helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-05-19 01:55:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

syslog-ng: fix CVE-2022-38725

Browse Source 
Fix buffer handling of syslog and timestamp parsers.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-38725
https://github.com/syslog-ng/syslog-ng/releases
https://github.com/syslog-ng/syslog-ng/pull/4110

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Yogita Urade 2023-04-03 10:42:49 +00:00 committed by Armin Kuster
parent 99047e44ce
commit 571e36e20e
9 changed files with 854 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0001.patch Normal file
View File

@ -0,0 +1,65 @@
From b5a060f2ebb8d794f508436a12e4d4163f94b1b8 Mon Sep 17 00:00:00 2001
From: Laszlo Varady <laszlo.varady@protonmail.com>
Date: Sat, 20 Aug 2022 12:26:05 +0200
Subject: [PATCH 1/8] syslogformat: fix out-of-bounds reading of data buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE: CVE-2022-38725
Upstream-Status: Backport
[https://github.com/syslog-ng/syslog-ng/commit/b5a060f2ebb8d794f508436a12e4d4163f94b1b8]
Signed-off-by: László Várady <laszlo.varady@protonmail.com>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
modules/syslogformat/syslog-format.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c
index aacb525b3..872cc1d71 100644
--- a/modules/syslogformat/syslog-format.c
+++ b/modules/syslogformat/syslog-format.c
@@ -223,6 +223,9 @@ log_msg_parse_cisco_timestamp_attributes(LogMessage *self, const guchar **data,
const guchar *src = *data;
gint left = *length;
+ if (!left)
+ return;
+
/* Cisco timestamp extensions, the first '*' indicates that the clock is
* unsynced, '.' if it is known to be synced */
if (G_UNLIKELY(src[0] == '*'))
@@ -562,7 +565,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF
open_sd++;
do
{
- if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"')
+ if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"')
goto error;
/* read sd_id */
pos = 0;
@@ -595,7 +598,8 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF
sd_id_len = pos;
strcpy(sd_value_name, logmsg_sd_prefix);
strncpy(sd_value_name + logmsg_sd_prefix_len, sd_id_name, sizeof(sd_value_name) - logmsg_sd_prefix_len);
- if (*src == ']')
+
+ if (left && *src == ']')
{
log_msg_set_value_by_name(self, sd_value_name, "", 0);
}
@@ -612,7 +616,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF
else
goto error;
- if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"')
+ if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"')
goto error;
/* read sd-param */
--
2.34.1

150
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0002.patch Normal file
View File

