Patched HIGH CVE-2022-38725 for syslog-ng

[mbykhovtsev-ms]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Patched high CVE-2022-38725 for syslog-ng. Patch found at syslog-ng/syslog-ng#4110

Change Log

• Patched high CVE-2022-38725 for syslog-ng

Does this affect the toolchain?

NO

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2022-38725

Test Methodology

• Fast Track PR check

[mbykhovtsev-ms]

/AzurePipelines run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[PawelWMS]

@mbykhovtsev-ms, just a heads-up: all PRs against fasttrack/2.0 should be rebased, since we finished a monthly update, which also updated fasttrack/2.0. Rebasing (or merging) the latest state of the branch will re-trigger the PR check and allow us to validate that the latest state of the repo still builds correctly with the changes from the PRs.

[Redent0r]

Wondering if I can do bbeb322?

Here's what happened:

• When make check is included, fast track build failed due to a ptest return code. The error message is "Unit tests are disabled". We can also see this error when buddy building over fasttrack/2.0 https://dev.azure.com/mariner-org/mariner/_build/results?buildId=456539&view=ms.vss-test-web.build-test-results-tab&runId=145823&resultId=100000&paneView=debug
• Looks like it comes from https://github.com/syslog-ng/syslog-ng/blob/syslog-ng-3.33.2/Makefile.am#L138 and they can be enabled
• I wasn't able to enable the flag despite trying 92ee41d and 01fd252
• So I try to check how Fedora does make check. I try to look at https://src.fedoraproject.org/rpms/syslog-ng/blob/epel9/f/syslog-ng.spec (3.35.1 theirs vs 3.33.2 ours) and I see there's no check section and it actually got removed (https://src.fedoraproject.org/rpms/syslog-ng/blob/epel9/f/syslog-ng.spec#_653)
• Additionally I noticed make check calls check target, which in turn calls check_target_guard. check_target_guard seems to only check if unit test flag is passed and print error if not. Doesn't start or run any tests it seems

Passing fasttrack build without make check: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=456990&view=results

[PawelWMS]

Wondering if I can do bbeb322?

Here's what happened:

• When make check is included, fast track build failed due to a ptest return code. The error message is "Unit tests are disabled". We can also see this error when buddy building over fasttrack/2.0 https://dev.azure.com/mariner-org/mariner/_build/results?buildId=456539&view=ms.vss-test-web.build-test-results-tab&runId=145823&resultId=100000&paneView=debug
• Looks like it comes from https://github.com/syslog-ng/syslog-ng/blob/syslog-ng-3.33.2/Makefile.am#L138 and they can be enabled
• I wasn't able to enable the flag despite trying 92ee41d and 01fd252
• So I try to check how Fedora does make check. I try to look at https://src.fedoraproject.org/rpms/syslog-ng/blob/epel9/f/syslog-ng.spec (3.35.1 theirs vs 3.33.2 ours) and I see there's no check section and it actually got removed (https://src.fedoraproject.org/rpms/syslog-ng/blob/epel9/f/syslog-ng.spec#_653)
• Additionally I noticed make check calls check target, which in turn calls check_target_guard. check_target_guard seems to only check if unit test flag is passed and print error if not. Doesn't start or run any tests it seems

Passing fasttrack build without make check: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=456990&view=results

I took a look at the configure file in the sources and found this:

 if test "$enable_tests" != "no"; then
  ENABLE_TESTING_TRUE=
  ENABLE_TESTING_FALSE='#'
else
  ENABLE_TESTING_TRUE='#'
  ENABLE_TESTING_FALSE=
fi

It seems, that enable_tests must be set to something else than no but on a different line it looks like this variable depends on with_criterion:

if test "$with_criterion" != "no"; then
   enable_tests=yes
else
  enable_tests=no
fi

I believe this is the Criterion project these lines are about. After a brief search I wasn't able to find a Fedora package building this project, so maybe that's why it's not enabled for them. Since we don't have it as well, we'd need to investigate further what it would take to light it up. For instance, it seems that Red Hat might have something.

With all of that considered, I think it is fine to move enabling tests for this package to a later date. However, let's keep the %check section, but add a somment above it summarizing the findings from this PR and also maybe add a link to this PR as well. In addition to that, please also create a P1 bug (with a similar summary and link) against Jon saying that syslog-ng tests are broken.

[0xba1a]

As Pawel mentioned, please create P1 bug and provide the link in this PR for reference

[Redent0r]

Created P1 bug and linked back to this PR. Also added back the make check to the %check section and commented it out with a todo comment also linking to this PR. Thanks!

[CBL-Mariner-Bot]

Auto cherry-pick results:

• main ✅ -> [AUTO-CHERRYPICK] Patched HIGH CVE-2022-38725 for syslog-ng - branch main #6842

Auto cherry-pick pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=458187&view=results