forked from openembedded/meta-openembedded
-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
syslog-ng: CVE-2022-38725 An integer overflow in the RFC3164 parser i
Source: https://github.com/syslog-ng/syslog-ng/ MR: 124728 Type: Security Fix Disposition: Backport from syslog-ng/syslog-ng@b5a060f & syslog-ng/syslog-ng@4b8dc56 & syslog-ng/syslog-ng@73b5c30 & syslog-ng/syslog-ng@09f489c & syslog-ng/syslog-ng@8c6e2c1 & syslog-ng/syslog-ng@56f881c ChangeID: 7ad64c3c5a58fe3bce0bdf4bd7779075ddb5fe34 Description: Fix for CVE-2022-38725 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
- Loading branch information
1 parent
301db79
commit 74689a2
Showing
7 changed files
with
354 additions
and
0 deletions.
There are no files selected for viewing
59 changes: 59 additions & 0 deletions
59
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-01.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| From b5a060f2ebb8d794f508436a12e4d4163f94b1b8 Mon Sep 17 00:00:00 2001 | ||
| From: László Várady <laszlo.varady@protonmail.com> | ||
| Date: Sat, 20 Aug 2022 12:26:05 +0200 | ||
| Subject: [PATCH] syslogformat: fix out-of-bounds reading of data buffer | ||
|
|
||
| Signed-off-by: László Várady <laszlo.varady@protonmail.com> | ||
|
|
||
| Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/b5a060f2ebb8d794f508436a12e4d4163f94b1b8] | ||
| CVE: CVE-2022-38725 | ||
| Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| --- | ||
| modules/syslogformat/syslog-format.c | 10 +++++++--- | ||
| 1 file changed, 7 insertions(+), 3 deletions(-) | ||
|
|
||
| diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c | ||
| index df1f021..9fd4d56 100644 | ||
| --- a/modules/syslogformat/syslog-format.c | ||
| +++ b/modules/syslogformat/syslog-format.c | ||
| @@ -468,6 +468,9 @@ log_msg_parse_date_unnormalized(LogMessage *self, const guchar **data, gint *len | ||
|
|
||
| cached_g_current_time(&now); | ||
|
|
||
| + if (!left) | ||
| + goto error; | ||
| + | ||
| if ((parse_flags & LP_SYSLOG_PROTOCOL) == 0) | ||
| { | ||
| /* Cisco timestamp extensions, the first '*' indicates that the clock is | ||
| @@ -835,7 +838,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF | ||
| open_sd++; | ||
| do | ||
| { | ||
| - if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') | ||
| + if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') | ||
| goto error; | ||
| /* read sd_id */ | ||
| pos = 0; | ||
| @@ -869,7 +872,8 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF | ||
| strcpy(sd_value_name, logmsg_sd_prefix); | ||
| /* this strcat is safe, as sd_id_name is at most 32 chars */ | ||
| strncpy(sd_value_name + logmsg_sd_prefix_len, sd_id_name, sizeof(sd_value_name) - logmsg_sd_prefix_len); | ||
| - if (*src == ']') | ||
| + | ||
| + if (left && *src == ']') | ||
| { | ||
| log_msg_set_value_by_name(self, sd_value_name, "", 0); | ||
| } | ||
| @@ -886,7 +890,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF | ||
| else | ||
| goto error; | ||
|
|
||
| - if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') | ||
| + if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') | ||
| goto error; | ||
|
|
||
| /* read sd-param */ | ||
| -- | ||
| 2.18.2 | ||
|
|
30 changes: 30 additions & 0 deletions
30
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-02.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| From 4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d Mon Sep 17 00:00:00 2001 | ||
| From: László Várady <laszlo.varady@protonmail.com> | ||
