From 6a62e0e0f4642841f3956fe2977f9d57766c2f2b Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Mon, 21 Oct 2019 08:11:42 -0400 Subject: meta-openembedded: subtree update:1bfaa2e63a..64224b92e5 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adrian Bunk (1): networkmanager: Upgrade 1.18.2 -> 1.18.4 Alistair Francis (5): mycroft: Bump to 19.8.1 mycroft: Run the files from /var python3-monotonic: Initial commit of version 1.5 python3-msk: Initial commit of version 0.3.13 python3-google-api-python-client: Initial commit of 1.7.11 Andreas Müller (3): exiv2: initial add 0.27.1 menulibre: upgrade 2.2.0 -> 2.2.1 libmbim: upgrade 1.18.0 -> 1.20.0 Callaghan, Dan (1): strongswan: add a PACKAGECONFIG for libbfd stack traces Changqing Li (1): kea: fix kea-dhcp4.service/kea-dhcp6.service start up failed Christophe PRIOUZEAU (14): xfce4-mpc-plugin: Clarify BSD license variant xfce4-diskperf-plugin: Clarify BSD license variant xfce4-wavelan-plugin: Clarify BSD license variant libmpdclient: Clarify BSD license variant tremor: Clarify BSD license variant xscreensaver: Clarify BSD license variant openjpeg: Clarify BSD license variant sdparm: Clarify BSD license variant onig: Clarify BSD license variant libssh2: Clarify BSD license variant libsmi: Clarify BSD license variant libinih: Clarify BSD license variant gperftools: Clarify BSD license variant daemonize: Clarify BSD license variant Fabio Berton (1): ifplugd: Add recipe for version 0.28 George Kiagiadakis (1): pipewire: Initial add of 0.2.7 Hongxu Jia (1): lvm2/libdevmapper: 2.03.02 -> 2.03.05 Khem Raj (4): wvstreams,wvdial: Mark incompatible for musl pidgin-sipe: Upgrade to 1.25.0 dconf: Upgrade to 0.34.0 libsmi: Fix and operator per SPDX Martin Siegumfeldt (3): Revert "libiio: fix build of python bindins" libiio: allow python3 bindings to be built libiio: bump to version 0.18+ Stefan Wiehler (1): nvme-cli: defer host ID generation to post installation Tekkub (1): nlohmann-fifo: Add recipe Trevor Gamblin (2): rsyslog: fix CVE-2019-17041 quagga: fix PIDFile path for service files Yi Zhao (2): freeradius: fix CVE-2019-10143 ipvsadm: install initscript to /etc/init.d Zang Ruochen (9): python-paste: upgrade 3.2.1 -> 3.2.2 python-pip: upgrade 19.2.3 -> 19.3 python-pyasn1-modules: upgrade 0.2.6 -> 0.2.7 python-pytest: upgrade 5.1.3 -> 5.2.1 python-pytz: upgrade 2019.2 -> 2019.3 python-xxhash: upgrade 1.4.1 -> 1.4.2 python-cffi: upgrade 1.12.3 -> 1.13.0 python-jsonschema: upgrade 3.0.2 -> 3.1.1 protobuf: upgrade 3.9.2 -> 3.10.0 Change-Id: I72806dd6bfe6427787917f687d058c6ced02a00c Signed-off-by: Brad Bishop --- ...rwardedfrom-bugfix-potential-misadressing.patch | 43 ++++++++++++++++++++++ .../recipes-extended/rsyslog/rsyslog_8.1908.0.bb | 1 + 2 files changed, 44 insertions(+) create mode 100644 meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog/0001-pmaixforwardedfrom-bugfix-potential-misadressing.patch (limited to 'meta-openembedded/meta-oe/recipes-extended') diff --git a/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog/0001-pmaixforwardedfrom-bugfix-potential-misadressing.patch b/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog/0001-pmaixforwardedfrom-bugfix-potential-misadressing.patch new file mode 100644 index 000000000..0b32766a5 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog/0001-pmaixforwardedfrom-bugfix-potential-misadressing.patch @@ -0,0 +1,43 @@ +From 10549ba915556c557b22b3dac7e4cb73ad22d3d8 Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Fri, 27 Sep 2019 13:36:02 +0200 +Subject: [PATCH] pmaixforwardedfrom bugfix: potential misadressing + +--- + contrib/pmaixforwardedfrom/pmaixforwardedfrom.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +Upstream-Status: Backport [https://github.com/rsyslog/rsyslog/pull/3884] +CVE: CVE-2019-17041 +Signed-off-by: Trevor Gamblin + +diff --git a/contrib/pmaixforwardedfrom/pmaixforwardedfrom.c b/contrib/pmaixforwardedfrom/pmaixforwardedfrom.c +index 37157c7d4..ebf12ebbe 100644 +--- a/contrib/pmaixforwardedfrom/pmaixforwardedfrom.c ++++ b/contrib/pmaixforwardedfrom/pmaixforwardedfrom.c +@@ -109,6 +109,10 @@ CODESTARTparse + /* bump the message portion up by skipLen(23 or 5) characters to overwrite the "Message forwarded from + " or "From " with the hostname */ + lenMsg -=skipLen; ++ if(lenMsg < 2) { ++ dbgprintf("not a AIX message forwarded from message has nothing after header\n"); ++ ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE); ++ } + memmove(p2parse, p2parse + skipLen, lenMsg); + *(p2parse + lenMsg) = '\n'; + *(p2parse + lenMsg + 1) = '\0'; +@@ -120,6 +124,11 @@ really an AIX log, but has a similar preamble */ + --lenMsg; + ++p2parse; + } ++ if (lenMsg < 1) { ++ dbgprintf("not a AIX message forwarded from message has nothing after colon " ++ "or no colon at all\n"); ++ ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE); ++ } + if (lenMsg && *p2parse != ':') { + DBGPRINTF("not a AIX message forwarded from mangled log but similar enough that the preamble has " + "been removed\n"); +-- +2.17.1 + diff --git a/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog_8.1908.0.bb b/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog_8.1908.0.bb index bd0dbc1a2..f9e44421d 100644 --- a/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog_8.1908.0.bb +++ b/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog_8.1908.0.bb @@ -24,6 +24,7 @@ SRC_URI = "http://www.rsyslog.com/download/files/download/rsyslog/${BPN}-${PV}.t file://use-pkgconfig-to-check-libgcrypt.patch \ file://run-ptest \ file://0001-Out-of-bounds-issue.patch \ + file://0001-pmaixforwardedfrom-bugfix-potential-misadressing.patch \ " SRC_URI_append_libc-musl = " \ -- cgit v1.2.3