Fix CVE-2014-3634
This commit is contained in:
parent
61a73b8bf4
commit
c3ce4569e8
257
rsyslog-7.4.10-cve-2014-3634.patch
Normal file
257
rsyslog-7.4.10-cve-2014-3634.patch
Normal file
@ -0,0 +1,257 @@
|
||||
From 0d7a31540b25b2942ae35dd3c62d9ee33020a157 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Heinrich <theinric@redhat.com>
|
||||
Date: Tue, 7 Oct 2014 10:24:06 +0200
|
||||
Subject: [PATCH] fix CVE-2014-3634
|
||||
|
||||
See the following links for details:
|
||||
https://access.redhat.com/security/cve/CVE-2014-3634
|
||||
http://www.rsyslog.com/remote-syslog-pri-vulnerability/
|
||||
---
|
||||
grammar/rainerscript.h | 4 +--
|
||||
runtime/msg.c | 33 ++++++++++++++++---------
|
||||
runtime/parser.c | 13 ++++++----
|
||||
runtime/rsyslog.h | 66 ++++++++++++++++++++++++++++++++++++++++---------
|
||||
runtime/srutils.c | 1 +
|
||||
runtime/syslogd-types.h | 3 ---
|
||||
6 files changed, 88 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/grammar/rainerscript.h b/grammar/rainerscript.h
|
||||
index 0657330..52050e4 100644
|
||||
--- a/grammar/rainerscript.h
|
||||
+++ b/grammar/rainerscript.h
|
||||
@@ -7,8 +7,8 @@
|
||||
#include <regex.h>
|
||||
#include "typedefs.h"
|
||||
|
||||
-
|
||||
-#define LOG_NFACILITIES 24 /* current number of syslog facilities */
|
||||
+#define LOG_NFACILITIES 24+1 /* This is a dupe from rsyslog.h, but we can't include it as
|
||||
+ I don't know how to get hold of that damn off64_t data type... */
|
||||
#define CNFFUNC_MAX_ARGS 32
|
||||
/**< maximum number of arguments that any function can have (among
|
||||
* others, this is used to size data structures).
|
||||
diff --git a/runtime/msg.c b/runtime/msg.c
|
||||
index 10ecf48..abb58c9 100644
|
||||
--- a/runtime/msg.c
|
||||
+++ b/runtime/msg.c
|
||||
@@ -90,7 +90,7 @@ static char *two_digits[100] = {
|
||||
static struct {
|
||||
uchar *pszName;
|
||||
short lenName;
|
||||
-} syslog_pri_names[192] = {
|
||||
+} syslog_pri_names[200] = {
|
||||
{ UCHAR_CONSTANT("0"), 3},
|
||||
{ UCHAR_CONSTANT("1"), 3},
|
||||
{ UCHAR_CONSTANT("2"), 3},
|
||||
@@ -282,22 +282,30 @@ static struct {
|
||||
{ UCHAR_CONSTANT("188"), 5},
|
||||
{ UCHAR_CONSTANT("189"), 5},
|
||||
{ UCHAR_CONSTANT("190"), 5},
|
||||
- { UCHAR_CONSTANT("191"), 5}
|
||||
+ { UCHAR_CONSTANT("191"), 5},
|
||||
+ { UCHAR_CONSTANT("192"), 5},
|
||||
+ { UCHAR_CONSTANT("193"), 5},
|
||||
+ { UCHAR_CONSTANT("194"), 5},
|
||||
+ { UCHAR_CONSTANT("195"), 5},
|
||||
+ { UCHAR_CONSTANT("196"), 5},
|
||||
+ { UCHAR_CONSTANT("197"), 5},
|
||||
+ { UCHAR_CONSTANT("198"), 5},
|
||||
+ { UCHAR_CONSTANT("199"), 5},
|
||||
};
|
||||
static char hexdigit[16] =
|
||||
{'0', '1', '2', '3', '4', '5', '6', '7', '8',
|
||||
'9', 'A', 'B', 'C', 'D', 'E', 'F' };
|
||||
|
||||
/*syslog facility names (as of RFC5424) */
|
