aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorpsykose <alice@ayaya.dev>2022-05-08 04:48:24 +0000
committerKevin Daudt <kdaudt@alpinelinux.org>2022-05-08 04:55:05 +0000
commitb5fa16dd95c4328c5495e3bef56d124d8c0ef84a (patch)
tree234913f742cac1432a1913e09169aa389d2d3c06
parent5abd54398e6e9763c6aa6c36917143c2e515f4ae (diff)
downloadaports-b5fa16dd95c4328c5495e3bef56d124d8c0ef84a.tar.gz
aports-b5fa16dd95c4328c5495e3bef56d124d8c0ef84a.tar.bz2
aports-b5fa16dd95c4328c5495e3bef56d124d8c0ef84a.tar.xz
main/rsyslog: fix CVE-2022-24903
-rw-r--r--main/rsyslog/APKBUILD6
-rw-r--r--main/rsyslog/CVE-2022-24903.patch57
2 files changed, 62 insertions, 1 deletions
diff --git a/main/rsyslog/APKBUILD b/main/rsyslog/APKBUILD
index 477ba3c45e..49552553e9 100644
--- a/main/rsyslog/APKBUILD
+++ b/main/rsyslog/APKBUILD
@@ -6,7 +6,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=rsyslog
pkgver=8.2012.0
-pkgrel=2
+pkgrel=3
pkgdesc="Enhanced multi-threaded syslogd with database support and more"
url="https://www.rsyslog.com/"
arch="all !s390x" # limited by czmq
@@ -49,6 +49,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/rsyslog/rsyslog/archive/v$pk
$pkgname.conf
musl-fix.patch
queue.patch
+ CVE-2022-24903.patch
"
# <subpackage>[:<module>...]
@@ -92,6 +93,8 @@ for _i in $_plugins; do
done
# secfixes:
+# 8.2012.0-r3:
+# - CVE-2022-24903
# 8.1908.0-r1:
# - CVE-2019-17040
# - CVE-2019-17041
@@ -194,4 +197,5 @@ bcd63c8df2ac63b80f3cb51ba7f544988df6cd875f4e81020e762dff30d7537f21b72c95a4b1c08b
451b861dc82d7a2810e6c9ff8f80b2c5149cc6b440baf5901149e7b6524a1179826787a924c84403c2e9d8fa7d4df2c909e7f0877ac0cd4e6faf2e37cba7c6c1 rsyslog.conf
15745c8cdb730ae548d038ca4c04f9f48ef55c6e04949a8e86df356877563c0fcb9660445e47d3f9530925092d6dd80b2b2fc3f64a114ee85103d137327524cb musl-fix.patch
ef2e000b1c42cb5beffb26393952c2a692791e78972ee4b6f187ca53e338122b2004cc5216381c042195f12cc58f37f186a04e12a65b5bdfdcdf76b73393efb7 queue.patch
+9b8ec516979cf344375c58320a44dce39ab92384b4782468f6063dac2c2b7f555888fdcaeff8520acfc27825962915241cfa8618ed65150156426706a6ad7d2a CVE-2022-24903.patch
"
diff --git a/main/rsyslog/CVE-2022-24903.patch b/main/rsyslog/CVE-2022-24903.patch
new file mode 100644
index 0000000000..47e0ea77d1
--- /dev/null
+++ b/main/rsyslog/CVE-2022-24903.patch
@@ -0,0 +1,57 @@
+Patch-Source: https://github.com/rsyslog/rsyslog/commit/89955b0bcb1ff105e1374aad7e0e993faa6a038f
+From 89955b0bcb1ff105e1374aad7e0e993faa6a038f Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Fri, 22 Apr 2022 09:49:46 +0200
+Subject: [PATCH] net bugfix: potential buffer overrun
+
+---
+ contrib/imhttp/imhttp.c | 4 +++-
+ plugins/imptcp/imptcp.c | 4 +++-
+ runtime/tcps_sess.c | 4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/imhttp/imhttp.c b/contrib/imhttp/imhttp.c
+index f09260b586..95704af985 100644
+--- a/contrib/imhttp/imhttp.c
++++ b/contrib/imhttp/imhttp.c
+@@ -487,7 +487,9 @@ processOctetMsgLen(const instanceConf_t *const inst, struct conn_wrkr_s *connWrk
+ connWrkr->parseState.iOctetsRemain = connWrkr->parseState.iOctetsRemain * 10 + ch - '0';
+ }
+ // temporarily save this character into the message buffer
+- connWrkr->pMsg[connWrkr->iMsg++] = ch;
++ if(connWrkr->iMsg + 1 < s_iMaxLine) {
++ connWrkr->pMsg[connWrkr->iMsg++] = ch;
++ }
+ } else {
+ const char *remoteAddr = "";
+ if (connWrkr->propRemoteAddr) {
+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
+index 2df46a236c..c32dec5851 100644
+--- a/plugins/imptcp/imptcp.c
++++ b/plugins/imptcp/imptcp.c
+@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
+index 0efa2c23c4..c5442f7638 100644
+--- a/runtime/tcps_sess.c
++++ b/runtime/tcps_sess.c
+@@ -390,7 +390,9 @@ processDataRcvd(tcps_sess_t *pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);