Mailing List Archive

On a (recently fixed?) CVE-2022-24903
Hello,

could someone please explain what (potential) buffer overrun is actually fixed by an upstream commit
f211042ecbb472f9d8beb4678a65d272b6f07705? AFAICS both 'isValidHexNum()' and 'syntax_ipv6()' just parse
the buffers passed in but don't seem to _fill_ anything...

Thanks,
Dmitry
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: On a (recently fixed?) CVE-2022-24903
Full info:
https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8

You seem to mix up two different things.

HTH
Rainer

Sent from phone, thus brief.

Dmitry Antipov via rsyslog <rsyslog@lists.adiscon.com> wrote on Fri, 13
May 2022, 15:05:

> Hello,
>
> could someone please explain what (potential) buffer overrun is actually
> fixed by an upstream commit
> f211042ecbb472f9d8beb4678a65d272b6f07705? AFAICS both 'isValidHexNum()'
> and 'syntax_ipv6()' just parse
> the buffers passed in but don't seem to _fill_ anything...
>
> Thanks,
> Dmitry
>
Re: On a (recently fixed?) CVE-2022-24903
On 5/13/22 20:54, Rainer Gerhards wrote:

> Full info: https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8

I've read this carefully. This document explicitly states:

"While there is a check for the maximum number of octets, digits are written to a heap buffer
even when the octet count is over the maximum. This can be used to overrun the memory buffer".

So the question is: if an upstream commit f211042ecbb472f9d8beb4678a65d272b6f07705 really
fixes this issue, which particular buffer is the sentence above about? As shown by
'git show f211042ecbb472f9d8beb4678a65d272b6f07705 --diff-merges=on', this is a merge
commit of two (excluding tests and docs) unrelated pieces - the 'prctl()' quirk to set the thread
name and adjustments to 'isValidHexNum()' and 'syntax_ipv6()'. Neither of the latter
writes to any buffer.

Am I missing something?

Thanks,
Dmitry
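The bug class the advisory sentence describes, as a constructed C model added here (this is not rsyslog's code and does not reproduce its parser): each octet is stored into a fixed-size heap buffer and the octet limit is checked only after the store, shown beside the corrected ordering that rejects the input before touching the buffer. MAX_OCTETS and the function names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_OCTETS 4   /* constructed limit for the model, not rsyslog's value */

/* Read one decimal octet (0-255, at most 3 digits) from *sp and advance it. */
static int read_octet(const char **sp, unsigned char *out)
{
    const char *s = *sp;
    long v = 0;
    int ndig = 0;
    while (isdigit((unsigned char)*s)) {
        v = v * 10 + (*s++ - '0');
        if (++ndig > 3) return -1;
    }
    if (ndig == 0 || v > 255) return -1;
    *sp = s;
    *out = (unsigned char)v;
    return 0;
}

/* Late check (the vulnerable ordering): buf is MAX_OCTETS bytes, but the
 * octet is stored at buf[n] BEFORE n is compared against the limit, so a
 * fifth octet lands one byte past the end of the heap allocation. */
static int parse_octets_checked_late(const char *s, unsigned char *buf)
{
    int n = 0;
    while (*s) {
        if (read_octet(&s, &buf[n]) != 0) return -1; /* store happens here */
        if (++n > MAX_OCTETS) return -1;             /* check comes too late */
        if (*s == '\0') break;
        if (*s++ != '.') return -1;
    }
    return n;
}

/* Early check (the hardened ordering): the buffer size is passed in and
 * compared against n before any byte is written, so overlong input is
 * rejected with the buffer untouched beyond its bounds. */
static int parse_octets_checked_first(const char *s, unsigned char *buf, size_t bufsz)
{
    size_t n = 0;
    while (*s) {
        if (n >= bufsz) return -1;                   /* reject before writing */
        if (read_octet(&s, &buf[n]) != 0) return -1;
        n++;
        if (*s == '\0') break;
        if (*s++ != '.') return -1;
    }
    return (int)n;
}
```

The late-check variant is only ever safe on input with at most MAX_OCTETS octets; the early-check variant is safe on any input because the bound is enforced by the caller-supplied size.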
Re: On a (recently fixed?) CVE-2022-24903
Ah!

It looks like GitHub has dropped the actual fix from the advisory because
it was merged to a different branch during the embargo period and later
merged into the master branch.

https://github.com/rsyslog/rsyslog/commit/89955b0bcb1ff105e1374aad7e0e993faa6a038f

I'll explicitly add it to the advisory tomorrow.

Rainer

Sent from phone, thus brief.

Dmitry Antipov <dantipov@cloudlinux.com> wrote on Fri, 13 May 2022,
20:21:

> On 5/13/22 20:54, Rainer Gerhards wrote:
>
> > Full info:
> https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8
>
> I've read this carefully. This document explicitly states:
>
> "While there is a check for the maximum number of octets, digits are
> written to a heap buffer
> even when the octet count is over the maximum. This can be used to overrun
> the memory buffer".
>
> So the question is: if an upstream commit
> f211042ecbb472f9d8beb4678a65d272b6f07705 really
> fixes this issue, which particular buffer is the sentence above about? As
> shown by
> 'git show f211042ecbb472f9d8beb4678a65d272b6f07705 --diff-merges=on', this
> is a merge
> commit of two (excluding tests and docs) unrelated pieces - the 'prctl()'
> quirk to set the thread
> name and adjustments to 'isValidHexNum()' and 'syntax_ipv6()'. Neither of
> the latter
> writes to any buffer.
>
> Am I missing something?
>
> Thanks,
> Dmitry
>