@ -0,0 +1,150 @@
From 81a07263f1e522a376d3a30f96f51df3f2879f8a Mon Sep 17 00:00:00 2001
From: Laszlo Varady <laszlo.varady@protonmail.com>
Date: Sat, 20 Aug 2022 12:22:44 +0200
Subject: [PATCH 2/8] syslogformat: add bug reproducer test for non-zero terminated
input
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE: CVE-2022-38725
Upstream-Status: Backport
[https://github.com/syslog-ng/syslog-ng/commit/81a07263f1e522a376d3a30f96f51df3f2879f8a]
Signed-off-by: László Várady <laszlo.varady@protonmail.com>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
modules/syslogformat/CMakeLists.txt | 1 +
modules/syslogformat/Makefile.am | 2 +
modules/syslogformat/tests/CMakeLists.txt | 1 +
modules/syslogformat/tests/Makefile.am | 9 +++
.../syslogformat/tests/test_syslog_format.c | 72 +++++++++++++++++++
5 files changed, 85 insertions(+)
create mode 100644 modules/syslogformat/tests/CMakeLists.txt
create mode 100644 modules/syslogformat/tests/Makefile.am
create mode 100644 modules/syslogformat/tests/test_syslog_format.c
diff --git a/modules/syslogformat/CMakeLists.txt b/modules/syslogformat/CMakeLists.txt
index 94ee01aa2..64848efee 100644
--- a/modules/syslogformat/CMakeLists.txt
+++ b/modules/syslogformat/CMakeLists.txt
@@ -14,3 +14,4 @@ add_module(
SOURCES ${SYSLOGFORMAT_SOURCES}
)
+add_test_subdirectory(tests)
diff --git a/modules/syslogformat/Makefile.am b/modules/syslogformat/Makefile.am
index f13f88c1b..14cdf589d 100644
--- a/modules/syslogformat/Makefile.am
+++ b/modules/syslogformat/Makefile.am
@@ -31,3 +31,5 @@ modules_syslogformat_libsyslogformat_la_DEPENDENCIES = \
modules/syslogformat modules/syslogformat/ mod-syslogformat: \
modules/syslogformat/libsyslogformat.la
.PHONY: modules/syslogformat/ mod-syslogformat
+
+include modules/syslogformat/tests/Makefile.am
diff --git a/modules/syslogformat/tests/CMakeLists.txt b/modules/syslogformat/tests/CMakeLists.txt
new file mode 100644
index 000000000..2e45b7194
--- /dev/null
+++ b/modules/syslogformat/tests/CMakeLists.txt
@@ -0,0 +1 @@
+add_unit_test(CRITERION TARGET test_syslog_format DEPENDS syslogformat)
diff --git a/modules/syslogformat/tests/Makefile.am b/modules/syslogformat/tests/Makefile.am
new file mode 100644
index 000000000..7ee66a59c
--- /dev/null
+++ b/modules/syslogformat/tests/Makefile.am
@@ -0,0 +1,9 @@
+modules_syslogformat_tests_TESTS = \
+ modules/syslogformat/tests/test_syslog_format
+
+check_PROGRAMS += ${modules_syslogformat_tests_TESTS}
+
+EXTRA_DIST += modules/syslogformat/tests/CMakeLists.txt
+
+modules_syslogformat_tests_test_syslog_format_CFLAGS = $(TEST_CFLAGS) -I$(top_srcdir)/modules/syslogformat
+modules_syslogformat_tests_test_syslog_format_LDADD = $(TEST_LDADD) $(PREOPEN_SYSLOGFORMAT)
diff --git a/modules/syslogformat/tests/test_syslog_format.c b/modules/syslogformat/tests/test_syslog_format.c
new file mode 100644
index 000000000..b247fe3c5
--- /dev/null
+++ b/modules/syslogformat/tests/test_syslog_format.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2022 One Identity
+ * Copyright (c) 2022 László Várady
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * As an additional exemption you are allowed to compile & link against the
+ * OpenSSL libraries as published by the OpenSSL project. See the file
+ * COPYING for details.
+ *
+ */
+
+#include <criterion/criterion.h>
+
+#include "apphook.h"
+#include "cfg.h"
+#include "syslog-format.h"
+#include "logmsg/logmsg.h"
+#include "msg-format.h"
+#include "scratch-buffers.h"
+
+#include <string.h>
+
+GlobalConfig *cfg;
+MsgFormatOptions parse_options;
+
+static void
+setup(void)
+{
+ app_startup();
+ syslog_format_init();
+
+ cfg = cfg_new_snippet();
+ msg_format_options_defaults(&parse_options);
+}
+
+static void
+teardown(void)
+{
+ scratch_buffers_explicit_gc();
+ app_shutdown();
+ cfg_free(cfg);
+}
+
+TestSuite(syslog_format, .init = setup, .fini = teardown);
+
+Test(syslog_format, parser_should_not_spin_on_non_zero_terminated_input, .timeout = 10)
+{
+ const gchar *data = "<182>2022-08-17T05:02:28.217 mymachine su: 'su root' failed for lonvick on /dev/pts/8";
+ /* chosen carefully to reproduce a bug */
+ gsize data_length = 27;
+
+ msg_format_options_init(&parse_options, cfg);
+ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length);
+
+ gsize problem_position;
+ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position));
+
+ msg_format_options_destroy(&parse_options);
+ log_msg_unref(msg);
+}
--
2.34.1

77
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0003.patch Normal file
View File

