diff -Nru rsyslog-8.32.0/debian/changelog rsyslog-8.32.0/debian/changelog --- rsyslog-8.32.0/debian/changelog 2022-05-03 09:20:37.000000000 +0000 +++ rsyslog-8.32.0/debian/changelog 2022-05-03 09:20:37.000000000 +0000 @@ -1,10 +1,10 @@ -rsyslog (8.32.0-1ubuntu4.1) bionic-security; urgency=medium +rsyslog (8.32.0-1ubuntu4.2) bionic-security; urgency=medium * SECURITY UPDATE: Heap buffer overflow - - debian/patches/CVE-2022-1550.patch: fix a potential heap buffer overflow + - debian/patches/CVE-2022-24903.patch: fix a potential heap buffer overflow adding boundary checks in contrib/imhttp/imhttp.c, plugins/imptcp/imptcp.c, runtime/tcps_sess.c. - - CVE-2022-1550 + - CVE-2022-24903 -- Leonidas Da Silva Barbosa Tue, 03 May 2022 06:20:37 -0300 diff -Nru rsyslog-8.32.0/debian/patches/CVE-2022-1550.patch rsyslog-8.32.0/debian/patches/CVE-2022-1550.patch --- rsyslog-8.32.0/debian/patches/CVE-2022-1550.patch 2022-05-03 09:08:55.000000000 +0000 +++ rsyslog-8.32.0/debian/patches/CVE-2022-1550.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,47 +0,0 @@
-Description: Potential heap buffer overflow ehen octet-counted
-Author: Rainer Gerhards
-
-#Index: rsyslog-8.2102.0/contrib/imhttp/imhttp.c
-#===================================================================
-#--- rsyslog-8.2102.0.orig/contrib/imhttp/imhttp.c
-#+++ rsyslog-8.2102.0/contrib/imhttp/imhttp.c
-#@@ -436,6 +436,9 @@ processOctetMsgLen(const instanceConf_t
-# }
-# // temporarily save this character into the message buffer
-# connWrkr->pMsg[connWrkr->iMsg++] = ch;
-#+ if(connWrkr->iMsg + 1 < s_iMaxLine) {
-#+ connWrkr->pMsg[connWrkr->iMsg++] = ch;
-#+ }
-# } else {
-# const char *remoteAddr = "";
-# if (connWrkr->propRemoteAddr) {
-Index: rsyslog-8.32.0/plugins/imptcp/imptcp.c
-===================================================================
---- rsyslog-8.32.0.orig/plugins/imptcp/imptcp.c
-+++ rsyslog-8.32.0/plugins/imptcp/imptcp.c
-@@ -957,7 +957,9 @@ processDataRcvd(ptcpsess_t *const __rest
- if(pThis->iOctetsRemain <= 200000000) {
- pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
- }
-- *(pThis->pMsg + pThis->iMsg++) = c;
-+ if(pThis->iMsg < iMaxLine) {
-+ *(pThis->pMsg + pThis->iMsg++) = c;
-+ }
- } else { /* done with the octet count, so this must be the SP terminator */
- DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
- prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
-Index: rsyslog-8.32.0/runtime/tcps_sess.c
-===================================================================
---- rsyslog-8.32.0.orig/runtime/tcps_sess.c
-+++ rsyslog-8.32.0/runtime/tcps_sess.c
-@@ -390,7 +390,9 @@ processDataRcvd(tcps_sess_t *pThis,
- if(pThis->iOctetsRemain <= 200000000) {
- pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
- }
-- *(pThis->pMsg + pThis->iMsg++) = c;
-+ if(pThis->iMsg < iMaxLine) {
-+ *(pThis->pMsg + pThis->iMsg++) = c;
-+ }
- } else { /* done with the octet count, so this must be the SP terminator */
- DBGPRINTF("TCP Message with octet-counter, size %d.\n", 
pThis->iOctetsRemain);
- prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
diff -Nru rsyslog-8.32.0/debian/patches/CVE-2022-24903.patch rsyslog-8.32.0/debian/patches/CVE-2022-24903.patch
--- rsyslog-8.32.0/debian/patches/CVE-2022-24903.patch 1970-01-01 00:00:00.000000000 +0000
+++ rsyslog-8.32.0/debian/patches/CVE-2022-24903.patch 2022-05-03 09:08:55.000000000 +0000 
@@ -0,0 +1,47 @@
+Description: Potential heap buffer overflow ehen octet-counted
+Author: Rainer Gerhards
+
+#Index: rsyslog-8.2102.0/contrib/imhttp/imhttp.c
+#===================================================================
+#--- rsyslog-8.2102.0.orig/contrib/imhttp/imhttp.c
+#+++ rsyslog-8.2102.0/contrib/imhttp/imhttp.c
+#@@ -436,6 +436,9 @@ processOctetMsgLen(const instanceConf_t
+# }
+# // temporarily save this character into the message buffer
+# connWrkr->pMsg[connWrkr->iMsg++] = ch;
+#+ if(connWrkr->iMsg + 1 < s_iMaxLine) {
+#+ connWrkr->pMsg[connWrkr->iMsg++] = ch;
+#+ }
+# } else {
+# const char *remoteAddr = "";
+# if (connWrkr->propRemoteAddr) {
+Index: rsyslog-8.32.0/plugins/imptcp/imptcp.c
+===================================================================
+--- rsyslog-8.32.0.orig/plugins/imptcp/imptcp.c
++++ rsyslog-8.32.0/plugins/imptcp/imptcp.c
+@@ -957,7 +957,9 @@ processDataRcvd(ptcpsess_t *const __rest
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+Index: rsyslog-8.32.0/runtime/tcps_sess.c
+===================================================================
+--- rsyslog-8.32.0.orig/runtime/tcps_sess.c
++++ rsyslog-8.32.0/runtime/tcps_sess.c
+@@ -390,7 +390,9 @@ processDataRcvd(tcps_sess_t *pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", 
pThis->iOctetsRemain);
+ prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
diff -Nru rsyslog-8.32.0/debian/patches/series rsyslog-8.32.0/debian/patches/series
--- rsyslog-8.32.0/debian/patches/series 2022-05-03 09:08:50.000000000 +0000
+++ rsyslog-8.32.0/debian/patches/series 2022-05-03 09:20:37.000000000 +0000
@@ -3,4 +3,4 @@
 Fix-building-with-disable-libcurl.patch
 tests-Run-rscript_http_request.sh-only-when-built-with-li.patch
 build-system-Don-t-link-core-against-libcurl-if-expl.patch
-CVE-2022-1550.patch
+CVE-2022-24903.patch
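Review bot: The imhttp.c section of the new debian/patches/CVE-2022-24903.patch is commented out with `#`, so only plugins/imptcp/imptcp.c and runtime/tcps_sess.c actually receive the bounds check, while the changelog entry in this same upload still lists contrib/imhttp/imhttp.c as fixed. Presumably imhttp is not part of the 8.32.0 tree, which would make the omission harmless, but the patch header should say so, e.g. `# imhttp hunk not applied: contrib/imhttp is not shipped in 8.32.0 (confirm)`, and the changelog line should drop that file. The commented hunk also keeps the unguarded `connWrkr->pMsg[connWrkr->iMsg++] = ch;` as context ahead of the guarded copy, so it would still store unchecked if someone re-enabled it as written; deleting the dead block is safer than carrying it. In the two live hunks the guard is `pThis->iMsg < iMaxLine`, which is only sufficient if pMsg is allocated with at least iMaxLine bytes; that allocation and the rest of processDataRcvd lie outside the hunk, so it should be confirmed against the session setup code. The Description line also carries a typo and reads truncated (`ehen octet-counted`).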