| Date: Sun, 21 Aug 2022 18:44:28 +0200 | ||
| Subject: [PATCH] syslogformat: fix reading cisco sequence id out of bounds | ||
|
|
||
| Signed-off-by: László Várady <laszlo.varady@protonmail.com> | ||
|
|
||
| Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d] | ||
| CVE: CVE-2022-38725 | ||
| Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| --- | ||
| modules/syslogformat/syslog-format.c | 2 +- | ||
| 1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
|
||
| diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c | ||
| index 9fd4d56..b1b7f15 100644 | ||
| --- a/modules/syslogformat/syslog-format.c | ||
| +++ b/modules/syslogformat/syslog-format.c | ||
| @@ -198,7 +198,7 @@ log_msg_parse_seq(LogMessage *self, const guchar **data, gint *length) | ||
|
|
||
| /* if the next char is not space, then we may try to read a date */ | ||
|
|
||
| - if (*src != ' ') | ||
| + if (!left || *src != ' ') | ||
| return FALSE; | ||
|
|
||
| log_msg_set_value(self, handles.cisco_seqid, (gchar *) *data, *length - left - 1); | ||
| -- | ||
| 2.18.2 | ||
|
|
31 changes: 31 additions & 0 deletions
31
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-03.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| From 73b5c300b8fde5e7a4824baa83a04931279abb37 Mon Sep 17 00:00:00 2001 | ||
| From: László Várady <laszlo.varady@protonmail.com> | ||
| Date: Sat, 20 Aug 2022 12:42:38 +0200 | ||
| Subject: [PATCH] timeutils: fix iterating out of the range of timestamp buffer | ||
|
|
||
| Signed-off-by: László Várady <laszlo.varady@protonmail.com> | ||
| Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> | ||
|
|
||
| Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/73b5c300b8fde5e7a4824baa83a04931279abb37] | ||
| CVE: CVE-2022-38725 | ||
| Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| --- | ||
| modules/syslogformat/syslog-format.c | 2 +- | ||
| 1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
|
||
| diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c | ||
| index b1b7f15..a6c8cee 100644 | ||
| --- a/modules/syslogformat/syslog-format.c | ||
| +++ b/modules/syslogformat/syslog-format.c | ||
| @@ -258,7 +258,7 @@ __parse_usec(const guchar **data, gint *length) | ||
| src++; | ||
| (*length)--; | ||
| } | ||
| - while (isdigit(*src)) | ||
| + while (*length > 0 && isdigit(*src)) | ||
| { | ||
| src++; | ||
| (*length)--; | ||
| -- | ||
| 2.18.2 | ||
|
|
150 changes: 150 additions & 0 deletions
150
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-04.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,150 @@ | ||
| From 09f489c89c826293ff8cbd282cfc866ab56054c4 Mon Sep 17 00:00:00 2001 | ||
| From: László Várady <laszlo.varady@protonmail.com> | ||
| Date: Sat, 20 Aug 2022 14:29:43 +0200 | ||
| Subject: [PATCH] timeutils: name repeating constant | ||
|
|
||
| Signed-off-by: László Várady <laszlo.varady@protonmail.com> | ||
|
|
||
| Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/09f489c89c826293ff8cbd282cfc866ab56054c4] | ||
| CVE: CVE-2022-38725 | ||
| Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| --- | ||
| lib/str-format.c | 54 ++++++++++++++++++++++++++---------------------- | ||
| 1 file changed, 29 insertions(+), 25 deletions(-) | ||
|
|
||
| diff --git a/lib/str-format.c b/lib/str-format.c | ||
| index efab984..194a635 100644 | ||
| --- a/lib/str-format.c | ||
| +++ b/lib/str-format.c | ||
| @@ -366,41 +366,43 @@ scan_day_abbrev(const gchar **buf, gint *left, gint *wday) | ||
