From f8992ba4b3da73129742a2dd8fc869e4eab801df Mon Sep 17 00:00:00 2001
From: z30023150
Date: Mon, 23 May 2022 15:27:02 +0800
Subject: [PATCH] bugfix:fix CVE-2022-24903
(cherry picked from commit a23f2baf0521f100edbfeb61cd3bcbddddac1e56)
---
 bugfix-CVE-2022-24903.patch | 61 +++++++++++++++++++++++++++++++++++++
 rsyslog.spec | 6 +++-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 bugfix-CVE-2022-24903.patch
diff --git a/bugfix-CVE-2022-24903.patch b/bugfix-CVE-2022-24903.patch
new file mode 100644
index 0000000..4f8287f
--- /dev/null
+++ b/bugfix-CVE-2022-24903.patch
@@ -0,0 +1,61 @@
+From 66c63027b95dce0fcfe50fa8baf2366ac83b340d Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards
+Date: Fri, 22 Apr 2022 09:49:46 +0200
+Subject: [PATCH] net bugfix: potential buffer overrun
+
+Conflict:NA
+Reference:https://github.com/rsyslog/rsyslog/commit/89955b0bcb1ff105e1374aad7e0e993faa6a038f
+---
+ contrib/imhttp/imhttp.c | 4 +++-
+ plugins/imptcp/imptcp.c | 4 +++-
+ runtime/tcps_sess.c | 4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/imhttp/imhttp.c b/contrib/imhttp/imhttp.c
+index f09260b..95704af 100644
+--- a/contrib/imhttp/imhttp.c
++++ b/contrib/imhttp/imhttp.c
+@@ -487,7 +487,9 @@ processOctetMsgLen(const instanceConf_t *const inst, struct conn_wrkr_s *connWrk
+ connWrkr->parseState.iOctetsRemain = connWrkr->parseState.iOctetsRemain * 10 + ch - '0';
+ }
+ // temporarily save this character into the message buffer
+- connWrkr->pMsg[connWrkr->iMsg++] = ch;
++ if(connWrkr->iMsg + 1 < s_iMaxLine) {
++ connWrkr->pMsg[connWrkr->iMsg++] = ch;
++ }
+ } else {
+ const char *remoteAddr = "";
+ if (connWrkr->propRemoteAddr) {
+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
+index cdd29d4..e47a7c9 100644
+--- a/plugins/imptcp/imptcp.c
++++ b/plugins/imptcp/imptcp.c
+@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
+index b12d873..0831192 100644
+--- a/runtime/tcps_sess.c
++++ b/runtime/tcps_sess.c
+@@ -389,7 +389,9 @@ processDataRcvd(tcps_sess_t *pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
+--
+2.27.0
+
diff --git a/rsyslog.spec b/rsyslog.spec
index 04d2298..3cf5ca9 100644
--- a/rsyslog.spec
+++ b/rsyslog.spec
@@ -7,7 +7,7 @@
 Name: rsyslog
 Version: 8.2110.0
-Release: 8
+Release: 9
 Summary: The rocket-fast system for log processing
 License: (GPLv3+ and ASL 2.0)
 URL: http://www.rsyslog.com/
@@ -30,6 +30,7 @@ Patch9003: rsyslog-8.37.0-initialize-variables-and-check-return-value.patch
 Patch9004: print-main-queue-info-to-journal-when-queue-full.patch
 Patch9005: print-main-queue-info-to-journal-when-receive-USR1-signal.patch
 %endif
+Patch9006: bugfix-CVE-2022-24903.patch
 BuildRequires: gcc autoconf automake bison dos2unix flex pkgconfig python3-docutils libtool
 BuildRequires: libgcrypt-devel libuuid-devel zlib-devel krb5-devel libnet-devel gnutls-devel
@@ -492,6 +493,9 @@ done
 %{_mandir}/man1/rscryutil.1.gz
 %changelog
+* Mon May 23 2022 zhanghaolian - 8.2110.0-9
+- fix CVE-2022-24903
+
 * Fri Mar 25 2022 wuchaochao - 8.2110.0-8
 - add systemd_lived macro
--
Gitee
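Review bot: The three added guards do not use the same bound: the imhttp.c hunk stores the digit only while `connWrkr->iMsg + 1 < s_iMaxLine`, whereas the imptcp.c and tcps_sess.c hunks use `pThis->iMsg < iMaxLine`, and none of the hunks shows how many bytes `pMsg` is allocated with. Because the allocation is outside the patch, a reader cannot confirm from here that each limit matches its buffer; I would add a comment above each guard naming the size it relies on, e.g. `/* pMsg is <ALLOC_SIZE> bytes; surplus octet-count digits are dropped rather than stored */`. The guards also drop surplus digits silently while `iOctetsRemain` is still updated (up to the 200000000 cap), so an over-long octet-count header from a peer leaves no trace at this point; if the code after the hunk does not already report it, a rate-limited error log here would help detection. All three functions begin and end outside their hunks.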
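Review bot: `Patch9006` is declared in the second rsyslog.spec hunk, but the commit adds no matching `%patch9006 -p1` line: the 5 insertions the diffstat reports for rsyslog.spec are all accounted for by the Release, Patch9006 and %changelog lines. If `%prep` (outside the diff) applies patches through `%autosetup` or `%autopatch` this is fine; if it lists `%patch` lines explicitly, the CVE-2022-24903 fix would ship in the source package without being applied to the tree that gets built. Confirm from `%prep` or the build log that the patch is applied, or add `%patch9006 -p1` there.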