@ -0,0 +1,77 @@
From 4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d Mon Sep 17 00:00:00 2001
From: Laszlo Varady <laszlo.varady@protonmail.com>
Date: Sun, 21 Aug 2022 18:44:28 +0200
Subject: [PATCH 3/8] syslogformat: fix reading cisco sequence id out of bounds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE: CVE-2022-38725
Upstream-Status: Backport
[https://github.com/syslog-ng/syslog-ng/commit/4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d]
Signed-off-by: László Várady <laszlo.varady@protonmail.com>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
modules/syslogformat/syslog-format.c | 2 +-
.../syslogformat/tests/test_syslog_format.c | 32 +++++++++++++++++++
2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c
index 872cc1d71..a3d48d6f2 100644
--- a/modules/syslogformat/syslog-format.c
+++ b/modules/syslogformat/syslog-format.c
@@ -207,7 +207,7 @@ log_msg_parse_cisco_sequence_id(LogMessage *self, const guchar **data, gint *len
/* if the next char is not space, then we may try to read a date */
- if (*src != ' ')
+ if (!left || *src != ' ')
return;
log_msg_set_value(self, handles.cisco_seqid, (gchar *) *data, *length - left - 1);
diff --git a/modules/syslogformat/tests/test_syslog_format.c b/modules/syslogformat/tests/test_syslog_format.c
index b247fe3c5..d0f5b4043 100644
--- a/modules/syslogformat/tests/test_syslog_format.c
+++ b/modules/syslogformat/tests/test_syslog_format.c
@@ -70,3 +70,35 @@ Test(syslog_format, parser_should_not_spin_on_non_zero_terminated_input, .timeou
msg_format_options_destroy(&parse_options);
log_msg_unref(msg);
}
+
+Test(syslog_format, cisco_sequence_id_non_zero_termination)
+{
+ const gchar *data = "<189>65536: ";
+ gsize data_length = strlen(data);
+
+ msg_format_options_init(&parse_options, cfg);
+ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length);
+
+ gsize problem_position;
+ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position));
+ cr_assert_str_eq(log_msg_get_value_by_name(msg, ".SDATA.meta.sequenceId", NULL), "65536");
+
+ msg_format_options_destroy(&parse_options);
+ log_msg_unref(msg);
+}
+
+Test(syslog_format, minimal_non_zero_terminated_numeric_message_is_parsed_as_program_name)
+{
+ const gchar *data = "<189>65536";
+ gsize data_length = strlen(data);
+
+ msg_format_options_init(&parse_options, cfg);
+ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length);
+
+ gsize problem_position;
+ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position));
+ cr_assert_str_eq(log_msg_get_value_by_name(msg, "PROGRAM", NULL), "65536");
+
+ msg_format_options_destroy(&parse_options);
+ log_msg_unref(msg);
+}
--
2.34.1

37
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0004.patch Normal file
View File

@ -0,0 +1,37 @@
From 73b5c300b8fde5e7a4824baa83a04931279abb37 Mon Sep 17 00:00:00 2001
From: Laszlo Varady <laszlo.varady@protonmail.com>
Date: Sat, 20 Aug 2022 12:42:38 +0200
Subject: [PATCH 4/8] timeutils: fix iterating out of the range of timestamp buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE: CVE-2022-38725
Upstream-Status: Backport
[https://github.com/syslog-ng/syslog-ng/commit/73b5c300b8fde5e7a4824baa83a04931279abb37]
Signed-off-by: László Várady <laszlo.varady@protonmail.com>
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
lib/timeutils/scan-timestamp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c
index 304a57673..4fbe94a36 100644
--- a/lib/timeutils/scan-timestamp.c
+++ b/lib/timeutils/scan-timestamp.c
@@ -332,7 +332,7 @@ __parse_usec(const guchar **data, gint *length)
src++;
(*length)--;
}
- while (isdigit(*src))
+ while (*length > 0 && isdigit(*src))
{
src++;
(*length)--;
--
2.34.1

211
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0005.patch Normal file
View File