| { | ||
| *wday = -1; | ||
|
|
||
| - if (*left < 3) | ||
| + const gsize abbrev_length = 3; | ||
| + | ||
| + if (*left < abbrev_length) | ||
| return FALSE; | ||
|
|
||
| switch (**buf) | ||
| { | ||
| case 'S': | ||
| - if (strncasecmp(*buf, "Sun", 3) == 0) | ||
| + if (strncasecmp(*buf, "Sun", abbrev_length) == 0) | ||
| *wday = 0; | ||
| - else if (strncasecmp(*buf, "Sat", 3) == 0) | ||
| + else if (strncasecmp(*buf, "Sat", abbrev_length) == 0) | ||
| *wday = 6; | ||
| break; | ||
| case 'M': | ||
| - if (strncasecmp(*buf, "Mon", 3) == 0) | ||
| + if (strncasecmp(*buf, "Mon", abbrev_length) == 0) | ||
| *wday = 1; | ||
| break; | ||
| case 'T': | ||
| - if (strncasecmp(*buf, "Tue", 3) == 0) | ||
| + if (strncasecmp(*buf, "Tue", abbrev_length) == 0) | ||
| *wday = 2; | ||
| - else if (strncasecmp(*buf, "Thu", 3) == 0) | ||
| + else if (strncasecmp(*buf, "Thu", abbrev_length) == 0) | ||
| *wday = 4; | ||
| break; | ||
| case 'W': | ||
| - if (strncasecmp(*buf, "Wed", 3) == 0) | ||
| + if (strncasecmp(*buf, "Wed", abbrev_length) == 0) | ||
| *wday = 3; | ||
| break; | ||
| case 'F': | ||
| - if (strncasecmp(*buf, "Fri", 3) == 0) | ||
| + if (strncasecmp(*buf, "Fri", abbrev_length) == 0) | ||
| *wday = 5; | ||
| break; | ||
| default: | ||
| return FALSE; | ||
| } | ||
|
|
||
| - (*buf) += 3; | ||
| - (*left) -= 3; | ||
| + (*buf) += abbrev_length; | ||
| + (*left) -= abbrev_length; | ||
| return TRUE; | ||
| } | ||
|
|
||
| @@ -409,57 +411,59 @@ scan_month_abbrev(const gchar **buf, gint *left, gint *mon) | ||
| { | ||
| *mon = -1; | ||
|
|
||
| - if (*left < 3) | ||
| + const gsize abbrev_length = 3; | ||
| + | ||
| + if (*left < abbrev_length) | ||
| return FALSE; | ||
|
|
||
| switch (**buf) | ||
| { | ||
| case 'J': | ||
| - if (strncasecmp(*buf, "Jan", 3) == 0) | ||
| + if (strncasecmp(*buf, "Jan", abbrev_length) == 0) | ||
| *mon = 0; | ||
| - else if (strncasecmp(*buf, "Jun", 3) == 0) | ||
| + else if (strncasecmp(*buf, "Jun", abbrev_length) == 0) | ||
| *mon = 5; | ||
| - else if (strncasecmp(*buf, "Jul", 3) == 0) | ||
| + else if (strncasecmp(*buf, "Jul", abbrev_length) == 0) | ||
| *mon = 6; | ||
| break; | ||
| case 'F': | ||
| - if (strncasecmp(*buf, "Feb", 3) == 0) | ||
| + if (strncasecmp(*buf, "Feb", abbrev_length) == 0) | ||
| *mon = 1; | ||
| break; | ||
| case 'M': | ||
| - if (strncasecmp(*buf, "Mar", 3) == 0) | ||
| + if (strncasecmp(*buf, "Mar", abbrev_length) == 0) | ||
| *mon = 2; | ||
| - else if (strncasecmp(*buf, "May", 3) == 0) | ||
| + else if (strncasecmp(*buf, "May", abbrev_length) == 0) | ||
| *mon = 4; | ||
| break; | ||
| case 'A': | ||
| - if (strncasecmp(*buf, "Apr", 3) == 0) | ||
| + if (strncasecmp(*buf, "Apr", abbrev_length) == 0) | ||
| *mon = 3; | ||
| - else if (strncasecmp(*buf, "Aug", 3) == 0) | ||
| + else if (strncasecmp(*buf, "Aug", abbrev_length) == 0) | ||
| *mon = 7; | ||
| break; | ||
| case 'S': | ||
| - if (strncasecmp(*buf, "Sep", 3) == 0) | ||
| + if (strncasecmp(*buf, "Sep", abbrev_length) == 0) | ||
| *mon = 8; | ||
| break; | ||
| case 'O': | ||
| - if (strncasecmp(*buf, "Oct", 3) == 0) | ||
| + if (strncasecmp(*buf, "Oct", abbrev_length) == 0) | ||
| *mon = 9; | ||
| break; | ||
| case 'N': | ||
| - if (strncasecmp(*buf, "Nov", 3) == 0) | ||
| + if (strncasecmp(*buf, "Nov", abbrev_length) == 0) | ||
| *mon = 10; | ||
| break; | ||
| case 'D': | ||
| - if (strncasecmp(*buf, "Dec", 3) == 0) | ||
| + if (strncasecmp(*buf, "Dec", abbrev_length) == 0) | ||
