Bug 23439 - rsyslog new security issue rhbz#1582624
Summary: rsyslog new security issue rhbz#1582624
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-13 23:25 CEST by David Walser
Modified: 2018-09-27 09:25 CEST

See Also:
Source RPM: rsyslog-8.34.0-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-08-13 23:25:00 CEST
Fedora has issued an advisory on August 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OUMCAI6AR6Y7QYDY4WNTRCRVKY7PCM53/

The security bug is this one, which links to the upstream fix:
https://bugzilla.redhat.com/show_bug.cgi?id=1582624

It was fixed upstream in 8.35.0.

Mageia 5 and Mageia 6 are likely also affected.
David Walser 2018-08-13 23:25:11 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-16 12:20:46 CEST
Assigning to all packagers collectively, since the registered maintainer for this package is likely still unavailable.

CC'ing the registered maintainer and two recent committers.

CC: (none) => geiger.david68210, marja11, smelror, warrendiogenese
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2018-09-21 18:32:54 CEST
No longer applicable to Cauldron, as it has been updated to 8.38.0, and Mageia 5 is officially EOL.

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated rsyslogd package fixes security vulnerability:

A buffer overflow was found in the SanitizeMsg() function of rsyslogd (in runtime/parser.c) which may cause a denial of service or other consequences.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1582624
https://github.com/rsyslog/rsyslog/commit/20f8237870eb5e971fa068e4dd4d296f1dbef329
========================

Updated packages in core/updates_testing:
========================
rsyslog-8.16.0-1.1.mga6
rsyslog-crypto-8.16.0-1.1.mga6
rsyslog-dbi-8.16.0-1.1.mga6
rsyslog-debuginfo-8.16.0-1.1.mga6
rsyslog-elasticsearch-8.16.0-1.1.mga6
rsyslog-gnutls-8.16.0-1.1.mga6
rsyslog-gssapi-8.16.0-1.1.mga6
rsyslog-journald-8.16.0-1.1.mga6
rsyslog-mysql-8.16.0-1.1.mga6
rsyslog-pgsql-8.16.0-1.1.mga6
rsyslog-relp-8.16.0-1.1.mga6
rsyslog-snmp-8.16.0-1.1.mga6

from rsyslog-8.16.0-1.1.mga6.src.rpm


Test procedure https://bugs.mageia.org/show_bug.cgi?id=14206#c2

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Keywords: (none) => has_procedure
CC: (none) => mrambo

Comment 3 Dave Hodgins 2018-09-26 19:33:19 CEST
Tested on Mageia 6 x86_64 ok. Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2018-09-27 09:25:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0392.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