@ -0,0 +1,211 @@
From 45f051239312e43bd4f92b9339fe67c6798a0321 Mon Sep 17 00:00:00 2001
From: Balazs Scheidler <bazsi77@gmail.com>
Date: Sat, 20 Aug 2022 12:43:42 +0200
Subject: [PATCH 5/8] timeutils: add tests for non-zero terminated inputs
CVE: CVE-2022-38725
Upstream-Status: Backport
[https://github.com/syslog-ng/syslog-ng/commit/45f051239312e43bd4f92b9339fe67c6798a0321]
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
lib/timeutils/tests/test_scan-timestamp.c | 126 +++++++++++++++++++---
1 file changed, 113 insertions(+), 13 deletions(-)
diff --git a/lib/timeutils/tests/test_scan-timestamp.c b/lib/timeutils/tests/test_scan-timestamp.c
index 27b76f12d..468bbf779 100644
--- a/lib/timeutils/tests/test_scan-timestamp.c
+++ b/lib/timeutils/tests/test_scan-timestamp.c
@@ -50,17 +50,21 @@ fake_time_add(time_t diff)
}
static gboolean
-_parse_rfc3164(const gchar *ts, gchar isotimestamp[32])
+_parse_rfc3164(const gchar *ts, gint len, gchar isotimestamp[32])
{
UnixTime stamp;
- const guchar *data = (const guchar *) ts;
- gint length = strlen(ts);
+ const guchar *tsu = (const guchar *) ts;
+ gint tsu_len = len < 0 ? strlen(ts) : len;
GString *result = g_string_new("");
WallClockTime wct = WALL_CLOCK_TIME_INIT;
-
+ const guchar *data = tsu;
+ gint length = tsu_len;
gboolean success = scan_rfc3164_timestamp(&data, &length, &wct);
+ cr_assert(length >= 0);
+ cr_assert(data == &tsu[tsu_len - length]);
+
unix_time_unset(&stamp);
convert_wall_clock_time_to_unix_time(&wct, &stamp);
@@ -71,16 +75,21 @@ _parse_rfc3164(const gchar *ts, gchar isotimestamp[32])
}
static gboolean
-_parse_rfc5424(const gchar *ts, gchar isotimestamp[32])
+_parse_rfc5424(const gchar *ts, gint len, gchar isotimestamp[32])
{
UnixTime stamp;
- const guchar *data = (const guchar *) ts;
- gint length = strlen(ts);
+ const guchar *tsu = (const guchar *) ts;
+ gint tsu_len = len < 0 ? strlen(ts) : len;
GString *result = g_string_new("");
WallClockTime wct = WALL_CLOCK_TIME_INIT;
+ const guchar *data = tsu;
+ gint length = tsu_len;
gboolean success = scan_rfc5424_timestamp(&data, &length, &wct);
+ cr_assert(length >= 0);
+ cr_assert(data == &tsu[tsu_len - length]);
+
unix_time_unset(&stamp);
convert_wall_clock_time_to_unix_time(&wct, &stamp);
@@ -91,31 +100,60 @@ _parse_rfc5424(const gchar *ts, gchar isotimestamp[32])
}
static gboolean
-_rfc3164_timestamp_eq(const gchar *ts, const gchar *expected, gchar converted[32])
+_rfc3164_timestamp_eq(const gchar *ts, gint len, const gchar *expected, gchar converted[32])
{
- cr_assert(_parse_rfc3164(ts, converted));
+ cr_assert(_parse_rfc3164(ts, len, converted));
return strcmp(converted, expected) == 0;
}
static gboolean
-_rfc5424_timestamp_eq(const gchar *ts, const gchar *expected, gchar converted[32])
+_rfc5424_timestamp_eq(const gchar *ts, gint len, const gchar *expected, gchar converted[32])
{
- cr_assert(_parse_rfc5424(ts, converted));
+ cr_assert(_parse_rfc5424(ts, len, converted));
return strcmp(converted, expected) == 0;
}
#define _expect_rfc3164_timestamp_eq(ts, expected) \
({ \
gchar converted[32]; \
- cr_expect(_rfc3164_timestamp_eq(ts, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \
+ cr_expect(_rfc3164_timestamp_eq(ts, -1, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \
+ })
+
+#define _expect_rfc3164_timestamp_len_eq(ts, len, expected) \
+ ({ \
+ gchar converted[32]; \
+ cr_expect(_rfc3164_timestamp_eq(ts, len, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \
+ })
+
+#define _expect_rfc3164_fails(ts, len) \
+ ({ \
+ WallClockTime wct = WALL_CLOCK_TIME_INIT; \
+ const guchar *data = (guchar *) ts; \
+ gint length = len < 0 ? strlen(ts) : len; \
+ cr_assert_not(scan_rfc3164_timestamp(&data, &length, &wct)); \
})
#define _expect_rfc5424_timestamp_eq(ts, expected) \
({ \
gchar converted[32]; \