||||
-static char *syslog_fac_names[24] = { "kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
|
||||
+static char *syslog_fac_names[LOG_NFACILITIES] = { "kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
|
||||
"news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
|
||||
"alert", "clock", "local0", "local1", "local2", "local3",
|
||||
- "local4", "local5", "local6", "local7" };
|
||||
+ "local4", "local5", "local6", "local7", "invld" };
|
||||
/* length of the facility names string (for optimizatiions) */
|
||||
-static short len_syslog_fac_names[24] = { 4, 4, 4, 6, 4, 6, 3,
|
||||
+static short len_syslog_fac_names[LOG_NFACILITIES] = { 4, 4, 4, 6, 4, 6, 3,
|
||||
4, 4, 4, 8, 3, 3, 5,
|
||||
5, 5, 6, 6, 6, 6,
|
||||
- 6, 6, 6, 6 };
|
||||
+ 6, 6, 6, 6, 5 };
|
||||
|
||||
/* table of severity names (in numerical order)*/
|
||||
static char *syslog_severity_names[8] = { "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug" };
|
||||
@@ -307,8 +315,8 @@ static short len_syslog_severity_names[8] = { 5, 5, 4, 3, 7, 6, 4, 5 };
|
||||
* and facility values to a numerical string... -- rgerhars, 2009-06-17
|
||||
*/
|
||||
|
||||
-static char *syslog_number_names[24] = { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14",
|
||||
- "15", "16", "17", "18", "19", "20", "21", "22", "23" };
|
||||
+static char *syslog_number_names[LOG_NFACILITIES] = { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14",
|
||||
+ "15", "16", "17", "18", "19", "20", "21", "22", "23", "24" };
|
||||
|
||||
/* global variables */
|
||||
#if defined(HAVE_MALLOC_TRIM) && !defined(HAVE_ATOMIC_BUILTINS)
|
||||
@@ -678,8 +686,8 @@ static inline rsRetVal msgBaseConstruct(msg_t **ppThis)
|
||||
pM->flowCtlType = 0;
|
||||
pM->bParseSuccess = 0;
|
||||
pM->iRefCount = 1;
|
||||
- pM->iSeverity = -1;
|
||||
- pM->iFacility = -1;
|
||||
+ pM->iSeverity = LOG_DEBUG;
|
||||
+ pM->iFacility = LOG_INVLD;
|
||||
pM->iLenPROGNAME = -1;
|
||||
pM->offAfterPRI = 0;
|
||||
pM->offMSG = -1;
|
||||
@@ -1499,7 +1507,10 @@ uchar *getMSG(msg_t *pM)
|
||||
/* Get PRI value as integer */
|
||||
static int getPRIi(msg_t *pM)
|
||||
{
|
||||
- return (pM->iFacility << 3) + (pM->iSeverity);
|
||||
+ unsigned pri = (pM->iFacility << 3) + (pM->iSeverity);
|
||||
+ if(pri > LOG_MAXPRI)
|
||||
+ pri = LOG_PRI_INVLD;
|
||||
+ return pri;
|
||||
}
|
||||
|
||||
|
||||
diff --git a/runtime/parser.c b/runtime/parser.c
|
||||
index 74b28f4..e708b33 100644
|
||||
--- a/runtime/parser.c
|
||||
+++ b/runtime/parser.c
|
||||
@@ -444,7 +444,7 @@ finalize_it:
|
||||
static inline rsRetVal
|
||||
ParsePRI(msg_t *pMsg)
|
||||
{
|
||||
- int pri;
|
||||
+ unsigned pri;
|
||||
uchar *msg;
|
||||
int lenMsg;
|
||||
DEFiRet;
|
||||
@@ -463,13 +463,16 @@ ParsePRI(msg_t *pMsg)
|
||||
* but it offers us performance...
