-	
++
+ 	} while(pModHdlr == NULL && *pModName != '/' && pModDirNext);
+ 
+ 	if(load_err_msg != NULL) {
+@@ -1323,7 +1323,7 @@ modulesProcessCnf(struct cnfobj *o)
+ 
+ 	cnfModName = (uchar*)es_str2cstr(pvals[typeIdx].val.d.estr, NULL);
+ 	iRet = Load(cnfModName, 1, o->nvlst);
+-	
++
+ finalize_it:
+ 	free(cnfModName);
+ 	cnfparamvalsDestruct(pvals, &pblk);
+diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
+index 908e5e7b73..01616d8f7d 100644
+--- a/runtime/rsyslog.h
++++ b/runtime/rsyslog.h
+@@ -604,6 +604,7 @@ enum rsRetVal_				/** return value. All methods return this if not specified oth
+ 	RS_RET_REDIS_ERROR = -2452, /**< redis-specific error. See message foe details. */
+ 	RS_RET_REDIS_AUTH_FAILED = -2453, /**< redis authentication failure */
+ 	RS_RET_FAUP_INIT_OPTIONS_FAILED = -2454, /**< could not initialize faup options */
++	RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
+ 
+ 	/* RainerScript error messages (range 1000.. 1999) */
+ 	RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
+diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
+index 31b91a1bd1..c209e1bcdd 100644
+--- a/tools/rsyslogd.c
++++ b/tools/rsyslogd.c
+@@ -37,6 +37,9 @@
+ #ifdef HAVE_LIBSYSTEMD
+ #	include <systemd/sd-daemon.h>
+ #endif
++#ifdef ENABLE_LIBCAPNG
++	#include <cap-ng.h>
++#endif
+ 
+ #include "rsyslog.h"
+ #include "wti.h"
+@@ -2167,6 +2170,45 @@ main(int argc, char **argv)
+ 	fjson_global_do_case_sensitive_comparison(0);
+ 
+ 	dbgClassInit();
++
++#ifdef ENABLE_LIBCAPNG
++	/*
++	 * Drop capabilities to the necessary set
++	 */
++	int capng_rc;
++	capng_clear(CAPNG_SELECT_BOTH);
++
++	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++		CAP_BLOCK_SUSPEND,
++		CAP_CHOWN,
++		CAP_IPC_LOCK,
++		CAP_LEASE,
++		CAP_NET_ADMIN,
++		CAP_NET_BIND_SERVICE,
++		CAP_PERFMON,
++		CAP_SETGID,
++		CAP_SETUID,
++		CAP_SYS_ADMIN,
++		CAP_SYS_CHROOT,
++		CAP_SYS_RESOURCE,
++		CAP_SYSLOG,
++		-1
++	)) != 0) {
++		LogError(0, RS_RET_LIBCAPNG_ERR,
++				"could not update the internal posix capabilities settings "
++				"based on the options passed to it, capng_updatev=%d\n", capng_rc);
++		exit(-1);
++	}
++
++	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
++		LogError(0, RS_RET_LIBCAPNG_ERR,
++			"could not transfer  the  specified  internal posix  capabilities "
++			"settings to the kernel, capng_apply=%d\n", capng_rc);
++		exit(-1);
++	}
++	DBGPRINTF("Capabilities were dropped successfully\n");
++#endif
++
+ 	initAll(argc, argv);
+ #ifdef HAVE_LIBSYSTEMD
+ 	sd_notify(0, "READY=1");
+
+From 305e07a2b757b98dc7e26c148c175901034451b9 Mon Sep 17 00:00:00 2001
+From: alakatos <alakatos@redhat.com>
+Date: Mon, 31 Oct 2022 12:30:48 +0100
+Subject: [PATCH 2/2] Add ability to change uid and gid while retaining the
+ capabilities previously specified
+
+---
+ runtime/rsconf.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/rsconf.c b/runtime/rsconf.c
+index 4620ff8d13..24d1ec3570 100644
+--- a/runtime/rsconf.c
++++ b/runtime/rsconf.c
+@@ -34,6 +34,10 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/socket.h>
++#ifdef ENABLE_LIBCAPNG
++	#include <cap-ng.h>
++#endif
++
+ 
+ #include "rsyslog.h"
+ #include "obj.h"
+@@ -656,6 +660,7 @@ rsRetVal doDropPrivGid(rsconf_t *cnf)
+ 	uchar szBuf[1024];
+ 	DEFiRet;
+ 
++#ifndef ENABLE_LIBCAPNG
+ 	if(!cnf->globals.gidDropPrivKeepSupplemental) {
+ 		res = setgroups(0, NULL); /* remove all supplemental group IDs */
+ 		if(res) {
+@@ -668,9 +673,19 @@ rsRetVal doDropPrivGid(rsconf_t *cnf)
+ 	res = setgid(cnf->globals.gidDropPriv);
+ 	if(res) {
+ 		LogError(errno, RS_RET_ERR_DROP_PRIV,
+-				"could not set requested group id %d", cnf->globals.gidDropPriv);
++				"could not set requested group id %d via setgid()", cnf->globals.gidDropPriv);
+ 		ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
+ 	}
++#else
++	int capng_flags = cnf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
++	res = capng_change_id(-1, cnf->globals.gidDropPriv, capng_flags);
++	if (res) {
++		LogError(0, RS_RET_LIBCAPNG_ERR,
++				"could not set requested group id %d via capng_change_id()", cnf->globals.gidDropPriv);
++		ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
++	}
++#endif
++
+ 	DBGPRINTF("setgid(%d): %d\n", cnf->globals.gidDropPriv, res);
+ 	snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
+ 		 cnf->globals.gidDropPriv);
+@@ -705,12 +720,18 @@ static void doDropPrivUid(rsconf_t *cnf)
+ 			cnf->globals.uidDropPriv);
+ 	}
+ 
++#ifndef ENABLE_LIBCAPNG
+ 	res = setuid(cnf->globals.uidDropPriv);
++#else
++	int capng_flags = cnf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
++	res = capng_change_id(cnf->globals.uidDropPriv, -1, capng_flags);
++#endif
+ 	if(res) {
+ 		/* if we can not set the userid, this is fatal, so let's unconditionally abort */
+ 		perror("could not set requested userid");
+ 		exit(1);
+ 	}
++
+ 	DBGPRINTF("setuid(%d): %d\n", cnf->globals.uidDropPriv, res);
+ 	snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's userid changed to %d", cnf->globals.uidDropPriv);
+ 	logmsgInternal(NO_ERRCODE, LOG_SYSLOG|LOG_INFO, szBuf, 0);

