[oe-commits] [meta-openembedded] 27/74: rsyslog: fix CVE-2017-12588

git at git.openembedded.org
Mon Aug 28 09:04:47 UTC 2017


This is an automated email from the git hooks/post-receive script.

martin_jansa pushed a commit to branch master
in repository meta-openembedded.

commit e41be4b46198a5ca30487fd021a52f5849d91f95
Author: Chen Qi <Qi.Chen at windriver.com>
AuthorDate: Thu Aug 17 18:51:31 2017 +0800

    rsyslog: fix CVE-2017-12588
    
    Backport a patch to fix CVE-2017-12588.
    
    The zmq3 input and output modules in rsyslog before 8.28.0 interpreted
    description fields as format strings, possibly allowing a format string
    attack with unspecified impact.
    
    Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-12588
    
    CVE: CVE-2017-12588
    
    Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
    Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>
---
 .../rsyslog/rsyslog/CVE-2017-12588.patch           | 40 ++++++++++++++++++++++
 meta-oe/recipes-extended/rsyslog/rsyslog_8.22.0.bb |  1 +
 2 files changed, 41 insertions(+)

diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/CVE-2017-12588.patch b/meta-oe/recipes-extended/rsyslog/rsyslog/CVE-2017-12588.patch
new file mode 100644
index 0000000..73c3310
--- /dev/null
+++ b/meta-oe/recipes-extended/rsyslog/rsyslog/CVE-2017-12588.patch
@@ -0,0 +1,40 @@
+From 6bc4aa975a83abed43d734299ce76cd9e1a14aec Mon Sep 17 00:00:00 2001
+From: Thomas Deutschmann <whissi at whissi.de>
+Date: Wed, 17 May 2017 23:05:24 +0200
+Subject: [PATCH] imzmq3: Fix building with -Werror=format-security
+
+Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-12588
+
+CVE: 2017-12588
+
+Upstream-Status: Backport
+Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
+---
+ contrib/imzmq3/imzmq3.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/contrib/imzmq3/imzmq3.c b/contrib/imzmq3/imzmq3.c
+index 9ca17871..d32dcbc2 100644
+--- a/contrib/imzmq3/imzmq3.c
++++ b/contrib/imzmq3/imzmq3.c
+@@ -403,7 +403,7 @@ static rsRetVal createSocket(instanceConf_t* info, void** sock) {
+ 
+     /* Do the bind/connect... */
+     if (info->action==ACTION_CONNECT) {
+-        rv = zsocket_connect(*sock, info->description);
++        rv = zsocket_connect(*sock, "%s", info->description);
+         if (rv == -1) {
+             errmsg.LogError(0,
+                             RS_RET_INVALID_PARAMS,
+@@ -413,7 +413,7 @@ static rsRetVal createSocket(instanceConf_t* info, void** sock) {
+         }
+         DBGPRINTF("imzmq3: connect for %s successful\n",info->description);
+     } else {
+-        rv = zsocket_bind(*sock, info->description);
++        rv = zsocket_bind(*sock, "%s", info->description);
+         if (rv == -1) {
+             errmsg.LogError(0,
+                             RS_RET_INVALID_PARAMS,
+-- 
+2.13.0
+
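Review bot: the backported patch touches only the input module (`contrib/imzmq3/imzmq3.c`), but the commit message says CVE-2017-12588 covers both the zmq3 input and output modules; check whether the output module (omzmq3) in 8.22.0 passes `info->description` the same way and, if so, backport the matching fix alongside this one, or say in the commit message why the output module is not affected. A smaller point: the tag in the patch header reads `CVE: 2017-12588` and should be `CVE: CVE-2017-12588`, the form used in the commit message. The two-line change itself is right: `zsocket_connect` and `zsocket_bind` take a printf-style format (which is why `-Werror=format-security` flagged the old calls), so `"%s", info->description` turns any `%` in a configured description into a literal instead of a conversion.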
diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog_8.22.0.bb b/meta-oe/recipes-extended/rsyslog/rsyslog_8.22.0.bb
index d1d391b..6e3a75c 100644
--- a/meta-oe/recipes-extended/rsyslog/rsyslog_8.22.0.bb
+++ b/meta-oe/recipes-extended/rsyslog/rsyslog_8.22.0.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://www.rsyslog.com/download/files/download/rsyslog/${BPN}-${PV}.t
            file://use-pkgconfig-to-check-libgcrypt.patch \
            file://run-ptest \
            file://rsyslog-fix-ptest-not-finish.patch \
+           file://CVE-2017-12588.patch \
 "
 
 SRC_URI_append_libc-musl = " \
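Review bot: nothing wrong with the SRC_URI addition, which follows the existing `file://` continuation style; just keep it in sync with the patch set: if a second backport for the zmq3 output module is added (the commit message says the CVE covers both modules), it needs its own `file://` entry next to `file://CVE-2017-12588.patch` here.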

-- 