Change-Id: Ie24c96430e9d56fdf42ddfd6123944baa84fcc7f
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6724
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,148 @@ |
0 |
+From 0381a0de64a5a048c3d48b79055bd9848d0c7fc2 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: PascalWithopf <pwithopf@adiscon.com> |
|
2 |
+Date: Wed, 19 Apr 2017 13:06:30 +0200 |
|
3 |
+Subject: [PATCH] imptcp: fix Segmentation Fault when octet count is to high |
|
4 |
+ |
|
5 |
+--- |
|
6 |
+ plugins/imptcp/imptcp.c | 14 ++++++- |
|
7 |
+ tests/imptcp-msg-truncation-on-number.sh | 37 +++++++++++++++++++ |
|
8 |
+ tests/imptcp-msg-truncation-on-number2.sh | 45 +++++++++++++++++++++++ |
|
9 |
+ 3 files changed, 94 insertions(+), 2 deletions(-) |
|
10 |
+ create mode 100755 tests/imptcp-msg-truncation-on-number.sh |
|
11 |
+ create mode 100755 tests/imptcp-msg-truncation-on-number2.sh |
|
12 |
+ |
|
13 |
+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c |
|
14 |
+index acf0dcd25..b9a4e2fdf 100644 |
|
15 |
+--- a/plugins/imptcp/imptcp.c |
|
16 |
+@@ -902,7 +902,16 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis, |
|
17 |
+ |
|
18 |
+ if(pThis->inputState == eInOctetCnt) { |
|
19 |
+ if(isdigit(c)) { |
|
20 |
+- pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0'; |
|
21 |
++ if(pThis->iOctetsRemain <= 200000000) { |
|
22 |
++ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0'; |
|
23 |
++ } else { |
|
24 |
++ errmsg.LogError(0, NO_ERRCODE, "Framing Error in received TCP message: " |
|
25 |
++ "frame too large (at least %d%c), change to octet stuffing", |
|
26 |
++ pThis->iOctetsRemain, c); |
|
27 |
++ pThis->eFraming = TCP_FRAMING_OCTET_STUFFING; |
|
28 |
++ pThis->inputState = eInMsg; |
|
29 |
++ } |
|
30 |
++ *(pThis->pMsg + pThis->iMsg++) = c; |
|
31 |
+ } else { /* done with the octet count, so this must be the SP terminator */ |
|
32 |
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain); |
|
33 |
+ if(c != ' ') { |
|
34 |
+@@ -911,9 +920,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis, |
|
35 |
+ } |
|
36 |
+ if(pThis->iOctetsRemain < 1) { |
|
37 |
+ /* TODO: handle the case where the octet count is 0! */ |
|
38 |
+- DBGPRINTF("Framing Error: invalid octet count\n"); |
|
39 |
+ errmsg.LogError(0, NO_ERRCODE, "Framing Error in received TCP message: " |
|
40 |
+ "invalid octet count %d.", pThis->iOctetsRemain); |
|
41 |
++ pThis->eFraming = TCP_FRAMING_OCTET_STUFFING; |
|
42 |
+ } else if(pThis->iOctetsRemain > iMaxLine) { |
|
43 |
+ /* while we can not do anything against it, we can at least log an indication |
|
44 |
+ * that something went wrong) -- rgerhards, 2008-03-14 |
|
45 |
+@@ -924,6 +933,7 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis, |
|
46 |
+ "max msg size is %d, truncating...", pThis->iOctetsRemain, iMaxLine); |
|
47 |
+ } |
|
48 |
+ pThis->inputState = eInMsg; |
|
49 |
++ pThis->iMsg = 0; |
|
50 |
+ } |
|
51 |
+ } else { |
|
52 |
+ assert(pThis->inputState == eInMsg); |
|
53 |
+diff --git a/tests/imptcp-msg-truncation-on-number.sh b/tests/imptcp-msg-truncation-on-number.sh |
|
54 |
+new file mode 100755 |
|
55 |
+index 000000000..e46486bdf |
|
56 |
+--- /dev/null |
|
57 |
+@@ -0,0 +1,37 @@ |
|
58 |
++#!/bin/bash |
|
59 |
++# addd 2017-03-01 by RGerhards, released under ASL 2.0 |
|
60 |
++ |
|
61 |
++. $srcdir/diag.sh init |
|
62 |
++. $srcdir/diag.sh generate-conf |
|
63 |
++. $srcdir/diag.sh add-conf ' |
|
64 |
++$MaxMessageSize 128 |
|
65 |
++global(processInternalMessages="on") |
|
66 |
++module(load="../plugins/imptcp/.libs/imptcp") |
|
67 |
++input(type="imptcp" port="13514") |
|
68 |
++ |
|
69 |
++action(type="omfile" file="rsyslog.out.log") |
|
70 |
++ |
|
71 |
++' |
|
72 |
++. $srcdir/diag.sh startup |
|
73 |
++. $srcdir/diag.sh tcpflood -m1 -M "\"<120> 2011-03-01T11:22:12Z host tag: this is a way too long message that has to be truncatedtest1 test2 test3 test4 test5 ab |
|
74 |
++9876543210 cdefghijklmn test8 test9 test10 test11 test12 test13 test14 test15 kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk tag: testtestetstetstetstetstetsstetstetsytetestetste\"" |
|
75 |
++. $srcdir/diag.sh shutdown-when-empty |
|
76 |
++. $srcdir/diag.sh wait-shutdown |
|
77 |
++ |
|
78 |
++grep "Framing Error.*change to octet stuffing" rsyslog.out.log > /dev/null |
|
79 |
++if [ $? -ne 0 ]; then |
|
80 |
++ echo |
|
81 |
++ echo "FAIL: expected error message from imptcp truncation not found. rsyslog.out.log is:" |
|
82 |
++ cat rsyslog.out.log |
|
83 |
++ . $srcdir/diag.sh error-exit 1 |
|
84 |
++fi |
|
85 |
++ |
|
86 |
++grep " 9876543210 cdefghijklmn test8 test9 test10 test11 test12 test13 test14 test15 kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk tag: testtestets" rsyslog.out.log > /dev/null |
|
87 |
++if [ $? -ne 0 ]; then |
|
88 |
++ echo |
|
89 |
++ echo "FAIL: expected error message from imptcp truncation not found. rsyslog.out.log is:" |
|
90 |
++ cat rsyslog.out.log |
|
91 |
++ . $srcdir/diag.sh error-exit 1 |
|
92 |
++fi |
|
93 |
++ |
|
94 |
++. $srcdir/diag.sh exit |
|
95 |
+diff --git a/tests/imptcp-msg-truncation-on-number2.sh b/tests/imptcp-msg-truncation-on-number2.sh |
|
96 |
+new file mode 100755 |
|
97 |
+index 000000000..15c5aab15 |
|
98 |
+--- /dev/null |
|
99 |
+@@ -0,0 +1,45 @@ |
|
100 |
++#!/bin/bash |
|
101 |
++# addd 2017-03-01 by RGerhards, released under ASL 2.0 |
|
102 |
++ |
|
103 |
++. $srcdir/diag.sh init |
|
104 |
++. $srcdir/diag.sh generate-conf |
|
105 |
++. $srcdir/diag.sh add-conf ' |
|
106 |
++$MaxMessageSize 128 |
|
107 |
++global(processInternalMessages="on") |
|
108 |
++module(load="../plugins/imptcp/.libs/imptcp") |
|
109 |
++input(type="imptcp" port="13514" ruleset="ruleset1") |
|
110 |
++ |
|
111 |
++template(name="templ1" type="string" string="%rawmsg%\n") |
|
112 |
++ruleset(name="ruleset1") { |
|
113 |
++ action(type="omfile" file="rsyslog.out.log" template="templ1") |
|
114 |
++} |
|
115 |
++ |
|
116 |
++' |
|
117 |
++. $srcdir/diag.sh startup |
|
118 |
++. $srcdir/diag.sh tcpflood -m2 -M "\"41 <120> 2011-03-01T11:22:12Z host msgnum:1\"" |
|
119 |
++. $srcdir/diag.sh tcpflood -m1 -M "\"214000000000 <120> 2011-03-01T11:22:12Z host msgnum:1\"" |
|
120 |
++. $srcdir/diag.sh tcpflood -m1 -M "\"41 <120> 2011-03-01T11:22:12Z host msgnum:1\"" |
|
121 |
++. $srcdir/diag.sh tcpflood -m1 -M "\"214000000000 <120> 2011-03-01T11:22:12Z host msgnum:1\"" |
|
122 |
++. $srcdir/diag.sh tcpflood -m1 -M "\"41 <120> 2011-03-01T11:22:12Z host msgnum:1\"" |
|
123 |
++. $srcdir/diag.sh tcpflood -m1 -M "\"2000000010 <120> 2011-03-01T11:22:12Z host msgnum:1\"" |
|
124 |
++. $srcdir/diag.sh tcpflood -m1 -M "\"4000000000 <120> 2011-03-01T11:22:12Z host msgnum:1\"" |
|
125 |
++. $srcdir/diag.sh tcpflood -m1 -M "\"0 <120> 2011-03-01T11:22:12Z host msgnum:1\"" |
|
126 |
++. $srcdir/diag.sh shutdown-when-empty |
|
127 |
++. $srcdir/diag.sh wait-shutdown |
|
128 |
++ |
|
129 |
++echo '<120> 2011-03-01T11:22:12Z host msgnum:1 |
|
130 |
++<120> 2011-03-01T11:22:12Z host msgnum:1 |
|
131 |
++214000000000 <120> 2011-03-01T11:22:12Z host msgnum:1 |
|
132 |
++<120> 2011-03-01T11:22:12Z host msgnum:1 |
|
133 |
++214000000000 <120> 2011-03-01T11:22:12Z host msgnum:1 |
|
134 |
++<120> 2011-03-01T11:22:12Z host msgnum:1 |
|
135 |
++2000000010 <120> 2011-03-01T11:22:12Z host msgnum:1 |
|
136 |
++4000000000 <120> 2011-03-01T11:22:12Z host msgnum:1 |
|
137 |
++<120> 2011-03-01T11:22:12Z host msgnum:1' | cmp rsyslog.out.log |
|
138 |
++if [ ! $? -eq 0 ]; then |
|
139 |
++ echo "invalid response generated, rsyslog.out.log is:" |
|
140 |
++ cat rsyslog.out.log |
|
141 |
++ . $srcdir/diag.sh error-exit 1 |
|
142 |
++fi; |
|
143 |
++ |
|
144 |
++. $srcdir/diag.sh exit |
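Review bot: The store `*(pThis->pMsg + pThis->iMsg++) = c;` in the imptcp.c hunk of the embedded patch runs for every digit of the octet count with no check on `iMsg`. The new `<= 200000000` guard bounds the value of `iOctetsRemain`, not the number of digits accepted, so a count that stays at or below that limit keeps advancing `iMsg`. Assuming `pMsg` is sized from `iMaxLine` (the allocation is outside the hunk), the write should be guarded: `if(pThis->iMsg < iMaxLine) { *(pThis->pMsg + pThis->iMsg++) = c; }`. processDataRcvd starts and ends outside the hunk, so it is also worth confirming that `iMsg` is zero whenever the session enters `eInOctetCnt`.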
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: Rocket-fast system for log processing |
2 | 2 |
Name: rsyslog |
3 | 3 |
Version: 8.15.0 |
4 |
-Release: 8%{?dist} |
|
4 |
+Release: 9%{?dist} |
|
5 | 5 |
License: GPLv3+ and ASL 2.0 |
6 | 6 |
URL: http://www.rsyslog.com/ |
7 | 7 |
Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz |
... | ... |
@@ -10,6 +10,7 @@ Source1: rsyslog.service |
10 | 10 |
Source2: 50-rsyslog-journald.conf |
11 | 11 |
# Downloaded patch from https://github.com/rsyslog/rsyslog/pull/1565 |
12 | 12 |
Patch0: CVE-2017-12588.patch |
13 |
+Patch1: CVE-2018-16881.patch |
|
13 | 14 |
Group: System Environment/Base |
14 | 15 |
Vendor: VMware, Inc. |
15 | 16 |
Distribution: Photon |
... | ... |
@@ -34,6 +35,7 @@ It offers high-performance, great security features and a modular design. While |
34 | 34 |
%prep |
35 | 35 |
%setup -q |
36 | 36 |
%patch0 -p1 |
37 |
+%patch1 -p1 |
|
37 | 38 |
%build |
38 | 39 |
./configure \ |
39 | 40 |
--prefix=%{_prefix} \ |
... | ... |
@@ -75,6 +77,8 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} |
75 | 75 |
%{_libdir}/systemd/system/rsyslog.service |
76 | 76 |
%{_sysconfdir}/systemd/journald.conf.d/* |
77 | 77 |
%changelog |
78 |
+* Thu Feb 14 2019 Keerthana K <keerthanak@vmware.com> 8.15.0-9 |
|
79 |
+- Fix for CVE-2018-16881 |
|
78 | 80 |
* Thu Dec 21 2017 Xiaolin Li <xiaolinl@vmware.com> 8.15.0-8 |
79 | 81 |
- Fix typos in change log. |
80 | 82 |
* Fri Dec 15 2017 Anish Swaminathan <anishs@vmware.com> 8.15.0-7 |
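Review bot: `Patch1: CVE-2018-16881.patch` is added without a provenance comment, while Patch0 directly above it carries `# Downloaded patch from https://github.com/rsyslog/rsyslog/pull/1565`. Add an equivalent line above Patch1, for example `# Backport of upstream rsyslog commit 0381a0de64a5a048c3d48b79055bd9848d0c7fc2`, using the hash from the patch's own `From` line. That lets a later reader check the backport against upstream and see which upstream change the CVE label refers to.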