From 81c2ffa0f1503a2882621daf8259caafe2bc88c4 Mon Sep 17 00:00:00 2001
From: alakatos
Date: Mon, 9 May 2022 08:31:33 +0200
Subject: [PATCH] rebase to 8.2204.0 resolves: rhbz#1951970 CVE-2022-24903 rsyslog: Heap-based overflow in TCP syslog server resolves: rhbz#2082302
---
 ...82302-CVE-heap-based-buffer-overflow.patch | 45 +++++++++++++++++++
 rsyslog.spec | 12 ++++-
 2 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 rsyslog-8.2204.0-rhbz2082302-CVE-heap-based-buffer-overflow.patch
diff --git a/rsyslog-8.2204.0-rhbz2082302-CVE-heap-based-buffer-overflow.patch b/rsyslog-8.2204.0-rhbz2082302-CVE-heap-based-buffer-overflow.patch
new file mode 100644
index 0000000..cfdfc59
--- /dev/null
+++ b/rsyslog-8.2204.0-rhbz2082302-CVE-heap-based-buffer-overflow.patch
@@ -0,0 +1,45 @@
+diff --git a/contrib/imhttp/imhttp.c b/contrib/imhttp/imhttp.c
+index f09260b586..95704af985 100644
+--- a/contrib/imhttp/imhttp.c
++++ b/contrib/imhttp/imhttp.c
+@@ -487,7 +487,9 @@ processOctetMsgLen(const instanceConf_t *const inst, struct conn_wrkr_s *connWrk
+ connWrkr->parseState.iOctetsRemain = connWrkr->parseState.iOctetsRemain * 10 + ch - '0';
+ }
+ // temporarily save this character into the message buffer
+- connWrkr->pMsg[connWrkr->iMsg++] = ch;
++ if(connWrkr->iMsg + 1 < s_iMaxLine) {
++ connWrkr->pMsg[connWrkr->iMsg++] = ch;
++ }
+ } else {
+ const char *remoteAddr = "";
+ if (connWrkr->propRemoteAddr) {
+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
+index 2df46a236c..c32dec5851 100644
+--- a/plugins/imptcp/imptcp.c
++++ b/plugins/imptcp/imptcp.c
+@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
+index 0efa2c23c4..c5442f7638 100644
+--- a/runtime/tcps_sess.c
++++ b/runtime/tcps_sess.c
+@@ -390,7 +390,9 @@ processDataRcvd(tcps_sess_t *pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
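Review bot: The three guards this patch adds use two different bounds — imhttp.c tests `connWrkr->iMsg + 1 < s_iMaxLine`, while imptcp.c and tcps_sess.c test `pThis->iMsg < iMaxLine` — and none of them says which buffer size it relies on. The allocation of `pMsg` lies outside all three inner hunks (the enclosing functions start and end outside them too), so the bounds cannot be checked against the buffer from here; a one-line comment at each site would make that auditable, for example `/* pMsg is <size> bytes (placeholder: take from the allocation); excess octet-count digits are dropped */`. The digit is also dropped silently while parsing continues, so an oversized octet-count header leaves no trace; presumably a rate-limited error log in the skipped branch would give operators something to alert on.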
diff --git a/rsyslog.spec b/rsyslog.spec index 2ca0722..0c32ab5 100644 --- a/rsyslog.spec +++ b/rsyslog.spec @@ -7,8 +7,8 @@ Summary: Enhanced system logging and kernel message trapping daemon Name: rsyslog -Version: 8.2102.0 -Release: 10%{?dist} +Version: 8.2204.0 +Release: 1%{?dist} License: (GPLv3+ and ASL 2.0) URL: http://www.rsyslog.com/ Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz @@ -22,6 +22,7 @@ Source5: rsyslog.service Source6: qpid-proton-0.34.0.tar.gz Patch0: openssl3-compatibility.patch +Patch1: rsyslog-8.2204.0-rhbz2082302-CVE-heap-based-buffer-overflow.patch BuildRequires: make BuildRequires: gcc @@ -299,6 +300,7 @@ pushd .. %patch0 -p1 -b .openssl-compatibility popd +%patch1 -p1 -b .CVE-buffer-overflow %build %ifarch sparc64 @@ -584,6 +586,12 @@ done %changelog +* Mon May 09 2022 Attila Lakatos - 8.2204.0 +- rebase to 8.2204.0 + resolves: rhbz#1951970 +- CVE-2022-24903 rsyslog: Heap-based overflow in TCP syslog server + resolves: rhbz#2082302 + * Mon Jan 24 2022 Attila Lakatos - 8.2102.0-10 - Rebuild package with bundled qpid-proton resolves: rhbz#2042940