- cr_expect(_rfc5424_timestamp_eq(ts, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \
+ cr_expect(_rfc5424_timestamp_eq(ts, -1, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \
+ })
+
+#define _expect_rfc5424_timestamp_len_eq(ts, len, expected) \
+ ({ \
+ gchar converted[32]; \
+ cr_expect(_rfc5424_timestamp_eq(ts, len, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \
+ })
+
+#define _expect_rfc5424_fails(ts, len) \
+ ({ \
+ WallClockTime wct = WALL_CLOCK_TIME_INIT; \
+ const guchar *data = (guchar *) ts; \
+ gint length = len < 0 ? strlen(ts) : len; \
+ cr_assert_not(scan_rfc5424_timestamp(&data, &length, &wct)); \
})
+
Test(parse_timestamp, standard_bsd_format)
{
_expect_rfc3164_timestamp_eq("Oct 1 17:46:12", "2017-10-01T17:46:12.000+02:00");
@@ -164,6 +202,68 @@ Test(parse_timestamp, standard_bsd_format_year_in_the_past)
_expect_rfc3164_timestamp_eq("Dec 31 17:46:12", "2017-12-31T17:46:12.000+01:00");
}
+Test(parse_timestamp, non_zero_terminated_rfc3164_iso_input_is_handled_properly)
+{
+ gchar *ts = "2022-08-17T05:02:28.417Z whatever";
+ gint ts_len = 24;
+
+ _expect_rfc3164_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.417+00:00");
+ _expect_rfc3164_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.417+00:00");
+ _expect_rfc3164_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.417+00:00");
+
+ /* no "Z" parsed, timezone defaults to local, forced CET */
+ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 1, "2022-08-17T05:02:28.417+02:00");
+
+ /* msec is partially parsed as we trim the string from the right */
+ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 2, "2022-08-17T05:02:28.410+02:00");
+ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 3, "2022-08-17T05:02:28.400+02:00");
+ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 4, "2022-08-17T05:02:28.000+02:00");
+ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 5, "2022-08-17T05:02:28.000+02:00");
+
+ for (gint i = 6; i < ts_len; i++)
+ _expect_rfc3164_fails(ts, ts_len - i);
+
+}
+
+Test(parse_timestamp, non_zero_terminated_rfc3164_bsd_pix_or_asa_input_is_handled_properly)
+{
+ gchar *ts = "Aug 17 2022 05:02:28: whatever";
+ gint ts_len = 21;
+
+ _expect_rfc3164_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.000+02:00");
+ _expect_rfc3164_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.000+02:00");
+ _expect_rfc3164_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.000+02:00");
+
+ /* no ":" at the end, that's a problem, unrecognized */
+ _expect_rfc3164_fails(ts, ts_len - 1);
+
+ for (gint i = 1; i < ts_len; i++)
+ _expect_rfc3164_fails(ts, ts_len - i);
+}
+
+Test(parse_timestamp, non_zero_terminated_rfc5424_input_is_handled_properly)
+{
+ gchar *ts = "2022-08-17T05:02:28.417Z whatever";
+ gint ts_len = 24;
+
+ _expect_rfc5424_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.417+00:00");
+ _expect_rfc5424_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.417+00:00");
+ _expect_rfc5424_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.417+00:00");
+
+ /* no "Z" parsed, timezone defaults to local, forced CET */
+ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 1, "2022-08-17T05:02:28.417+02:00");
+
+ /* msec is partially parsed as we trim the string from the right */
+ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 2, "2022-08-17T05:02:28.410+02:00");
+ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 3, "2022-08-17T05:02:28.400+02:00");
+ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 4, "2022-08-17T05:02:28.000+02:00");
+ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 5, "2022-08-17T05:02:28.000+02:00");
+
+ for (gint i = 6; i < ts_len; i++)
+ _expect_rfc5424_fails(ts, ts_len - i);
+
+}
+
Test(parse_timestamp, daylight_saving_behavior_at_spring_with_explicit_timezones)
{
--
2.34.1

