authorLars Wendler <polynomial-c@gentoo.org>2014-10-04 09:21:57 +0000
committerLars Wendler <polynomial-c@gentoo.org>2014-10-04 09:21:57 +0000
commitb689b614915c705e58aada9dda5354ddccd66cff (patch)
tree69a20de441a33feaa3b8a854830375b7a5fb7806 /app-admin
parentremove some old (diff)
Security bump (bug #524058). Remote syslog PRI vulnerability (CVE-2014-3634). Removed old
(Portage version: 2.2.14_rc1/cvs/Linux x86_64, signed Manifest commit with key 0x981CA6FC)
Diffstat (limited to 'app-admin')
-rw-r--r--app-admin/sysklogd/ChangeLog10
-rw-r--r--app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff91
-rw-r--r--app-admin/sysklogd/sysklogd-1.5-r4.ebuild (renamed from app-admin/sysklogd/sysklogd-1.5-r1.ebuild)43
-rw-r--r--app-admin/sysklogd/sysklogd-1.5.ebuild55
4 files changed, 125 insertions, 74 deletions
diff --git a/app-admin/sysklogd/ChangeLog b/app-admin/sysklogd/ChangeLog
index b5bd52bbb37b..7d102fdf4a22 100644
--- a/app-admin/sysklogd/ChangeLog
+++ b/app-admin/sysklogd/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for app-admin/sysklogd
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/sysklogd/ChangeLog,v 1.89 2014/09/26 19:40:47 axs Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-admin/sysklogd/ChangeLog,v 1.90 2014/10/04 09:21:57 polynomial-c Exp $
+
+*sysklogd-1.5-r4 (04 Oct 2014)
+
+ 04 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> -sysklogd-1.5.ebuild,
+ -sysklogd-1.5-r1.ebuild, +sysklogd-1.5-r4.ebuild,
+ +files/sysklogd-1.5_CVE-2014-3634.diff:
+ Security bump (bug #524058). Remote syslog PRI vulnerability (CVE-2014-3634).
+ Removed old.
26 Sep 2014; Ian Stakenvicius (_AxS_) <axs@gentoo.org>
+files/sysklogd-1.5-debian-cron.patch:
diff --git a/app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff b/app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff
new file mode 100644
index 000000000000..bc64756f1854
--- /dev/null
+++ b/app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff
@@ -0,0 +1,91 @@
+From 43797330e75d7d4687b7ae6926a996c3c85c2679 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Wed, 1 Oct 2014
+Subject: CVE-2014-3634
+
+Rainer Gerhards, rsyslog project leader, discovered an issue in rsyslogd
+where invalid priority values can trigger DoS and potentially RCE.
+
+As his analysis reveals, the cause of the problem identified in rsyslog's
+rsyslogd also exists in sysklogd's syslogd (from which rsyslogd was forked)
+and stems from the use of a (LOG_FACMASK|LOG_PRIMASK) mask to detect invalid
+priority values.
+
+In sysklogd's syslogd, invalid priority values between 192 and 1023 (directly
+or arrived at via overflow wraparound) can propagate through code causing
+out-of-bounds access to the f_pmask array within the 'filed' structure by up
+to 104 bytes past its end. Though most likely insufficient to reach
+unallocated memory because there are around 544 bytes past f_pmask in 'filed'
+(mod packing and other differences), incorrect access of fields at higher
+positions of the 'filed' structure definition can cause unexpected behavior
+including message mis-classification, forwarding issues, message loss,
+or other.
+
+This patch imposes a restriction on PRI message parts and requires they
+be properly-delimited priority value strings that have non-negative
+numerical values not exceeding 191. As before, sysklogd's syslogd permits
+zero padding to not break compatibility with RFC-non-compliant loggers that
+issue PRIs such as <0091>. Messages without well-formed PRI parts get
+logged with priority user.notice (13). (c.f. RFC 3164)
+
+Thanks to Rainer Gerhards for the initial report and analysis.
+
+[1] http://www.rsyslog.com/remote-syslog-pri-vulnerability/
+[2] http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/
+
+---
+ syslogd.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/syslogd.c
++++ b/syslogd.c
+@@ -632,6 +632,8 @@ int funix[MAXFUNIX] = { -1, };
+ #define TABLE_ALLPRI 0xFF /* Value to indicate all priorities in f_pmask */
+ #define LOG_MARK LOG_MAKEPRI(LOG_NFACILITIES, 0) /* mark "facility" */
+
++#define MAX_PRI 191 /* Maximum Priority per RFC 3164 */
++
+ /*
+ * Flags to logmsg().
+ */
+@@ -1491,23 +1493,34 @@ void printline(hname, msg)
+ register char *p, *q;
+ register unsigned char c;
+ char line[MAXLINE + 1];
+- int pri;
++ unsigned int pri; // Valid Priority values are 0-191
++ int prilen=0; // Track Priority value string len
++ int msglen;
+
+ /* test for special codes */
++ msglen=strlen(msg);
+ pri = DEFUPRI;
+ p = msg;
+
+ if (*p == '<') {
+ pri = 0;
+- while (isdigit(*++p))
+- {
+- pri = 10 * pri + (*p - '0');
++ while (--msglen > 0 && isdigit((unsigned char)*++p) &&
++ pri <= MAX_PRI) {
++ pri = 10 * pri + (*p - '0');
++ prilen++;
+ }
+- if (*p == '>')
++ if (*p == '>' && prilen)
+ ++p;
++ else {
++ pri = DEFUPRI;
++ p = msg;
++ }
+ }
+- if (pri &~ (LOG_FACMASK|LOG_PRIMASK))
++
++ if ((pri &~ (LOG_FACMASK|LOG_PRIMASK)) || (pri > MAX_PRI)) {
+ pri = DEFUPRI;
++ p = msg;
++ }
+
+ memset (line, 0, sizeof(line));
+ q = line;
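Review bot: The new bound `MAX_PRI 191` is a bare constant, and printline() is the only place this hunk enforces it; the f_pmask indexing that the description says goes out of bounds is outside the hunk, so any other path that hands a priority to that code would not be covered (not verifiable from here). Tying the limit to the table size, e.g. `#define MAX_PRI ((LOG_NFACILITIES << 3) - 1)` (191 when LOG_NFACILITIES is 24), and adding a range check next to the array access would keep the guard correct if either side changes. With `pri > MAX_PRI` in place, the older `pri &~ (LOG_FACMASK|LOG_PRIMASK)` test looks redundant for an unsigned value under the usual syslog.h masks. The two `//` comments also differ from the `/* */` style of the surrounding K&R-style code. printline()'s body continues past the end of the hunk.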
diff --git a/app-admin/sysklogd/sysklogd-1.5-r1.ebuild b/app-admin/sysklogd/sysklogd-1.5-r4.ebuild
index f7e9a617cba1..0ece02bd7349 100644
--- a/app-admin/sysklogd/sysklogd-1.5-r1.ebuild
+++ b/app-admin/sysklogd/sysklogd-1.5-r4.ebuild
@@ -1,6 +1,8 @@
-# Copyright 1999-2011 Gentoo Foundation
+# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/sysklogd/sysklogd-1.5-r1.ebuild,v 1.2 2011/04/07 07:51:22 ultrabug Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-admin/sysklogd/sysklogd-1.5-r4.ebuild,v 1.1 2014/10/04 09:21:57 polynomial-c Exp $
+
+EAPI="4"
inherit eutils flag-o-matic toolchain-funcs
@@ -12,18 +14,19 @@ SRC_URI="http://www.infodrom.org/projects/sysklogd/download/${P}.tar.gz
LICENSE="BSD"
SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE=""
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="logrotate"
RESTRICT="test"
DEPEND=""
RDEPEND="dev-lang/perl
sys-apps/debianutils"
-src_unpack() {
- unpack ${A}
+src_prepare() {
+ pushd "${WORKDIR}" >/dev/null
epatch "${WORKDIR}"/${PN}_${PV}-${DEB_VER}.diff
- cd "${S}"
+ popd >/dev/null
+
epatch "${FILESDIR}"/${P}-debian-cron.patch
epatch "${FILESDIR}"/${P}-build.patch
@@ -33,25 +36,29 @@ src_unpack() {
epatch "${FILESDIR}"/${PN}-1.4.2-caen-owl-klogd-drop-root.diff
epatch "${FILESDIR}"/${P}-syslog-func-collision.patch #342601
-
- append-lfs-flags
+ epatch "${FILESDIR}"/${P}_CVE-2014-3634.diff #524058
}
-src_compile() {
+src_configure() {
+ append-lfs-flags
tc-export CC
- emake || die
}
src_install() {
- dosbin syslogd klogd debian/syslog-facility debian/syslogd-listfiles || die "dosbin"
+ dosbin syslogd klogd debian/syslog-facility debian/syslogd-listfiles
doman *.[1-9] debian/syslogd-listfiles.8
insinto /etc
- doins debian/syslog.conf || die
- exeinto /etc/cron.daily
- newexe debian/cron.daily syslog || die
- exeinto /etc/cron.weekly
- newexe debian/cron.weekly syslog || die
+ doins debian/syslog.conf
+ if use logrotate ; then
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/sysklogd.logrotate sysklogd
+ else
+ exeinto /etc/cron.daily
+ newexe debian/cron.daily syslog
+ exeinto /etc/cron.weekly
+ newexe debian/cron.weekly syslog
+ fi
dodoc ANNOUNCE CHANGES NEWS README.1st README.linux
- newinitd "${FILESDIR}"/sysklogd.rc6 sysklogd
+ newinitd "${FILESDIR}"/sysklogd.rc7 sysklogd
newconfd "${FILESDIR}"/sysklogd.confd sysklogd
}
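Review bot: With `USE=logrotate` the cron.daily and cron.weekly rotation scripts are no longer installed, but `RDEPEND` (unchanged context in the previous hunk) does not pull in a rotation tool, so on a system without logrotate the syslog files would grow without being rotated. Consider adding `logrotate? ( app-admin/logrotate )` to `RDEPEND`, or stating the requirement in a `pkg_postinst` message. `sysklogd.logrotate` and `sysklogd.rc7` are referenced from `${FILESDIR}` but, going by the diffstat, are not added by this commit, so they are presumably already in the tree; worth confirming before the old revisions are dropped.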
diff --git a/app-admin/sysklogd/sysklogd-1.5.ebuild b/app-admin/sysklogd/sysklogd-1.5.ebuild
deleted file mode 100644
index f858caab1bd7..000000000000
--- a/app-admin/sysklogd/sysklogd-1.5.ebuild
+++ /dev/null
@@ -1,55 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/sysklogd/sysklogd-1.5.ebuild,v 1.2 2011/04/07 07:51:22 ultrabug Exp $
-
-inherit eutils flag-o-matic toolchain-funcs
-
-DEB_VER="3"
-DESCRIPTION="Standard log daemons"
-HOMEPAGE="http://www.infodrom.org/projects/sysklogd/"
-SRC_URI="http://www.infodrom.org/projects/sysklogd/download/${P}.tar.gz
- mirror://debian/pool/main/s/sysklogd/${PN}_${PV}-${DEB_VER}.diff.gz"
-
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE=""
-RESTRICT="test"
-
-DEPEND=""
-RDEPEND="dev-lang/perl
- sys-apps/debianutils"
-
-src_unpack() {
- unpack ${A}
- epatch "${WORKDIR}"/${PN}_${PV}-${DEB_VER}.diff
- cd "${S}"
- epatch "${FILESDIR}"/${P}-debian-cron.patch
- epatch "${FILESDIR}"/${P}-build.patch
-
- # CAEN/OWL security patches
- epatch "${FILESDIR}"/${PN}-1.4.2-caen-owl-syslogd-bind.diff
- epatch "${FILESDIR}"/${PN}-1.4.2-caen-owl-syslogd-drop-root.diff
- epatch "${FILESDIR}"/${PN}-1.4.2-caen-owl-klogd-drop-root.diff
-
- append-lfs-flags
-}
-
-src_compile() {
- tc-export CC
- emake || die
-}
-
-src_install() {
- dosbin syslogd klogd debian/syslog-facility debian/syslogd-listfiles || die "dosbin"
- doman *.[1-9] debian/syslogd-listfiles.8
- insinto /etc
- doins debian/syslog.conf || die
- exeinto /etc/cron.daily
- newexe debian/cron.daily syslog || die
- exeinto /etc/cron.weekly
- newexe debian/cron.weekly syslog || die
- dodoc ANNOUNCE CHANGES NEWS README.1st README.linux
- newinitd "${FILESDIR}"/sysklogd.rc6 sysklogd
- newconfd "${FILESDIR}"/sysklogd.confd sysklogd
-}