Browse code
Fixing CVE-2017-12588 in rsyslog
Change-Id: I97631870e80eabba906ab5d3c4c26d9a7f939098
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3534
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
DheerajSShetty authored on 2017/08/16 06:29:15Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,62 @@ |
| 0 |
+From 6bc4aa975a83abed43d734299ce76cd9e1a14aec Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Thomas Deutschmann <whissi@whissi.de> |
|
| 2 |
+Date: Wed, 17 May 2017 23:05:24 +0200 |
|
| 3 |
+Subject: [PATCH 1/2] imzmq3: Fix building with -Werror=format-security |
|
| 4 |
+ |
|
| 5 |
+--- |
|
| 6 |
+ contrib/imzmq3/imzmq3.c | 4 ++-- |
|
| 7 |
+ 1 file changed, 2 insertions(+), 2 deletions(-) |
|
| 8 |
+ |
|
| 9 |
+diff --git a/contrib/imzmq3/imzmq3.c b/contrib/imzmq3/imzmq3.c |
|
| 10 |
+index 9ca178710..d32dcbc26 100644 |
|
| 11 |
+--- a/contrib/imzmq3/imzmq3.c |
|
| 12 |
+@@ -403,7 +403,7 @@ static rsRetVal createSocket(instanceConf_t* info, void** sock) {
|
|
| 13 |
+ |
|
| 14 |
+ /* Do the bind/connect... */ |
|
| 15 |
+ if (info->action==ACTION_CONNECT) {
|
|
| 16 |
+- rv = zsocket_connect(*sock, info->description); |
|
| 17 |
++ rv = zsocket_connect(*sock, "%s", info->description); |
|
| 18 |
+ if (rv == -1) {
|
|
| 19 |
+ errmsg.LogError(0, |
|
| 20 |
+ RS_RET_INVALID_PARAMS, |
|
| 21 |
+@@ -413,7 +413,7 @@ static rsRetVal createSocket(instanceConf_t* info, void** sock) {
|
|
| 22 |
+ } |
|
| 23 |
+ DBGPRINTF("imzmq3: connect for %s successful\n",info->description);
|
|
| 24 |
+ } else {
|
|
| 25 |
+- rv = zsocket_bind(*sock, info->description); |
|
| 26 |
++ rv = zsocket_bind(*sock, "%s", info->description); |
|
| 27 |
+ if (rv == -1) {
|
|
| 28 |
+ errmsg.LogError(0, |
|
| 29 |
+ RS_RET_INVALID_PARAMS, |
|
| 30 |
+ |
|
| 31 |
+From 3f8a235d17d62e93f9492151c81001c7407f32f9 Mon Sep 17 00:00:00 2001 |
|
| 32 |
+From: Thomas Deutschmann <whissi@whissi.de> |
|
| 33 |
+Date: Wed, 17 May 2017 23:07:40 +0200 |
|
| 34 |
+Subject: [PATCH 2/2] omzmq3: Fix building with -Werror=format-security |
|
| 35 |
+ |
|
| 36 |
+--- |
|
| 37 |
+ contrib/omzmq3/omzmq3.c | 4 ++-- |
|
| 38 |
+ 1 file changed, 2 insertions(+), 2 deletions(-) |
|
| 39 |
+ |
|
| 40 |
+diff --git a/contrib/omzmq3/omzmq3.c b/contrib/omzmq3/omzmq3.c |
|
| 41 |
+index 778e151e0..ceb461c6d 100644 |
|
| 42 |
+--- a/contrib/omzmq3/omzmq3.c |
|
| 43 |
+@@ -242,14 +242,14 @@ static rsRetVal initZMQ(instanceData* pData) {
|
|
| 44 |
+ if (pData->action == ACTION_BIND) {
|
|
| 45 |
+ /* bind asserts, so no need to test return val here |
|
| 46 |
+ which isn't the greatest api -- oh well */ |
|
| 47 |
+- if(-1 == zsocket_bind(pData->socket, (char*)pData->description)) {
|
|
| 48 |
++ if(-1 == zsocket_bind(pData->socket, "%s", (char*)pData->description)) {
|
|
| 49 |
+ errmsg.LogError(0, RS_RET_NO_ERRCODE, "omzmq3: bind failed for %s: %s", |
|
| 50 |
+ pData->description, zmq_strerror(errno)); |
|
| 51 |
+ ABORT_FINALIZE(RS_RET_NO_ERRCODE); |
|
| 52 |
+ } |
|
| 53 |
+ DBGPRINTF("omzmq3: bind to %s successful\n",pData->description);
|
|
| 54 |
+ } else {
|
|
| 55 |
+- if(-1 == zsocket_connect(pData->socket, (char*)pData->description)) {
|
|
| 56 |
++ if(-1 == zsocket_connect(pData->socket, "%s", (char*)pData->description)) {
|
|
| 57 |
+ errmsg.LogError(0, RS_RET_NO_ERRCODE, "omzmq3: connect failed for %s: %s", |
|
| 58 |
+ pData->description, zmq_strerror(errno)); |
|
| 59 |
+ ABORT_FINALIZE(RS_RET_NO_ERRCODE); |
| ... | ... |
@@ -1,13 +1,15 @@ |
| 1 | 1 |
Summary: Rocket-fast system for log processing |
| 2 | 2 |
Name: rsyslog |
| 3 | 3 |
Version: 8.15.0 |
| 4 |
-Release: 5%{?dist}
|
|
| 4 |
+Release: 6%{?dist}
|
|
| 5 | 5 |
License: GPLv3+ and ASL 2.0 |
| 6 | 6 |
URL: http://www.rsyslog.com/ |
| 7 | 7 |
Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
|
| 8 | 8 |
%define sha1 rsyslog=e1d5ff63c96bce9945dc65581c8e195950256d3c |
| 9 | 9 |
Source1: rsyslog.service |
| 10 | 10 |
Source2: 50-rsyslog-journald.conf |
| 11 |
+# Downloaded patch from https://github.com/rsyslog/rsyslog/pull/1565 |
|
| 12 |
+Patch0: CVE-2017-12588.patch |
|
| 11 | 13 |
Group: System Environment/Base |
| 12 | 14 |
Vendor: VMware, Inc. |
| 13 | 15 |
Distribution: Photon |
| ... | ... |
@@ -31,6 +33,7 @@ RSYSLOG is the rocket-fast system for log processing. |
| 31 | 31 |
It offers high-performance, great security features and a modular design. While it started as a regular syslogd, rsyslog has evolved into a kind of swiss army knife of logging, being able to accept inputs from a wide variety of sources, transform them, and output to the results to diverse destinations. |
| 32 | 32 |
%prep |
| 33 | 33 |
%setup -q |
| 34 |
+%patch0 -p1 |
|
| 34 | 35 |
%build |
| 35 | 36 |
./configure \ |
| 36 | 37 |
--prefix=%{_prefix} \
|
| ... | ... |
@@ -72,6 +75,8 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}
|
| 72 | 72 |
%{_libdir}/systemd/system/rsyslog.service
|
| 73 | 73 |
%{_sysconfdir}/systemd/journald.conf.d/*
|
| 74 | 74 |
%changelog |
| 75 |
+* Tue Aug 15 2017 Dheeraj Shetty <dheerajs@vmware.com> 8.15.0-6 |
|
| 76 |
+- Fixed CVE-2017-12588 |
|
| 75 | 77 |
* Thu May 26 2016 Divya Thaluru <dthaluru@vmware.com> 8.15.0-5 |
| 76 | 78 |
- Fixed logic to restart the active services after upgrade |
| 77 | 79 |
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 8.15.0-4 |