rsyslog.spec

@@ -7,8 +7,8 @@
 
 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
-Version: 8.2204.0
-Release: 3%{?dist}
+Version: 8.2210.0
+Release: 1%{?dist}
 License: (GPLv3+ and ASL 2.0)
 URL: http://www.rsyslog.com/
 Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@@ -22,7 +22,7 @@ Source5: rsyslog.service
 Source6: qpid-proton-0.34.0.tar.gz
 
 Patch0: openssl3-compatibility.patch
-Patch1: rsyslog-8.2204.0-rhbz2082302-CVE-heap-based-buffer-overflow.patch
+Patch1: rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch
 
 BuildRequires: make
 BuildRequires: gcc
@@ -42,6 +42,7 @@ BuildRequires: python3-docutils
 BuildRequires: systemd-devel >= 204-8
 BuildRequires: zlib-devel
 BuildRequires: openssl-devel
+BuildRequires: libcap-ng-devel
 
 Requires: openssl-libs
 Recommends: %{name}-logrotate = %version-%release
@@ -300,7 +301,7 @@ pushd ..
 %patch0 -p1 -b .openssl-compatibility
 popd
 
-%patch1 -p1 -b .CVE-buffer-overflow
+%patch1 -p1 -b .libcap-ng
 
 %build
 %ifarch sparc64
@@ -350,6 +351,7 @@ autoreconf -if
 	--enable-clickhouse \
 	--enable-imdocker \
 	--enable-improg \
+	--enable-libcap-ng \
 	--enable-libdbi \
 	--enable-omamqp1 \
 	--enable-omhiredis \
@@ -586,6 +588,12 @@ done
 
 
 %changelog
+* Wed Nov 09 2022 Attila Lakatos <alakatos@redhat.com> - 8.2210.0-1
+- rebase to 8.2210.0
+  resolves: rhbz#2097173
+- Drop capabilities to the necessary set via libcap-ng
+  resolves: rhbz#2127403
+
 * Wed Jul 27 2022 Attila Lakatos <alakatos@redhat.com> - 8.2204.0-3
 - Restore default omfile template
   resolves: rhbz#2088618

sources

@@ -1,3 +1,3 @@
-SHA512 (rsyslog-8.2204.0.tar.gz) = d26ab950788b8931b895719f7d8a42509f709b69a76e4188df16f72be050863ee402310ad9300840fed4ac089638497725d67433172778be7b2932fa82210472
-SHA512 (rsyslog-doc-8.2204.0.tar.gz) = 361528b95c1f02cdc2b2ca8ba5252c8215996e81ef1602e08c46be4e1fd8c1c287dd7d52ae9b2b58c0ec7fe38d7079a89e10642ac3f34fe0b6c5737968999fb4
 SHA512 (qpid-proton-0.34.0.tar.gz) = 0de6c3d11baeee1d69821a0f1879a61b314f14589e02ea7ed0de8814c741217fdcafdd978b4061f73bc75588886299f4ac6808021506545ec8a883f39ad54fb3
+SHA512 (rsyslog-8.2210.0.tar.gz) = c665b7f7a3c5ef31c9b62b50f815cfbb52db0cbe4a06934f4f1c3cd2a56fb49c319d33857ee92ab843aa5894cac16c16b8eccdf83714f31ab57a95049c4af231
+SHA512 (rsyslog-doc-8.2210.0.tar.gz) = e7847a9307a91fdf87d6cf91d2391eb75869679905b9598310c456fb3fe1864fc06dbdc649778f5b3788e47ffda0a6d89cb894258e55db441f7df7e74b0ae9f4