| *mon = 11; | ||
| break; | ||
| default: | ||
| return FALSE; | ||
| } | ||
|
|
||
| - (*buf) += 3; | ||
| - (*left) -= 3; | ||
| + (*buf) += abbrev_length; | ||
| + (*left) -= abbrev_length; | ||
| return TRUE; | ||
| } | ||
|
|
||
| -- | ||
| 2.18.2 | ||
|
|
47 changes: 47 additions & 0 deletions
47
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-05.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| From 8c6e2c1c41b0fcc5fbd464c35f4dac7102235396 Mon Sep 17 00:00:00 2001 | ||
| From: László Várady <laszlo.varady@protonmail.com> | ||
| Date: Sat, 20 Aug 2022 14:30:22 +0200 | ||
| Subject: [PATCH] timeutils: fix invalid calculation of ISO timestamp length | ||
|
|
||
| Signed-off-by: László Várady <laszlo.varady@protonmail.com> | ||
|
|
||
| Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/8c6e2c1c41b0fcc5fbd464c35f4dac7102235396] | ||
| CVE: CVE-2022-38725 | ||
| Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| --- | ||
| modules/syslogformat/syslog-format.c | 6 ++++-- | ||
| 1 file changed, 4 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c | ||
| index a6c8cee..8309a84 100644 | ||
| --- a/modules/syslogformat/syslog-format.c | ||
| +++ b/modules/syslogformat/syslog-format.c | ||
| @@ -211,6 +211,8 @@ log_msg_parse_seq(LogMessage *self, const guchar **data, gint *length) | ||
| static guint32 | ||
| __parse_iso_timezone(const guchar **data, gint *length) | ||
| { | ||
| + g_assert(*length >= 6); | ||
| + | ||
| gint hours, mins; | ||
| const guchar *src = *data; | ||
| guint32 tz = 0; | ||
| @@ -272,14 +274,14 @@ __parse_usec(const guchar **data, gint *length) | ||
| static gboolean | ||
| __has_iso_timezone(const guchar *src, gint length) | ||
| { | ||
| - return (length >= 5) && | ||
| + return (length >= 6) && | ||
| (*src == '+' || *src == '-') && | ||
| isdigit(*(src+1)) && | ||
| isdigit(*(src+2)) && | ||
| *(src+3) == ':' && | ||
| isdigit(*(src+4)) && | ||
| isdigit(*(src+5)) && | ||
| - !isdigit(*(src+6)); | ||
| + (length < 7 || !isdigit(*(src+6))); | ||
| } | ||
|
|
||
| static gboolean | ||
| -- | ||
| 2.18.2 | ||
|
|
30 changes: 30 additions & 0 deletions
30
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-06.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| From 56f881c5eaa3d8c02c96607c4b9e4eaf959a044d Mon Sep 17 00:00:00 2001 | ||
| From: László Várady <laszlo.varady@protonmail.com> | ||
| Date: Sat, 20 Aug 2022 14:30:51 +0200 | ||
| Subject: [PATCH] timeutils: fix out-of-bounds reading of data buffer | ||
|
|
||
| Signed-off-by: László Várady <laszlo.varady@protonmail.com> | ||
|
|
||
| Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/56f881c5eaa3d8c02c96607c4b9e4eaf959a044d] | ||
| CVE: CVE-2022-38725 | ||
| Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| --- | ||
| modules/syslogformat/syslog-format.c | 2 +- | ||
| 1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
|
||
| diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c | ||
| index 8309a84..c562014 100644 | ||
| --- a/modules/syslogformat/syslog-format.c | ||
| +++ b/modules/syslogformat/syslog-format.c | ||
| @@ -378,7 +378,7 @@ __parse_bsd_timestamp(const guchar **data, gint *length, const GTimeVal *now, st | ||
| if (!scan_pix_timestamp((const gchar **) &src, &left, tm)) | ||
| return FALSE; | ||
|
|
||
| - if (*src == ':') | ||
| + if (left && *src == ':') | ||
| { | ||
| src++; | ||
| left--; | ||
| -- | ||
| 2.18.2 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters