Bug 23439

Summary: rsyslog new security issue rhbz#1582624
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, geiger.david68210, marja11, mhrambo3501, smelror, sysadmin-bugs, warrendiogenese
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: rsyslog-8.34.0-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-08-13 23:25:00 CEST 
Fedora has issued an advisory on August 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OUMCAI6AR6Y7QYDY4WNTRCRVKY7PCM53/

The security bug is this one, which links to the upstream fix:
https://bugzilla.redhat.com/show_bug.cgi?id=1582624

It was fixed upstream in 8.35.0.

Mageia 5 and Mageia 6 are likely also affected.
David Walser 2018-08-13 23:25:11 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-16 12:20:46 CEST 
Assigning to all packagers collectively, since the registered maintainer for this package is likely still unavailable.

CC'ing the registered maintainer and two recent committers,

CC: (none) => geiger.david68210, marja11, smelror, warrendiogenese
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2018-09-21 18:32:54 CEST 
No longer applicable to cauldron as it has been updated to 8.38.0 and Mageia 5 is officially EOL.

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated rsyslogd package fixes security vulnerability:

A buffer overflow was found in the SanitizeMsg() function of rsyslogd (in runtime/parser.c) which may cause a denial of service or other consequences.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1582624
https://github.com/rsyslog/rsyslog/commit/20f8237870eb5e971fa068e4dd4d296f1dbef329
========================

Updated packages in core/updates_testing:
========================
rsyslog-8.16.0-1.1.mga6
rsyslog-crypto-8.16.0-1.1.mga6
rsyslog-dbi-8.16.0-1.1.mga6
rsyslog-debuginfo-8.16.0-1.1.mga6
rsyslog-elasticsearch-8.16.0-1.1.mga6
rsyslog-gnutls-8.16.0-1.1.mga6
rsyslog-gssapi-8.16.0-1.1.mga6
rsyslog-journald-8.16.0-1.1.mga6
rsyslog-mysql-8.16.0-1.1.mga6
rsyslog-pgsql-8.16.0-1.1.mga6
rsyslog-relp-8.16.0-1.1.mga6
rsyslog-snmp-8.16.0-1.1.mga6

from rsyslog-8.16.0-1.1.mga6.src.rpm


Test procedure https://bugs.mageia.org/show_bug.cgi?id=14206#c2

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Keywords: (none) => has_procedure
CC: (none) => mrambo

Comment 3 Dave Hodgins 2018-09-26 19:33:19 CEST 
Tested on Mageia 6 x86_64 ok. Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2018-09-27 09:25:35 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0392.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED