new file mode 100644

@@ -0,0 +1,73 @@

+From 2cfe657672636aa5d7d2a14cfcb0a6ab9d1f00cf Mon Sep 17 00:00:00 2001

+From: Rainer Gerhards <rgerhards@adiscon.com>

+Date: Tue, 20 Mar 2018 12:30:12 +0100

+Subject: [PATCH] unify error message generation

+

+---

+ src/tcp.c | 38 +++++++++++++++++++++++++++++++++-----

+ 1 file changed, 33 insertions(+), 5 deletions(-)

+

+diff --git a/src/tcp.c b/src/tcp.c

+index a587627..d2d48f5 100644

+--- a/src/tcp.c

+@@ -1127,9 +1127,34 @@ done:

+ 	return r;

+ }

+ 

++/* helper to consistently add names to error message buffer */

++static int

++relpTcpAddToCertNamesBuffer(relpTcp_t *const pThis,

++	char *const buf,

++	const size_t buflen,

++	int *p_currIdx,

++	const char *const certName)

++{

++	int r = 0;

++	assert(buf != NULL);

++	assert(p_currIdx != NULL);

++	const int currIdx = *p_currIdx;

++	const int n = snprintf(buf + currIdx, buflen - currIdx,

++		"DNSname: %s; ", certName);

++	if(n < 0 || n >= (int) (buflen - currIdx)) {

++		callOnAuthErr(pThis, "", "certificate validation failed, names "

++			"inside certifcate are way to long (> 32KiB)",

++			RELP_RET_AUTH_CERT_INVL);

++		r = GNUTLS_E_CERTIFICATE_ERROR;

++	} else {

++		*p_currIdx += n;

++	}

++	return r;

++}

++

+ /* Check the peer's ID in name auth mode. */

+ static int

+-relpTcpChkPeerName(relpTcp_t *pThis, gnutls_x509_crt cert)

++relpTcpChkPeerName(relpTcp_t *const pThis, gnutls_x509_crt_t cert)

+ {

+ 	int r = 0;

+ 	int ret;

+@@ -1213,8 +1239,9 @@ relpTcpChkPeerName(relpTcp_t *pThis, gnutls_x509_crt_t cert)

+ 			break;

+ 		else if(gnuRet == GNUTLS_SAN_DNSNAME) {

+ 			pThis->pEngine->dbgprint("librelp: subject alt dnsName: '%s'\n", szAltName);

+-			iAllNames += snprintf(allNames+iAllNames, sizeof(allNames)-iAllNames,

+-					      "DNSname: %s; ", szAltName);

++			r = relpTcpAddToCertNamesBuffer(pThis, allNames, sizeof(allNames),

++				&iAllNames, szAltName);

++			if(r != 0) goto done;

+ 			relpTcpChkOnePeerName(pThis, szAltName, &bFoundPositiveMatch);

+ 			/* do NOT break, because there may be multiple dNSName's! */

+ 		}

+@@ -1225,8 +1252,9 @@ relpTcpChkPeerName(relpTcp_t *pThis, gnutls_x509_crt_t cert)

+ 		/* if we did not succeed so far, we try the CN part of the DN... */

+ 		if(relpTcpGetCN(pThis, cert, cnBuf, sizeof(cnBuf)) == 0) {

+ 			pThis->pEngine->dbgprint("librelp: relpTcp now checking auth for CN '%s'\n", cnBuf);

+-			iAllNames += snprintf(allNames+iAllNames, sizeof(allNames)-iAllNames,

+-					      "CN: %s; ", cnBuf);

++			r = relpTcpAddToCertNamesBuffer(pThis, allNames, sizeof(allNames),

++				&iAllNames, cnBuf);

++			if(r != 0) goto done;

+ 			relpTcpChkOnePeerName(pThis, cnBuf, &bFoundPositiveMatch);

+ 		}

+ 	}

@@ -1,26 +1,27 @@

-Summary:	RELP Library

-Name:		librelp

-Version:	1.2.9

-Release:	2%{?dist}

-License:	GPLv3+

-URL:		http://www.librelp.com

-Source0:	http://download.rsyslog.com/librelp/%{name}-%{version}.tar.gz

+Summary:        RELP Library

+Name:           librelp

+Version:        1.2.9

+Release:        3%{?dist}

+License:        GPLv3+

+URL:            http://www.librelp.com

+Source0:        http://download.rsyslog.com/librelp/%{name}-%{version}.tar.gz

 %define sha1 librelp=d8b61789a2775bbff08c1ac05b658a52afa4d729

-Group:		System Environment/Libraries

-Vendor:		VMware, Inc.

-Distribution:	Photon

-BuildRequires:	gnutls-devel

-BuildRequires:	autogen

-Requires:	gnutls

-Requires:	gmp

+Patch0:         librelp-CVE-2018-1000140.patch

+Group:          System Environment/Libraries

+Vendor:         VMware, Inc.

+Distribution:   Photon

+BuildRequires:  gnutls-devel

+BuildRequires:  autogen

+Requires:       gnutls

+Requires:       gmp

 %description

 Librelp is an easy to use library for the RELP protocol. RELP (stands

 for Reliable Event Logging Protocol) is a general-purpose, extensible

 logging protocol.

 %package devel

-Summary:	Development libraries and header files for librelp

-Requires:	librelp

+Summary:        Development libraries and header files for librelp

+Requires:       librelp

 %description devel

 The package contains libraries and header files for

@@ -28,16 +29,17 @@ developing applications that use librelp.

 %prep

 %setup -q

+%patch0 -p1

 %build

 ./configure \

-	--prefix=%{_prefix}

+        --prefix=%{_prefix}

 make %{?_smp_mflags}

 %install

 make DESTDIR=%{buildroot} install

 %check

 make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}

-%post	-p /sbin/ldconfig

-%postun	-p /sbin/ldconfig

+%post   -p /sbin/ldconfig

+%postun -p /sbin/ldconfig

 %files

 %defattr(-,root,root)

 %{_libdir}/*.so.*

@@ -49,10 +51,12 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}

 %{_libdir}/*.so

 %{_libdir}/pkgconfig/*.pc

 %changelog

-*	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.2.9-2

--	GA - Bump release of all rpms

-* 	Thu Feb 25 2016 Anish Swaminathan <anishs@vmware.com>  1.2.9-1

-- 	Upgrade to 1.2.9

-*	Thu Jun 18 2015 Divya Thaluru <dthaluru@vmware.com> 1.2.7-1

--	Initial build. First version

+*   Fri Apr 20 2018 Xiaolin Li <xiaolinl@vmware.com> 1.2.9-3

+-   Fix CVE-2018-1000140

+*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.2.9-2

+-   GA - Bump release of all rpms

+*   Thu Feb 25 2016 Anish Swaminathan <anishs@vmware.com>  1.2.9-1

+-   Upgrade to 1.2.9

+*   Thu Jun 18 2015 Divya Thaluru <dthaluru@vmware.com> 1.2.7-1

+-   Initial build. First version