diff -Nru rsyslog-7.4.4/debian/changelog rsyslog-7.4.4/debian/changelog
--- rsyslog-7.4.4/debian/changelog 2014-08-19 20:02:07.000000000 +0000
+++ rsyslog-7.4.4/debian/changelog 2014-10-02 15:34:04.000000000 +0000
@@ -1,3 +1,19 @@
+rsyslog (7.4.4-1ubuntu2.3) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service and possible code execution via
+ invalid PRI value
+ - debian/patches/CVE-2014-3634.patch: limit PRI values in
+ grammar/rainerscript.h, plugins/imfile/imfile.c,
+ plugins/imklog/imklog.c, plugins/imkmsg/imkmsg.c,
+ plugins/imsolaris/imsolaris.c, plugins/imuxsock/imuxsock.c,
+ runtime/msg.c, runtime/parser.c, runtime/rsyslog.h,
+ runtime/srutils.c, runtime/syslogd-types.h, runtime/typedefs.h,
+ tools/syslogd.c.
+ - CVE-2014-3634
+ - CVE-2014-3683
+
+ -- Marc Deslauriers Thu, 02 Oct 2014 11:32:50 -0400
+
 rsyslog (7.4.4-1ubuntu2.1) trusty; urgency=medium
 
 * Enable non-kernel facility klog messages. (LP: #1274444)
diff -Nru rsyslog-7.4.4/debian/patches/CVE-2014-3634.patch rsyslog-7.4.4/debian/patches/CVE-2014-3634.patch
--- rsyslog-7.4.4/debian/patches/CVE-2014-3634.patch 1970-01-01 00:00:00.000000000 +0000
+++ rsyslog-7.4.4/debian/patches/CVE-2014-3634.patch 2014-10-02 15:33:57.000000000 +0000
@@ -0,0 +1,381 @@
+Description: fix denial of service and possible code execution via
+ invalid PRI value
+Origin: backported from prifix.v7-stable patch by Rainer Gerhards, and
+ updated for the CVE-2014-3683 fix
+
+Index: rsyslog-7.4.4/grammar/rainerscript.h
+===================================================================
+--- rsyslog-7.4.4.orig/grammar/rainerscript.h 2013-09-03 06:31:42.000000000 -0400
++++ rsyslog-7.4.4/grammar/rainerscript.h 2014-10-01 08:29:33.484384755 -0400
+@@ -5,9 +5,9 @@
+ #include
+ #include
+ #include
++#include "rsyslog.h"
+
+
+-#define LOG_NFACILITIES 24 /* current number of syslog facilities */
+ #define CNFFUNC_MAX_ARGS 32
+ /**< maximum number of arguments that any function can have (among
+ * others, this is used to size data structures).
+Index: rsyslog-7.4.4/plugins/imfile/imfile.c
+===================================================================
+--- rsyslog-7.4.4.orig/plugins/imfile/imfile.c 2013-09-02 09:12:16.000000000 -0400
++++ rsyslog-7.4.4/plugins/imfile/imfile.c 2014-10-01 08:28:30.304385733 -0400
+@@ -188,8 +188,8 @@
+ MsgSetMSGoffs(pMsg, 0); /* we do not have a header... */
+ MsgSetHOSTNAME(pMsg, glbl.GetLocalHostName(), ustrlen(glbl.GetLocalHostName()));
+ MsgSetTAG(pMsg, pInfo->pszTag, pInfo->lenTag);
+- pMsg->iFacility = LOG_FAC(pInfo->iFacility);
+- pMsg->iSeverity = LOG_PRI(pInfo->iSeverity);
++ pMsg->iFacility = pri2fac(pInfo->iFacility);
++ pMsg->iSeverity = pri2sev(pInfo->iSeverity);
+ MsgSetRuleset(pMsg, pInfo->pRuleset);
+ ratelimitAddMsg(pInfo->ratelimiter, &pInfo->multiSub, pMsg);
+ finalize_it:
+Index: rsyslog-7.4.4/plugins/imklog/imklog.c
+===================================================================
+--- rsyslog-7.4.4.orig/plugins/imklog/imklog.c 2013-08-30 12:30:41.000000000 -0400
++++ rsyslog-7.4.4/plugins/imklog/imklog.c 2014-10-01 08:28:30.304385733 -0400
+@@ -21,7 +21,7 @@
+ * To test under Linux:
+ * echo test1 > /dev/kmsg
+ *
+- * Copyright (C) 2008-2012 Adiscon GmbH
++ * Copyright (C) 2008-2014 Adiscon GmbH
+ *
+ * This file is part of rsyslog.
+ *
+@@ -247,10 +247,10 @@
+ /* if we don't get the pri, we use whatever we were supplied */
+
+ /* ignore non-kernel messages if not permitted */
+- if(cs.bPermitNonKernel == 0 && LOG_FAC(priority) != LOG_KERN)
++ if(cs.bPermitNonKernel == 0 && pri2fac(priority) != LOG_KERN)
+ FINALIZE; /* silently ignore */
+
+- iRet = enqMsg((uchar*)pMsg, (uchar*) "kernel:", LOG_FAC(priority), LOG_PRI(priority), tp);
++ iRet = enqMsg((uchar*)pMsg, (uchar*) "kernel:", pri2fac(priority), pri2sev(priority), tp);
+
+ finalize_it:
+ RETiRet;
+Index: rsyslog-7.4.4/plugins/imkmsg/imkmsg.c
+===================================================================
+--- rsyslog-7.4.4.orig/plugins/imkmsg/imkmsg.c 2013-08-30 12:30:41.000000000 -0400
++++ rsyslog-7.4.4/plugins/imkmsg/imkmsg.c 2014-10-01 08:28:30.304385733 -0400
+@@ -144,7 +144,7 @@
+ rsRetVal Syslog(int priority, uchar *pMsg, struct timeval *tp, struct json_object *json)
+ {
+ DEFiRet;
+- iRet = enqMsg((uchar*)pMsg, (uchar*) "kernel:", LOG_FAC(priority), LOG_PRI(priority), tp, json);
++ iRet = enqMsg((uchar*)pMsg, (uchar*) "kernel:", pri2fac(priority), pri2sev(priority), tp, json);
+ RETiRet;
+ }
+
+Index: rsyslog-7.4.4/plugins/imsolaris/imsolaris.c
+===================================================================
+--- rsyslog-7.4.4.orig/plugins/imsolaris/imsolaris.c 2013-07-19 08:59:02.000000000 -0400
++++ rsyslog-7.4.4/plugins/imsolaris/imsolaris.c 2014-10-01 08:28:30.304385733 -0400
+@@ -209,8 +209,8 @@
+ MsgSetInputName(pMsg, pInputName);
+ MsgSetRawMsg(pMsg, (char*)pRcv, strlen((char*)pRcv));
+ MsgSetHOSTNAME(pMsg, glbl.GetLocalHostName(), ustrlen(glbl.GetLocalHostName()));
+- pMsg->iFacility = LOG_FAC(hdr.pri);
+- pMsg->iSeverity = LOG_PRI(hdr.pri);
++ pMsg->iFacility = pri2fac(hdr.pri);
++ pMsg->iSeverity = pri2sev(hdr.pri);
+ pMsg->msgFlags = NEEDS_PARSING | NO_PRI_IN_RAW;
+ CHKiRet(submitMsg(pMsg));
+ }
+Index: rsyslog-7.4.4/plugins/imuxsock/imuxsock.c
+===================================================================
+--- rsyslog-7.4.4.orig/plugins/imuxsock/imuxsock.c 2013-09-03 06:31:42.000000000 -0400
++++ rsyslog-7.4.4/plugins/imuxsock/imuxsock.c 2014-10-01 08:28:30.304385733 -0400
+@@ -6,7 +6,7 @@
+ *
+ * File begun on 2007-12-20 by RGerhards (extracted from syslogd.c)
+ *
+- * Copyright 2007-2013 Rainer Gerhards and Adiscon GmbH.
++ * Copyright 2007-2014 Rainer Gerhards and Adiscon GmbH.
+ *
+ * This file is part of rsyslog.
+ *
+@@ -775,8 +775,8 @@
+ ++parse;
+ ++offs;
+ }
+- facil = LOG_FAC(pri);
+- sever = LOG_PRI(pri);
++ facil = pri2fac(pri);
++ sever = pri2sev(pri);
+
+ findRatelimiter(pLstn, cred, &ratelimiter); /* ignore error, better so than others... */
+
+Index: rsyslog-7.4.4/runtime/msg.c
+===================================================================
+--- rsyslog-7.4.4.orig/runtime/msg.c 2013-09-03 06:31:42.000000000 -0400
++++ rsyslog-7.4.4/runtime/msg.c 2014-10-01 08:33:31.868381061 -0400
+@@ -90,7 +90,7 @@
+ static struct {
+ uchar *pszName;
+ short lenName;
+-} syslog_pri_names[192] = {
++} syslog_pri_names[200] = {
+ { UCHAR_CONSTANT("0"), 3},
+ { UCHAR_CONSTANT("1"), 3},
+ { UCHAR_CONSTANT("2"), 3},
+@@ -282,22 +282,30 @@
+ { UCHAR_CONSTANT("188"), 5},
+ { UCHAR_CONSTANT("189"), 5},
+ { UCHAR_CONSTANT("190"), 5},
+- { UCHAR_CONSTANT("191"), 5}
++ { UCHAR_CONSTANT("191"), 5},
++ { UCHAR_CONSTANT("192"), 5},
++ { UCHAR_CONSTANT("193"), 5},
++ { UCHAR_CONSTANT("194"), 5},
++ { UCHAR_CONSTANT("195"), 5},
++ { UCHAR_CONSTANT("196"), 5},
++ { UCHAR_CONSTANT("197"), 5},
++ { UCHAR_CONSTANT("198"), 5},
++ { UCHAR_CONSTANT("199"), 5}
+ };
+ static char hexdigit[16] =
+ {'0', '1', '2', '3', '4', '5', '6', '7', '8',
+ '9', 'A', 'B', 'C', 'D', 'E', 'F' };
+
+ /*syslog facility names (as of RFC5424) */
+-static char *syslog_fac_names[24] = { "kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
++static char *syslog_fac_names[LOG_NFACILITIES] = { "kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
+ "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
+ "alert", "clock", "local0", "local1", "local2", "local3",
+- "local4", "local5", "local6", "local7" };
++ "local4", "local5", "local6", "local7", "invld" };
+ /* length of the facility names string (for optimizatiions) */
+-static short len_syslog_fac_names[24] = { 4, 4, 4, 6, 4, 6, 3,
++static short len_syslog_fac_names[LOG_NFACILITIES] = { 4, 4, 4, 6, 4, 6, 3,
+ 4, 4, 4, 8, 3, 3, 5,
+ 5, 5, 6, 6, 6, 6,
+- 6, 6, 6, 6 };
++ 6, 6, 6, 6, 5 };
+
+ /* table of severity names (in numerical order)*/
+ static char *syslog_severity_names[8] = { "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug" };
+@@ -307,8 +315,8 @@
+ * and facility values to a numerical string... -- rgerhars, 2009-06-17
+ */
+
+-static char *syslog_number_names[24] = { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14",
+- "15", "16", "17", "18", "19", "20", "21", "22", "23" };
++static char *syslog_number_names[LOG_NFACILITIES] = { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14",
++ "15", "16", "17", "18", "19", "20", "21", "22", "23", "24" };
+
+ /* global variables */
+ #if defined(HAVE_MALLOC_TRIM) && !defined(HAVE_ATOMIC_BUILTINS)
+@@ -678,8 +686,8 @@
+ pM->flowCtlType = 0;
+ pM->bParseSuccess = 0;
+ pM->iRefCount = 1;
+- pM->iSeverity = -1;
+- pM->iFacility = -1;
++ pM->iSeverity = LOG_DEBUG;
++ pM->iFacility = LOG_INVLD;
+ pM->iLenPROGNAME = -1;
+ pM->offAfterPRI = 0;
+ pM->offMSG = -1;
+@@ -1499,7 +1507,10 @@
+ /* Get PRI value as integer */
+ static int getPRIi(msg_t *pM)
+ {
+- return (pM->iFacility << 3) + (pM->iSeverity);
++ int pri = (pM->iFacility << 3) + (pM->iSeverity);
++ if(pri > 191)
++ pri = LOG_PRI_INVLD;
++ return pri;
+ }
+
+
+@@ -2442,11 +2453,11 @@
+ char *textpri(char *pRes, int pri)
+ {
+ assert(pRes != NULL);
+- memcpy(pRes, syslog_fac_names[LOG_FAC(pri)], len_syslog_fac_names[LOG_FAC(pri)]);
+- pRes[len_syslog_fac_names[LOG_FAC(pri)]] = '.';
+- memcpy(pRes+len_syslog_fac_names[LOG_FAC(pri)]+1,
+- syslog_severity_names[LOG_PRI(pri)],
+- len_syslog_severity_names[LOG_PRI(pri)]+1 /* for \0! */);
++ memcpy(pRes, syslog_fac_names[pri2fac(pri)], len_syslog_fac_names[pri2fac(pri)]);
++ pRes[len_syslog_fac_names[pri2fac(pri)]] = '.';
++ memcpy(pRes+len_syslog_fac_names[pri2fac(pri)]+1,
++ syslog_severity_names[pri2sev(pri)],
++ len_syslog_severity_names[pri2sev(pri)]+1 /* for \0! 
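Review bot: In the msg.c constructor hunk (`@@ -678,8 +686,8 @@`) the new default `pM->iFacility = LOG_INVLD;` stores the shifted PRI-style constant, which the rsyslog.h part of this patch defines as `(LOG_FAC_INVLD<<3)`, i.e. 192, while every other assignment in the patch stores the 0..24 index returned by `pri2fac()`. The facility tables in this file are sized `LOG_NFACILITIES` (25 entries), so any reader that indexes them with `iFacility` before the parser has overwritten the default would read well past the end; whether such a path exists is not visible here. `pM->iFacility = LOG_FAC_INVLD;` looks like the intended value and keeps the field's meaning consistent with the other writers. The enclosing function starts and ends outside the hunk.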
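Review bot: The clamp in getPRIi (`@@ -1499,7 +1507,10 @@`) hard-codes `191` and tests only the upper bound, although this patch introduces `LOG_MAXPRI` for exactly that value. If the result is used to index `syslog_pri_names[200]`, as the table resize earlier in the file suggests, a negative `iFacility` or `iSeverity` would still yield an out-of-range index; `if(pri < 0 || pri > LOG_MAXPRI)` covers both directions and keeps the limit in one place. A short comment such as `/* LOG_PRI_INVLD (199) is the last slot of syslog_pri_names */` would also record why the table has 200 entries.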
*/);
+ return pRes;
+ }
+
+Index: rsyslog-7.4.4/runtime/parser.c
+===================================================================
+--- rsyslog-7.4.4.orig/runtime/parser.c 2013-08-30 12:30:41.000000000 -0400
++++ rsyslog-7.4.4/runtime/parser.c 2014-10-01 08:28:30.304385733 -0400
+@@ -468,11 +468,11 @@
+ }
+ if(*msg == '>')
+ ++msg;
+- if(pri & ~(LOG_FACMASK|LOG_PRIMASK))
+- pri = DEFUPRI;
++ if(pri > LOG_MAXPRI)
++ pri = LOG_PRI_INVLD;
+ }
+- pMsg->iFacility = LOG_FAC(pri);
+- pMsg->iSeverity = LOG_PRI(pri);
++ pMsg->iFacility = pri2fac(pri);
++ pMsg->iSeverity = pri2sev(pri);
+ MsgSetAfterPRIOffs(pMsg, msg - pMsg->pszRawMsg);
+ }
+ RETiRet;
+Index: rsyslog-7.4.4/runtime/rsyslog.h
+===================================================================
+--- rsyslog-7.4.4.orig/runtime/rsyslog.h 2013-09-03 06:31:42.000000000 -0400
++++ rsyslog-7.4.4/runtime/rsyslog.h 2014-10-01 08:28:30.304385733 -0400
+@@ -76,19 +76,58 @@
+ * # End Config Settings # *
+ * ############################################################# */
+
+-/* portability: not all platforms have these defines, so we
+- * define them here if they are missing. -- rgerhards, 2008-03-04
++/* make sure we uses consistent macros, no matter what the
++ * platform gives us.
+ */
+-#ifndef LOG_MAKEPRI
+-# define LOG_MAKEPRI(fac, pri) (((fac) << 3) | (pri))
+-#endif
+-#ifndef LOG_PRI
+-# define LOG_PRI(p) ((p) & LOG_PRIMASK)
+-#endif
+-#ifndef LOG_FAC
+-# define LOG_FAC(p) (((p) & LOG_FACMASK) >> 3)
+-#endif
++#define LOG_NFACILITIES 24+1 /* plus one for our special "invld" facility! 
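Review bot: The new range check `if(pri > LOG_MAXPRI)` in parser.c rejects only values that are too large; the digit-accumulation loop that produces `pri` lies above the hunk, and if it can overflow a signed int on a long run of digits, a negative `pri` passes this test. The result still appears contained because `pri2fac()` converts through `unsigned`, but that leaves the parser's correctness to a side effect of a helper in another file, and signed overflow is itself undefined behaviour. I would make the intent explicit with `if(pri < 0 || pri > LOG_MAXPRI)` and, in the loop, stop accumulating once `pri` exceeds `LOG_MAXPRI`. The enclosing function starts and ends outside the hunk.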
*/
++#define LOG_MAXPRI 191 /* highest supported valid PRI value --> RFC3164, RFC5424 */
++#undef LOG_MAKEPRI
++#define LOG_PRI_INVLD LOG_INVLD|LOG_DEBUG /* PRI is invalid --> special "invld.=debug" PRI code (rsyslog-specific) */
+
++#define LOG_EMERG 0 /* system is unusable */
++#define LOG_ALERT 1 /* action must be taken immediately */
++#define LOG_CRIT 2 /* critical conditions */
++#define LOG_ERR 3 /* error conditions */
++#define LOG_WARNING 4 /* warning conditions */
++#define LOG_NOTICE 5 /* normal but significant condition */
++#define LOG_INFO 6 /* informational */
++#define LOG_DEBUG 7 /* debug-level messages */
++
++#define LOG_KERN (0<<3) /* kernel messages */
++#define LOG_USER (1<<3) /* random user-level messages */
++#define LOG_MAIL (2<<3) /* mail system */
++#define LOG_DAEMON (3<<3) /* system daemons */
++#define LOG_AUTH (4<<3) /* security/authorization messages */
++#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
++#define LOG_LPR (6<<3) /* line printer subsystem */
++#define LOG_NEWS (7<<3) /* network news subsystem */
++#define LOG_UUCP (8<<3) /* UUCP subsystem */
++#define LOG_CRON (9<<3) /* clock daemon */
++#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
++#define LOG_FTP (11<<3) /* ftp daemon */
++#define LOG_LOCAL0 (16<<3) /* reserved for local use */
++#define LOG_LOCAL1 (17<<3) /* reserved for local use */
++#define LOG_LOCAL2 (18<<3) /* reserved for local use */
++#define LOG_LOCAL3 (19<<3) /* reserved for local use */
++#define LOG_LOCAL4 (20<<3) /* reserved for local use */
++#define LOG_LOCAL5 (21<<3) /* reserved for local use */
++#define LOG_LOCAL6 (22<<3) /* reserved for local use */
++#define LOG_LOCAL7 (23<<3) /* reserved for local use */
++#define LOG_FAC_INVLD 24
++#define LOG_INVLD (LOG_FAC_INVLD<<3) /* invalid facility/PRI code */
++
++/* we need to use a function to avoid side-effects. This MUST guard
++ * against invalid facility values. rgerhards, 2014-09-16
++ */
++static inline int pri2fac(const int pri)
++{
++ unsigned fac = pri >> 3;
++ return (fac > 23) ? LOG_FAC_INVLD : fac;
++}
++static inline int pri2sev(const int pri)
++{
++ return pri & 0x07;
++}
+
+ /* the rsyslog core provides information about present feature to plugins
+ * asking it. Below are feature-test macros which must be used to query
+Index: rsyslog-7.4.4/runtime/srutils.c
+===================================================================
+--- rsyslog-7.4.4.orig/runtime/srutils.c 2013-09-03 06:31:42.000000000 -0400
++++ rsyslog-7.4.4/runtime/srutils.c 2014-10-01 08:28:30.304385733 -0400
+@@ -103,6 +103,7 @@
+ {"local5", LOG_LOCAL5},
+ {"local6", LOG_LOCAL6},
+ {"local7", LOG_LOCAL7},
++ {"invld", LOG_INVLD},
+ {NULL, -1},
+ };
+
+Index: rsyslog-7.4.4/runtime/syslogd-types.h
+===================================================================
+--- rsyslog-7.4.4.orig/runtime/syslogd-types.h 2012-11-12 12:01:50.000000000 -0500
++++ rsyslog-7.4.4/runtime/syslogd-types.h 2014-10-01 08:34:44.372379938 -0400
+@@ -4,7 +4,7 @@
+ *
+ * File begun on 2007-07-13 by RGerhards (extracted from syslogd.c)
+ *
+- * Copyright 2007-2012 Adiscon GmbH.
++ * Copyright 2007-2014 Adiscon GmbH.
+ *
+ * This file is part of the rsyslog runtime library.
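Review bot: Two of the new macros in the rsyslog.h hunk expand to unparenthesized expressions: `#define LOG_NFACILITIES 24+1` and `#define LOG_PRI_INVLD LOG_INVLD|LOG_DEBUG`. They behave as intended in the uses visible in this patch (array bounds and plain assignment), but an expression such as `LOG_NFACILITIES * sizeof(x)` or `pri == LOG_PRI_INVLD` would bind to only part of the expansion, and the first macro sizes the very tables that guard against out-of-range facilities. Suggested: `#define LOG_NFACILITIES (24+1)` and `#define LOG_PRI_INVLD (LOG_INVLD|LOG_DEBUG)`. In `pri2fac()` a comment stating that negative input is caught by the conversion to `unsigned` would help as well, since right-shifting a negative int is implementation-defined and the guard is easy to break in a later cleanup.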
+ *
+@@ -27,9 +27,6 @@
+
+ #include "stringbuf.h"
+ #include
+-#if HAVE_SYSLOG_H
+-#include
+-#endif
+
+ /* we use RSTRUE/FALSE to prevent name claches with other packages */
+ #define RSFALSE 0
+Index: rsyslog-7.4.4/runtime/typedefs.h
+===================================================================
+--- rsyslog-7.4.4.orig/runtime/typedefs.h 2013-08-30 12:30:41.000000000 -0400
++++ rsyslog-7.4.4/runtime/typedefs.h 2014-10-01 08:28:30.308385733 -0400
+@@ -209,6 +209,10 @@
+ msg_t **ppMsgs;
+ };
+
++/* some forward-definitions from the grammar */
++struct nvlst;
++struct cnfobj;
++
+ #endif /* multi-include protection */
+ /* vim:set ai:
+ */
+Index: rsyslog-7.4.4/tools/syslogd.c
+===================================================================
+--- rsyslog-7.4.4.orig/tools/syslogd.c 2013-09-03 06:31:42.000000000 -0400
++++ rsyslog-7.4.4/tools/syslogd.c 2014-10-01 08:36:10.664378601 -0400
+@@ -459,8 +459,8 @@
+ pszTag[32] = '\0'; /* just to make sure... */
+ MsgSetTAG(pMsg, pszTag, len);
+ }
+- pMsg->iFacility = LOG_FAC(pri);
+- pMsg->iSeverity = LOG_PRI(pri);
++ pMsg->iFacility = pri2fac(pri);
++ pMsg->iSeverity = pri2sev(pri);
+ flags |= INTERNAL_MSG;
+ pMsg->msgFlags = flags;
+
+@@ -473,7 +473,7 @@
+ * supressor statement.
+ */
+ if(((Debug == DEBUG_FULL || !doFork) && ourConf->globals.bErrMsgToStderr) || iConfigVerify) {
+- if(LOG_PRI(pri) == LOG_ERR)
++ if(pri2sev(pri) == LOG_ERR)
+ fprintf(stderr, "rsyslogd: %s\n", msg);
+ }
+
diff -Nru rsyslog-7.4.4/debian/patches/series rsyslog-7.4.4/debian/patches/series
--- rsyslog-7.4.4/debian/patches/series 2013-12-04 13:11:52.000000000 +0000
+++ rsyslog-7.4.4/debian/patches/series 2014-10-01 12:28:10.000000000 +0000
@@ -1,3 +1,4 @@
 # Debian patches for rsyslog
 01-dont_create_db.patch
 10-initgroups.patch
+CVE-2014-3634.patch