180
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0006.patch Normal file
View File

@ -0,0 +1,180 @@
From 09f489c89c826293ff8cbd282cfc866ab56054c4 Mon Sep 17 00:00:00 2001
From: Laszlo Varady <laszlo.varady@protonmail.com>
Date: Sat, 20 Aug 2022 14:29:43 +0200
Subject: [PATCH 6/8] timeutils: name repeating constant
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE: CVE-2022-38725
Upstream-Status: Backport
[https://github.com/syslog-ng/syslog-ng/commit/09f489c89c826293ff8cbd282cfc866ab56054c4]
Signed-off-by: László Várady <laszlo.varady@protonmail.com>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
lib/timeutils/scan-timestamp.c | 54 ++++++++++++++++++----------------
1 file changed, 29 insertions(+), 25 deletions(-)
diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c
index 4fbe94a36..d22d50973 100644
--- a/lib/timeutils/scan-timestamp.c
+++ b/lib/timeutils/scan-timestamp.c
@@ -34,41 +34,43 @@ scan_day_abbrev(const gchar **buf, gint *left, gint *wday)
{
*wday = -1;
- if (*left < 3)
+ const gsize abbrev_length = 3;
+
+ if (*left < abbrev_length)
return FALSE;
switch (**buf)
{
case 'S':
- if (strncasecmp(*buf, "Sun", 3) == 0)
+ if (strncasecmp(*buf, "Sun", abbrev_length) == 0)
*wday = 0;
- else if (strncasecmp(*buf, "Sat", 3) == 0)
+ else if (strncasecmp(*buf, "Sat", abbrev_length) == 0)
*wday = 6;
else
return FALSE;
break;
case 'M':
- if (strncasecmp(*buf, "Mon", 3) == 0)
+ if (strncasecmp(*buf, "Mon", abbrev_length) == 0)
*wday = 1;
else
return FALSE;
break;
case 'T':
- if (strncasecmp(*buf, "Tue", 3) == 0)
+ if (strncasecmp(*buf, "Tue", abbrev_length) == 0)
*wday = 2;
- else if (strncasecmp(*buf, "Thu", 3) == 0)
+ else if (strncasecmp(*buf, "Thu", abbrev_length) == 0)
*wday = 4;
else
return FALSE;
break;
case 'W':
- if (strncasecmp(*buf, "Wed", 3) == 0)
+ if (strncasecmp(*buf, "Wed", abbrev_length) == 0)
*wday = 3;
else
return FALSE;
break;
case 'F':
- if (strncasecmp(*buf, "Fri", 3) == 0)
+ if (strncasecmp(*buf, "Fri", abbrev_length) == 0)
*wday = 5;
else
return FALSE;
@@ -77,8 +79,8 @@ scan_day_abbrev(const gchar **buf, gint *left, gint *wday)