|
||||
*/
|
||||
pri = 0;
|
||||
- while(--lenMsg > 0 && isdigit((int) *++msg)) {
|
||||
+ while(--lenMsg > 0 && isdigit((int) *++msg) && pri <= LOG_MAXPRI) {
|
||||
pri = 10 * pri + (*msg - '0');
|
||||
}
|
||||
- if(*msg == '>')
|
||||
+ if(*msg == '>') {
|
||||
++msg;
|
||||
- if(pri & ~(LOG_FACMASK|LOG_PRIMASK))
|
||||
- pri = DEFUPRI;
|
||||
+ } else {
|
||||
+ pri = LOG_PRI_INVLD;
|
||||
+ }
|
||||
+ if(pri > LOG_MAXPRI)
|
||||
+ pri = LOG_PRI_INVLD;
|
||||
}
|
||||
pMsg->iFacility = LOG_FAC(pri);
|
||||
pMsg->iSeverity = LOG_PRI(pri);
|
||||
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
|
||||
index e62ba86..37c4b1b 100644
|
||||
--- a/runtime/rsyslog.h
|
||||
+++ b/runtime/rsyslog.h
|
||||
@@ -76,19 +76,63 @@
|
||||
* # End Config Settings # *
|
||||
* ############################################################# */
|
||||
|
||||
-/* portability: not all platforms have these defines, so we
|
||||
- * define them here if they are missing. -- rgerhards, 2008-03-04
|
||||
+/* make sure we uses consistent macros, no matter what the
|
||||
+ * platform gives us.
|
||||
*/
|
||||
-#ifndef LOG_MAKEPRI
|
||||
-# define LOG_MAKEPRI(fac, pri) (((fac) << 3) | (pri))
|
||||
-#endif
|
||||
-#ifndef LOG_PRI
|
||||
-# define LOG_PRI(p) ((p) & LOG_PRIMASK)
|
||||
-#endif
|
||||
-#ifndef LOG_FAC
|
||||
-# define LOG_FAC(p) (((p) & LOG_FACMASK) >> 3)
|
||||
-#endif
|
||||
+#define LOG_NFACILITIES 24+1 /* plus one for our special "invld" facility! */
|
||||
+#define LOG_MAXPRI 191 /* highest supported valid PRI value --> RFC3164, RFC5424 */
|
||||
+#undef LOG_MAKEPRI
|
||||
+#define LOG_PRI_INVLD (LOG_INVLD|LOG_DEBUG) /* PRI is invalid --> special "invld.=debug" PRI code (rsyslog-specific) */
|
||||
+
|
||||
+#define LOG_EMERG 0 /* system is unusable */
|
||||
+#define LOG_ALERT 1 /* action must be taken immediately */
|
||||
+#define LOG_CRIT 2 /* critical conditions */
|
||||
+#define LOG_ERR 3 /* error conditions */
|
||||
+#define LOG_WARNING 4 /* warning conditions */
|
||||
+#define LOG_NOTICE 5 /* normal but significant condition */
|
||||
+#define LOG_INFO 6 /* informational */
|
||||
+#define LOG_DEBUG 7 /* debug-level messages */
|
||||
+
|
||||
+#define LOG_KERN (0<<3) /* kernel messages */
|
||||
+#define LOG_USER (1<<3) /* random user-level messages */
|
||||
+#define LOG_MAIL (2<<3) /* mail system */
|
||||
+#define LOG_DAEMON (3<<3) /* system daemons */
|
||||
+#define LOG_AUTH (4<<3) /* security/authorization messages */
|
||||
+#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
|
||||
+#define LOG_LPR (6<<3) /* line printer subsystem */
|
||||
+#define LOG_NEWS (7<<3) /* network news subsystem */
|
||||
+#define LOG_UUCP (8<<3) /* UUCP subsystem */
|
||||
+#define LOG_CRON (9<<3) /* clock daemon */
|
||||
+#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
|
||||
+#define LOG_FTP (11<<3) /* ftp daemon */
|
||||
+#define LOG_LOCAL0 (16<<3) /* reserved for local use */
|
||||
+#define LOG_LOCAL1 (17<<3) /* reserved for local use */
|
||||
+#define LOG_LOCAL2 (18<<3) /* reserved for local use */
|
||||
