[oe] [meta-oe][PATCH] rsyslog: fix CVE-2017-12588
Randy MacLeod
randy.macleod at windriver.com
Fri Aug 18 16:07:10 UTC 2017
On 2017-08-18 12:03 PM, Randy MacLeod wrote:
> On 2017-08-17 06:51 AM, Qi.Chen at windriver.com wrote:
>> From: Chen Qi <Qi.Chen at windriver.com>
>>
>> Backport a patch to fix CVE-2017-12588.
>>
>> The zmq3 input and output modules in rsyslog before 8.28.0 interpreted
>> description fields as format strings, possibly allowing a format string
>> attack with unspecified impact.
>>
>> Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-12588
>>
>> CVE: CVE-2017-12588
>>
>> Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
>> ---
>> .../rsyslog/rsyslog/CVE-2017-12588.patch | 40
>> ++++++++++++++++++++++
>> meta-oe/recipes-extended/rsyslog/rsyslog_8.22.0.bb | 1 +
>> 2 files changed, 41 insertions(+)
>> create mode 100644
>> meta-oe/recipes-extended/rsyslog/rsyslog/CVE-2017-12588.patch
>>
>> diff --git
>> a/meta-oe/recipes-extended/rsyslog/rsyslog/CVE-2017-12588.patch
>> b/meta-oe/recipes-extended/rsyslog/rsyslog/CVE-2017-12588.patch
>> new file mode 100644
>> index 0000000..73c3310
>> --- /dev/null
>> +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/CVE-2017-12588.patch
>> @@ -0,0 +1,40 @@
>> +From 6bc4aa975a83abed43d734299ce76cd9e1a14aec Mon Sep 17 00:00:00 2001
>> +From: Thomas Deutschmann <whissi at whissi.de>
>> +Date: Wed, 17 May 2017 23:05:24 +0200
>> +Subject: [PATCH] imzmq3: Fix building with -Werror=format-security
>> +
>> +Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-12588
>> +
>> +CVE: 2017-12588
>> +
>> +Upstream-Status: Backport
>> +Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
>> +---
>> + contrib/imzmq3/imzmq3.c | 4 ++--
>> + 1 file changed, 2 insertions(+), 2 deletions(-)
>> +
>> +diff --git a/contrib/imzmq3/imzmq3.c b/contrib/imzmq3/imzmq3.c
>> +index 9ca17871..d32dcbc2 100644
>> +--- a/contrib/imzmq3/imzmq3.c
>> ++++ b/contrib/imzmq3/imzmq3.c
>> +@@ -403,7 +403,7 @@ static rsRetVal createSocket(instanceConf_t*
>> info, void** sock) {
>> +
>> + /* Do the bind/connect... */
>> + if (info->action==ACTION_CONNECT) {
>> +- rv = zsocket_connect(*sock, info->description);
>> ++ rv = zsocket_connect(*sock, "%s", info->description);
>> + if (rv == -1) {
>> + errmsg.LogError(0,
>> + RS_RET_INVALID_PARAMS,
>> +@@ -413,7 +413,7 @@ static rsRetVal createSocket(instanceConf_t*
>> info, void** sock) {
>> + }
>> + DBGPRINTF("imzmq3: connect for %s
>> successful\n",info->description);
>> + } else {
>> +- rv = zsocket_bind(*sock, info->description);
>> ++ rv = zsocket_bind(*sock, "%s", info->description);
>> + if (rv == -1) {
>> + errmsg.LogError(0,
>> + RS_RET_INVALID_PARAMS,
>> +--
>> +2.13.0
>> +
>> diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog_8.22.0.bb
>> b/meta-oe/recipes-extended/rsyslog/rsyslog_8.22.0.bb
>> index d1d391b..6e3a75c 100644
>> --- a/meta-oe/recipes-extended/rsyslog/rsyslog_8.22.0.bb
>> +++ b/meta-oe/recipes-extended/rsyslog/rsyslog_8.22.0.bb
>> @@ -24,6 +24,7 @@ SRC_URI =
>> "http://www.rsyslog.com/download/files/download/rsyslog/${BPN}-${PV}.t
>> file://use-pkgconfig-to-check-libgcrypt.patch \
>> file://run-ptest \
>> file://rsyslog-fix-ptest-not-finish.patch \
>> + file://CVE-2017-12588.patch \
>> "
>> SRC_URI_append_libc-musl = " \
>>
>
>
> Better to just upgrade to 8.25. It was released in February so
> it should be well tested.
>
Oops, I mean 8.29, released 10 days ago:
https://github.com/rsyslog/rsyslog/releases
/me updates Wikipedia...
--
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON,
Canada, K2K 2W5
More information about the Openembedded-devel
mailing list