diff --git a/.gitignore b/.gitignore
index c2bb745..54c1f3c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -83,3 +83,5 @@ rsyslog-4.6.3.tar.gz
 /qpid-proton-0.34.0.tar.gz
 /rsyslog-8.2204.0.tar.gz
 /rsyslog-doc-8.2204.0.tar.gz
+/rsyslog-8.2210.0.tar.gz
+/rsyslog-doc-8.2210.0.tar.gz
diff --git a/rsyslog-8.2204.0-rhbz2082302-CVE-heap-based-buffer-overflow.patch b/rsyslog-8.2204.0-rhbz2082302-CVE-heap-based-buffer-overflow.patch
deleted file mode 100644
index cfdfc59..0000000
--- a/rsyslog-8.2204.0-rhbz2082302-CVE-heap-based-buffer-overflow.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-diff --git a/contrib/imhttp/imhttp.c b/contrib/imhttp/imhttp.c
-index f09260b586..95704af985 100644
---- a/contrib/imhttp/imhttp.c
-+++ b/contrib/imhttp/imhttp.c
-@@ -487,7 +487,9 @@ processOctetMsgLen(const instanceConf_t *const inst, struct conn_wrkr_s *connWrk
- connWrkr->parseState.iOctetsRemain = connWrkr->parseState.iOctetsRemain * 10 + ch - '0';
- }
- // temporarily save this character into the message buffer
-- connWrkr->pMsg[connWrkr->iMsg++] = ch;
-+ if(connWrkr->iMsg + 1 < s_iMaxLine) {
-+ connWrkr->pMsg[connWrkr->iMsg++] = ch;
-+ }
- } else {
- const char *remoteAddr = "";
- if (connWrkr->propRemoteAddr) {
-diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
-index 2df46a236c..c32dec5851 100644
---- a/plugins/imptcp/imptcp.c
-+++ b/plugins/imptcp/imptcp.c
-@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
- if(pThis->iOctetsRemain <= 200000000) {
- pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
- }
-- *(pThis->pMsg + pThis->iMsg++) = c;
-+ if(pThis->iMsg < iMaxLine) {
-+ *(pThis->pMsg + pThis->iMsg++) = c;
-+ }
- } else { /* done with the octet count, so this must be the SP terminator */
- DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
- prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
-diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
-index 0efa2c23c4..c5442f7638 100644
---- a/runtime/tcps_sess.c
-+++ b/runtime/tcps_sess.c
-@@ -390,7 +390,9 @@ processDataRcvd(tcps_sess_t *pThis,
- if(pThis->iOctetsRemain <= 200000000) {
- pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
- }
-- *(pThis->pMsg + pThis->iMsg++) = c;
-+ if(pThis->iMsg < iMaxLine) {
-+ *(pThis->pMsg + pThis->iMsg++) = c;
-+ }
- } else { /* done with the octet count, so this must be the SP terminator */
- DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
- prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
diff --git a/rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch b/rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch
new file mode 100644
index 0000000..6b3f43f
--- /dev/null
+++ b/rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch
@@ -0,0 +1,258 @@
+From e9f85312630eb25d0985e911475803bd06f4173e Mon Sep 17 00:00:00 2001
+From: alakatos
+Date: Thu, 13 Oct 2022 10:41:38 +0200
+Subject: [PATCH 1/2] Introduce --enable-libcap-ng configure option
+
+The option allows to drop the capabilities to only
+the necessary set, to minimize security exposure in
+case there was ever a mistake in a networking
+plugin or some other input resource. Resolves #4986
+---
+ configure.ac | 24 ++++++++++++++++++++++++
+ runtime/debug.c | 4 ++--
+ runtime/modules.c | 6 +++---
+ runtime/rsyslog.h | 1 +
+ tools/rsyslogd.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 72 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9f73a708d0..958c26245e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -377,6 +377,28 @@ AC_ARG_ENABLE(fmhash,
+ [enable_fmhash=yes]
+ )
+
++AC_ARG_ENABLE(libcap-ng,
++ [AS_HELP_STRING([--enable-libcap-ng],[Enable dropping capabilities to only the necessary set @<:@default=no@:>@])],
++ [case "${enableval}" in
++ yes) enable_libcapng="yes" ;;
++ no) enable_libcapng="no" ;;
++ *) AC_MSG_ERROR(bad value ${enableval} for --enable_libcapng) ;;
++ esac],
++ [enable_libcapng=no]
++)
++
++if test "$enable_libcapng" = "yes"; then
++ PKG_CHECK_MODULES(
++ [LIBCAPNG],
++ [libcap-ng >= 0.8.2],
++ [AC_DEFINE([ENABLE_LIBCAPNG], [1], [Indicator that libcap-ng is present])],
++ [AC_MSG_ERROR(libcap-ng is not present.)]
++ )
++ CFLAGS="$CFLAGS $LIBCAPNG_CFLAGS"
++ LIBS="$LIBS $LIBCAPNG_LIBS"
++fi
++
++
+ AC_ARG_ENABLE(fmhash-xxhash,
+ [AS_HELP_STRING([--enable-fmhash-xxhash],[Enable xxhash in fmhash support @<:@default=no@:>@])],
+ [case "${enableval}" in
+@@ -2820,6 +2842,8 @@ echo " liblogging-stdlog support enabled: $enable_liblogging_stdlog"
+ echo " libsystemd enabled: $enable_libsystemd"
+ echo " kafka static linking enabled: $enable_kafka_static"
+ echo " atomic operations enabled: $enable_atomic_operations"
++echo " libcap-ng support enabled: $enable_libcapng"
++
+ echo
+ echo "---{ input plugins }---"
+ if test "$unamestr" != "AIX"; then
+diff --git a/runtime/debug.c b/runtime/debug.c
+index a655bc2e4e..6e6c9fd38f 100644
+--- a/runtime/debug.c
++++ b/runtime/debug.c
+@@ -250,7 +250,7 @@ r_dbgoprint( const char *srcname, obj_t *pObj, const char *fmt, ...)
+
+ if(!(Debug && debugging_on))
+ return;
+-
++
+ if(!checkDbgFile(srcname)) {
+ return;
+ }
+@@ -435,7 +435,7 @@ rsRetVal dbgClassInit(void)
+ {
+ rsRetVal iRet; /* do not use DEFiRet, as this makes calls into the debug system! */
+
+-
++
+ (void) pthread_key_create(&keyThrdName, dbgThrdNameDestruct);
+
+ /* while we try not to use any of the real rsyslog code (to avoid infinite loops), we
+diff --git a/runtime/modules.c b/runtime/modules.c
+index 810b2e9b52..b39bd9f066 100644
+--- a/runtime/modules.c
++++ b/runtime/modules.c
+@@ -595,7 +595,7 @@ doModInit(pModInit_t modInit, uchar *name, void *pModHdlr, modInfo_t **pNewModul
+ CHKiRet((*pNew->modQueryEtryPt)((uchar*)"getKeepType", &modGetKeepType));
+ CHKiRet((*modGetKeepType)(&pNew->eKeepType));
+ dbgprintf("module %s of type %d being loaded (keepType=%d).\n", name, pNew->eType, pNew->eKeepType);
+-
++
+ /* OK, we know we can successfully work with the module. So we now fill the
+ * rest of the data elements. First we load the interfaces common to all
+ * module types.
+@@ -1242,7 +1242,7 @@ Load(uchar *const pModName, const sbool bConfLoad, struct nvlst *const lst)
+ }
+
+ iLoadCnt++;
+-
++
+ } while(pModHdlr == NULL && *pModName != '/' && pModDirNext);
+
+ if(load_err_msg != NULL) {
+@@ -1323,7 +1323,7 @@ modulesProcessCnf(struct cnfobj *o)
+
+ cnfModName = (uchar*)es_str2cstr(pvals[typeIdx].val.d.estr, NULL);
+ iRet = Load(cnfModName, 1, o->nvlst);
+-
++
+ finalize_it:
+ free(cnfModName);
+ cnfparamvalsDestruct(pvals, &pblk);
+diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
+index 908e5e7b73..01616d8f7d 100644
+--- a/runtime/rsyslog.h
++++ b/runtime/rsyslog.h
+@@ -604,6 +604,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
+ RS_RET_REDIS_ERROR = -2452, /**< redis-specific error. See message foe details. */
+ RS_RET_REDIS_AUTH_FAILED = -2453, /**< redis authentication failure */
+ RS_RET_FAUP_INIT_OPTIONS_FAILED = -2454, /**< could not initialize faup options */
++ RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
+
+ /* RainerScript error messages (range 1000.. 1999) */
+ RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
+diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
+index 31b91a1bd1..c209e1bcdd 100644
+--- a/tools/rsyslogd.c
++++ b/tools/rsyslogd.c
+@@ -37,6 +37,9 @@
+ #ifdef HAVE_LIBSYSTEMD
+ # include
+ #endif
++#ifdef ENABLE_LIBCAPNG
++ #include
++#endif
+
+ #include "rsyslog.h"
+ #include "wti.h"
+@@ -2167,6 +2170,45 @@ main(int argc, char **argv)
+ fjson_global_do_case_sensitive_comparison(0);
+
+ dbgClassInit();
++
++#ifdef ENABLE_LIBCAPNG
++ /*
++ * Drop capabilities to the necessary set
++ */
++ int capng_rc;
++ capng_clear(CAPNG_SELECT_BOTH);
++
++ if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++ CAP_BLOCK_SUSPEND,
++ CAP_CHOWN,
++ CAP_IPC_LOCK,
++ CAP_LEASE,
++ CAP_NET_ADMIN,
++ CAP_NET_BIND_SERVICE,
++ CAP_PERFMON,
++ CAP_SETGID,
++ CAP_SETUID,
++ CAP_SYS_ADMIN,
++ CAP_SYS_CHROOT,
++ CAP_SYS_RESOURCE,
++ CAP_SYSLOG,
++ -1
++ )) != 0) {
++ LogError(0, RS_RET_LIBCAPNG_ERR,
++ "could not update the internal posix capabilities settings "
++ "based on the options passed to it, capng_updatev=%d\n", capng_rc);
++ exit(-1);
++ }
++
++ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
++ LogError(0, RS_RET_LIBCAPNG_ERR,
++ "could not transfer the specified internal posix capabilities "
++ "settings to the kernel, capng_apply=%d\n", capng_rc);
++ exit(-1);
++ }
++ DBGPRINTF("Capabilities were dropped successfully\n");
++#endif
++
+ initAll(argc, argv);
+ #ifdef HAVE_LIBSYSTEMD
+ sd_notify(0, "READY=1");
+
+From 305e07a2b757b98dc7e26c148c175901034451b9 Mon Sep 17 00:00:00 2001
+From: alakatos
+Date: Mon, 31 Oct 2022 12:30:48 +0100
+Subject: [PATCH 2/2] Add ability to change uid and gid while retaining the
+ capabilities previously specified
+
+---
+ runtime/rsconf.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/rsconf.c b/runtime/rsconf.c
+index 4620ff8d13..24d1ec3570 100644
+--- a/runtime/rsconf.c
++++ b/runtime/rsconf.c
+@@ -34,6 +34,10 @@
+ #include
+ #include
+ #include
++#ifdef ENABLE_LIBCAPNG
++ #include
++#endif
++
+
+ #include "rsyslog.h"
+ #include "obj.h"
+@@ -656,6 +660,7 @@ rsRetVal doDropPrivGid(rsconf_t *cnf)
+ uchar szBuf[1024];
+ DEFiRet;
+
++#ifndef ENABLE_LIBCAPNG
+ if(!cnf->globals.gidDropPrivKeepSupplemental) {
+ res = setgroups(0, NULL); /* remove all supplemental group IDs */
+ if(res) {
+@@ -668,9 +673,19 @@ rsRetVal doDropPrivGid(rsconf_t *cnf)
+ res = setgid(cnf->globals.gidDropPriv);
+ if(res) {
+ LogError(errno, RS_RET_ERR_DROP_PRIV,
+- "could not set requested group id %d", cnf->globals.gidDropPriv);
++ "could not set requested group id %d via setgid()", cnf->globals.gidDropPriv);
+ ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
+ }
++#else
++ int capng_flags = cnf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
++ res = capng_change_id(-1, cnf->globals.gidDropPriv, capng_flags);
++ if (res) {
++ LogError(0, RS_RET_LIBCAPNG_ERR,
++ "could not set requested group id %d via capng_change_id()", cnf->globals.gidDropPriv);
++ ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
++ }
++#endif
++
+ DBGPRINTF("setgid(%d): %d\n", cnf->globals.gidDropPriv, res);
+ snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
+ cnf->globals.gidDropPriv);
+@@ -705,12 +720,18 @@ static void doDropPrivUid(rsconf_t *cnf)
+ cnf->globals.uidDropPriv);
+ }
+
++#ifndef ENABLE_LIBCAPNG
+ res = setuid(cnf->globals.uidDropPriv);
++#else
++ int capng_flags = cnf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
++ res = capng_change_id(cnf->globals.uidDropPriv, -1, capng_flags);
++#endif
+ if(res) {
+ /* if we can not set the userid, this is fatal, so let's unconditionally abort */
+ perror("could not set requested userid");
+ exit(1);
+ }
++
+ DBGPRINTF("setuid(%d): %d\n", cnf->globals.uidDropPriv, res);
+ snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's userid changed to %d", cnf->globals.uidDropPriv);
+ logmsgInternal(NO_ERRCODE, LOG_SYSLOG|LOG_INFO, szBuf, 0);
diff --git a/rsyslog.spec b/rsyslog.spec
index 54efe70..5063094 100644
--- a/rsyslog.spec
+++ b/rsyslog.spec
@@ -7,8 +7,8 @@ Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
-Version: 8.2204.0
-Release: 3%{?dist}
+Version: 8.2210.0
+Release: 1%{?dist}
 License: (GPLv3+ and ASL 2.0)
 URL: http://www.rsyslog.com/
 Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@@ -22,7 +22,7 @@ Source5: rsyslog.service
 Source6: qpid-proton-0.34.0.tar.gz
 Patch0: openssl3-compatibility.patch
-Patch1: rsyslog-8.2204.0-rhbz2082302-CVE-heap-based-buffer-overflow.patch
+Patch1: rsyslog-8.2210.0-rhbz2127403-drop-capabilities.patch
 BuildRequires: make
 BuildRequires: gcc
@@ -42,6 +42,7 @@ BuildRequires: python3-docutils
 BuildRequires: systemd-devel >= 204-8
 BuildRequires: zlib-devel
 BuildRequires: openssl-devel
+BuildRequires: libcap-ng-devel
 Requires: openssl-libs
 Recommends: %{name}-logrotate = %version-%release
@@ -300,7 +301,7 @@ pushd ..
 %patch0 -p1 -b .openssl-compatibility
 popd
-%patch1 -p1 -b .CVE-buffer-overflow
+%patch1 -p1 -b .libcap-ng
 %build
 %ifarch sparc64
@@ -350,6 +351,7 @@ autoreconf -if
 --enable-clickhouse \
 --enable-imdocker \
 --enable-improg \
+ --enable-libcap-ng \
 --enable-libdbi \
 --enable-omamqp1 \
 --enable-omhiredis \
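Review bot: The privilege drop in runtime/rsconf.c no longer sheds CAP_SETUID, CAP_SETGID or CAP_SYS_ADMIN: main() in tools/rsyslogd.c puts them in the retained set and capng_change_id() carries that set across the id change, whereas a plain setuid() away from uid 0 normally clears it. As far as these hunks show nothing removes them afterwards, so a daemon that has switched to an unprivileged user still holds the capability to change its uid again, which weakens the separation the drop is meant to give. Once the uid change in doDropPrivUid() has succeeded (its body starts outside the hunk), the id-changing capabilities could be released with `capng_updatev(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETUID, CAP_SETGID, -1);` followed by `capng_apply(CAPNG_SELECT_CAPS);`, each return value checked. A short comment beside each entry of the list in main() naming the feature that needs it (CAP_SYS_ADMIN in particular) would let a later reviewer trim the set. Separately, doDropPrivUid() reports a capng_change_id() failure through perror(), which prints errno rather than the library's return code; logging `res` there would identify the failing step.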
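Review bot: The `Patch1` line and the matching `%patch1` line drop rsyslog-8.2204.0-rhbz2082302-CVE-heap-based-buffer-overflow.patch, but the new %changelog entry does not record that removal. Presumably the rebase to 8.2210.0 already carries the fix; that should be confirmed against the new tarball (the bounds checks on the octet-count digits in imhttp.c, imptcp.c and tcps_sess.c) and noted, for example `- Remove heap-based buffer overflow patch, included upstream (rhbz#2082302)`. Also, configure.ac in the new patch requires `libcap-ng >= 0.8.2` while `BuildRequires: libcap-ng-devel` is unversioned, so an older library would fail at configure time rather than at dependency resolution.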
@@ -586,6 +588,12 @@ done
 %changelog
+* Wed Nov 09 2022 Attila Lakatos - 8.2210.0-1
+- rebase to 8.2210.0
+ resolves: rhbz#2097173
+- Drop capabilities to the necessary set via libcap-ng
+ resolves: rhbz#2127403
+
 * Wed Jul 27 2022 Attila Lakatos - 8.2204.0-3
 - Restore default omfile template
 resolves: rhbz#2088618
diff --git a/sources b/sources
index 660b19b..4004c45 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (rsyslog-8.2204.0.tar.gz) = d26ab950788b8931b895719f7d8a42509f709b69a76e4188df16f72be050863ee402310ad9300840fed4ac089638497725d67433172778be7b2932fa82210472
-SHA512 (rsyslog-doc-8.2204.0.tar.gz) = 361528b95c1f02cdc2b2ca8ba5252c8215996e81ef1602e08c46be4e1fd8c1c287dd7d52ae9b2b58c0ec7fe38d7079a89e10642ac3f34fe0b6c5737968999fb4
 SHA512 (qpid-proton-0.34.0.tar.gz) = 0de6c3d11baeee1d69821a0f1879a61b314f14589e02ea7ed0de8814c741217fdcafdd978b4061f73bc75588886299f4ac6808021506545ec8a883f39ad54fb3
+SHA512 (rsyslog-8.2210.0.tar.gz) = c665b7f7a3c5ef31c9b62b50f815cfbb52db0cbe4a06934f4f1c3cd2a56fb49c319d33857ee92ab843aa5894cac16c16b8eccdf83714f31ab57a95049c4af231
+SHA512 (rsyslog-doc-8.2210.0.tar.gz) = e7847a9307a91fdf87d6cf91d2391eb75869679905b9598310c456fb3fe1864fc06dbdc649778f5b3788e47ffda0a6d89cb894258e55db441f7df7e74b0ae9f4