+#define LOG_LOCAL3 (19<<3) /* reserved for local use */
|
||||
+#define LOG_LOCAL4 (20<<3) /* reserved for local use */
|
||||
+#define LOG_LOCAL5 (21<<3) /* reserved for local use */
|
||||
+#define LOG_LOCAL6 (22<<3) /* reserved for local use */
|
||||
+#define LOG_LOCAL7 (23<<3) /* reserved for local use */
|
||||
+#define LOG_FAC_INVLD 24
|
||||
+#define LOG_INVLD (LOG_FAC_INVLD<<3) /* invalid facility/PRI code */
|
||||
+
|
||||
+/* we need to use a function to avoid side-effects. This MUST guard
|
||||
+ * against invalid facility values. rgerhards, 2014-09-16
|
||||
+ */
|
||||
+static inline int pri2fac(const int pri)
|
||||
+{
|
||||
+ unsigned fac = pri >> 3;
|
||||
+ return (fac > 23) ? LOG_FAC_INVLD : fac;
|
||||
+}
|
||||
+
|
||||
+#define LOG_FAC(x) pri2fac(x)
|
||||
+
|
||||
+static inline int pri2sev(const int pri)
|
||||
+{
|
||||
+ return pri & 0x07;
|
||||
+}
|
||||
|
||||
+#define LOG_PRI(x) pri2sev(x)
|
||||
|
||||
/* the rsyslog core provides information about present feature to plugins
|
||||
* asking it. Below are feature-test macros which must be used to query
|
||||
diff --git a/runtime/srutils.c b/runtime/srutils.c
|
||||
index 6a509b4..4f9f6c1 100644
|
||||
--- a/runtime/srutils.c
|
||||
+++ b/runtime/srutils.c
|
||||
@@ -103,6 +103,7 @@ syslogName_t syslogFacNames[] = {
|
||||
{"local5", LOG_LOCAL5},
|
||||
{"local6", LOG_LOCAL6},
|
||||
{"local7", LOG_LOCAL7},
|
||||
+ {"invld", LOG_INVLD},
|
||||
{NULL, -1},
|
||||
};
|
||||
|
||||
diff --git a/runtime/syslogd-types.h b/runtime/syslogd-types.h
|
||||
index 6947a11..8aee425 100644
|
||||
--- a/runtime/syslogd-types.h
|
||||
+++ b/runtime/syslogd-types.h
|
||||
@@ -27,9 +27,6 @@
|
||||
|
||||
#include "stringbuf.h"
|
||||
#include <sys/param.h>
|
||||
-#if HAVE_SYSLOG_H
|
||||
-#include <syslog.h>
|
||||
-#endif
|
||||
|
||||
/* we use RSTRUE/FALSE to prevent name claches with other packages */
|
||||
#define RSFALSE 0
|
||||
--
|
||||
1.9.3
|
||||
|
@ -11,7 +11,7 @@
|
||||
Summary: Enhanced system logging and kernel message trapping daemon
|
||||
Name: rsyslog
|
||||
Version: 7.4.10
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: (GPLv3+ and ASL 2.0)
|
||||
Group: System Environment/Daemons
|
||||
URL: http://www.rsyslog.com/
|
||||
@ -33,6 +33,7 @@ Patch6: rsyslog-7.4.7-atomicops.patch
|
||||
Patch8: rsyslog-7.4.8-bz1026804-imjournal-message-loss.patch
|
||||
# json_tokener_errors is gone in current json-c
|
||||
Patch9: rsyslog-7.4.10-json-c-fix.patch
|
||||
Patch10: rsyslog-7.4.10-cve-2014-3634.patch
|
||||
|
||||
BuildRequires: bison
|
||||
BuildRequires: flex
|
||||
@ -257,6 +258,7 @@ of source ports.
|
||||
%patch6 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1 -b .jsonfix
|
||||
%patch10 -p1
|
||||
|
||||
%build
|
||||
%ifarch sparc64
|
||||
@ -488,6 +490,9 @@ done
|
||||
%{_libdir}/rsyslog/omudpspoof.so
|
||||
|
||||
%changelog
|
||||
* Tue Oct 07 2014 Tomas Heinrich <theinric@redhat.com> 7.4.10-5
|
||||
- fix CVE-2014-3634
|
||||
|
||||
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.4.10-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user