return FALSE;
}
- (*buf) += 3;
- (*left) -= 3;
+ (*buf) += abbrev_length;
+ (*left) -= abbrev_length;
return TRUE;
}
@@ -87,63 +89,65 @@ scan_month_abbrev(const gchar **buf, gint *left, gint *mon)
{
*mon = -1;
- if (*left < 3)
+ const gsize abbrev_length = 3;
+
+ if (*left < abbrev_length)
return FALSE;
switch (**buf)
{
case 'J':
- if (strncasecmp(*buf, "Jan", 3) == 0)
+ if (strncasecmp(*buf, "Jan", abbrev_length) == 0)
*mon = 0;
- else if (strncasecmp(*buf, "Jun", 3) == 0)
+ else if (strncasecmp(*buf, "Jun", abbrev_length) == 0)
*mon = 5;
- else if (strncasecmp(*buf, "Jul", 3) == 0)
+ else if (strncasecmp(*buf, "Jul", abbrev_length) == 0)
*mon = 6;
else
return FALSE;
break;
case 'F':
- if (strncasecmp(*buf, "Feb", 3) == 0)
+ if (strncasecmp(*buf, "Feb", abbrev_length) == 0)
*mon = 1;
else
return FALSE;
break;
case 'M':
- if (strncasecmp(*buf, "Mar", 3) == 0)
+ if (strncasecmp(*buf, "Mar", abbrev_length) == 0)
*mon = 2;
- else if (strncasecmp(*buf, "May", 3) == 0)
+ else if (strncasecmp(*buf, "May", abbrev_length) == 0)
*mon = 4;
else
return FALSE;
break;
case 'A':
- if (strncasecmp(*buf, "Apr", 3) == 0)
+ if (strncasecmp(*buf, "Apr", abbrev_length) == 0)
*mon = 3;
- else if (strncasecmp(*buf, "Aug", 3) == 0)
+ else if (strncasecmp(*buf, "Aug", abbrev_length) == 0)
*mon = 7;
else
return FALSE;
break;
case 'S':
- if (strncasecmp(*buf, "Sep", 3) == 0)
+ if (strncasecmp(*buf, "Sep", abbrev_length) == 0)
*mon = 8;
else
return FALSE;
break;
case 'O':
- if (strncasecmp(*buf, "Oct", 3) == 0)
+ if (strncasecmp(*buf, "Oct", abbrev_length) == 0)
*mon = 9;
else
return FALSE;
break;
case 'N':
- if (strncasecmp(*buf, "Nov", 3) == 0)
+ if (strncasecmp(*buf, "Nov", abbrev_length) == 0)
*mon = 10;
else
return FALSE;
break;
case 'D':
- if (strncasecmp(*buf, "Dec", 3) == 0)
+ if (strncasecmp(*buf, "Dec", abbrev_length) == 0)
*mon = 11;
else
return FALSE;
@@ -152,8 +156,8 @@ scan_month_abbrev(const gchar **buf, gint *left, gint *mon)
return FALSE;
}
- (*buf) += 3;
- (*left) -= 3;
+ (*buf) += abbrev_length;
+ (*left) -= abbrev_length;
return TRUE;
}
--
2.34.1

81
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0007.patch Normal file
View File

@ -0,0 +1,81 @@
From 8c6e2c1c41b0fcc5fbd464c35f4dac7102235396 Mon Sep 17 00:00:00 2001
From: Laszlo Varady <laszlo.varady@protonmail.com>
Date: Sat, 20 Aug 2022 14:30:22 +0200
Subject: [PATCH 7/8] timeutils: fix invalid calculation of ISO timestamp length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE: CVE-2022-38725
Upstream-Status: Backport
[https://github.com/syslog-ng/syslog-ng/commit/8c6e2c1c41b0fcc5fbd464c35f4dac7102235396]
Signed-off-by: László Várady <laszlo.varady@protonmail.com>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
lib/timeutils/scan-timestamp.c | 8 ++++++--
lib/timeutils/tests/test_scan-timestamp.c | 7 +++++++
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c
index d22d50973..125264677 100644
--- a/lib/timeutils/scan-timestamp.c
+++ b/lib/timeutils/scan-timestamp.c
@@ -350,19 +350,21 @@ __parse_usec(const guchar **data, gint *length)
static gboolean
__has_iso_timezone(const guchar *src, gint length)
{
- return (length >= 5) &&
+ return (length >= 6) &&
(*src == '+' || *src == '-') &&
isdigit(*(src+1)) &&
isdigit(*(src+2)) &&
*(src+3) == ':' &&
isdigit(*(src+4)) &&
isdigit(*(src+5)) &&
- !isdigit(*(src+6));
+ (length < 7 || !isdigit(*(src+6)));
}
static guint32
__parse_iso_timezone(const guchar **data, gint *length)
{
+ g_assert(*length >= 6);
+
gint hours, mins;
const guchar *src = *data;
guint32 tz = 0;
@@ -372,8 +374,10 @@ __parse_iso_timezone(const guchar **data, gint *length)
hours = (*(src + 1) - '0') * 10 + *(src + 2) - '0';
mins = (*(src + 4) - '0') * 10 + *(src + 5) - '0';
tz = sign * (hours * 3600 + mins * 60);
+
src += 6;
(*length) -= 6;
+
*data = src;
return tz;
}
diff --git a/lib/timeutils/tests/test_scan-timestamp.c b/lib/timeutils/tests/test_scan-timestamp.c
index 468bbf779..d18bdc65d 100644
--- a/lib/timeutils/tests/test_scan-timestamp.c
+++ b/lib/timeutils/tests/test_scan-timestamp.c
@@ -264,6 +264,13 @@ Test(parse_timestamp, non_zero_terminated_rfc5424_input_is_handled_properly)
}
+Test(parse_timestamp, non_zero_terminated_rfc5424_timestamp_only)
+{
+ const gchar *ts = "2022-08-17T05:02:28.417+03:00";
+ gint ts_len = strlen(ts);
+ _expect_rfc5424_timestamp_len_eq(ts, ts_len, ts);
+}
+
Test(parse_timestamp, daylight_saving_behavior_at_spring_with_explicit_timezones)
{
--
2.34.1

45
meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0008.patch Normal file
View File

@ -0,0 +1,45 @@
From 56f881c5eaa3d8c02c96607c4b9e4eaf959a044d Mon Sep 17 00:00:00 2001
From: Laszlo Varady <laszlo.varady@protonmail.com>
Date: Sat, 20 Aug 2022 14:30:51 +0200
Subject: [PATCH 8/8/] timeutils: fix out-of-bounds reading of data buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE: CVE-2022-38725
Upstream-Status: Backport
[https://github.com/syslog-ng/syslog-ng/commit/56f881c5eaa3d8c02c96607c4b9e4eaf959a044d]
Signed-off-by: László Várady <laszlo.varady@protonmail.com>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
lib/timeutils/scan-timestamp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c
index 125264677..c00d8e6a9 100644
--- a/lib/timeutils/scan-timestamp.c
+++ b/lib/timeutils/scan-timestamp.c
@@ -431,7 +431,7 @@ __parse_bsd_timestamp(const guchar **data, gint *length, WallClockTime *wct)
if (!scan_pix_timestamp((const gchar **) &src, &left, wct))
return FALSE;
- if (*src == ':')
+ if (left && *src == ':')
{
src++;
left--;
@@ -482,7 +482,7 @@ scan_rfc3164_timestamp(const guchar **data, gint *length, WallClockTime *wct)
* looking at you, skip that as well, so we can reliably detect IPv6
* addresses as hostnames, which would be using ":" as well. */
- if (*src == ':')
+ if (left && *src == ':')
{
++src;
--left;
--
2.34.1

8
meta-oe/recipes-support/syslog-ng/syslog-ng_3.36.1.bb
View File

@ -22,6 +22,14 @@ SRC_URI = "https://github.com/balabit/syslog-ng/releases/download/${BP}/${BP}.ta
file://volatiles.03_syslog-ng \
file://syslog-ng-tmp.conf \
file://syslog-ng.service-the-syslog-ng-service.patch \
file://CVE-2022-38725-0001.patch \
file://CVE-2022-38725-0002.patch \
file://CVE-2022-38725-0003.patch \
file://CVE-2022-38725-0004.patch \
file://CVE-2022-38725-0005.patch \
file://CVE-2022-38725-0006.patch \
file://CVE-2022-38725-0007.patch \
file://CVE-2022-38725-0008.patch \
"
SRC_URI[sha256sum] = "90a25c9767fe749db50f118ddfc92ec71399763d2ecd5ad4f11ff5eea049e60b"