[Buildroot] [PATCHv2] rsyslog: security bump to version 7.6.6

All of lore.kernel.org
 help / color / mirror / Atom feed

* [Buildroot] [PATCHv2] rsyslog: security bump to version 7.6.6
@ 2014-10-01 13:23 Gustavo Zacarias
  2014-10-01 13:42 ` Vicente Olivert Riera
  2014-10-01 13:57 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Gustavo Zacarias @ 2014-10-01 13:23 UTC (permalink / raw)
  To: buildroot

Fixes CVE-2014-3634 - potential abort when a message with PRI > 191 was
processed if the "pri-text" property was used in active templates, this
could be abused to a remote denial of service from permitted senders.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 package/rsyslog/rsyslog-0001-revert-strdup.patch | 27 ++++++++++++++++++++++++
 package/rsyslog/rsyslog.hash                     |  4 ++--
 package/rsyslog/rsyslog.mk                       |  5 +++--
 3 files changed, 32 insertions(+), 4 deletions(-)
 create mode 100644 package/rsyslog/rsyslog-0001-revert-strdup.patch

diff --git a/package/rsyslog/rsyslog-0001-revert-strdup.patch b/package/rsyslog/rsyslog-0001-revert-strdup.patch
new file mode 100644
index 0000000..5e82018
--- /dev/null
+++ b/package/rsyslog/rsyslog-0001-revert-strdup.patch
@@ -0,0 +1,27 @@
+Revert upstream 0403361ac57082dc47840d1f31832f1a0e319078
+It breaks the build when it's defined.
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+
+diff -Nura rsyslog-7.6.6.orig/grammar/lexer.c rsyslog-7.6.6/grammar/lexer.c
+--- rsyslog-7.6.6.orig/grammar/lexer.c	2014-10-01 10:12:34.960082719 -0300
++++ rsyslog-7.6.6/grammar/lexer.c	2014-10-01 10:13:24.512769964 -0300
+@@ -1459,7 +1459,6 @@
+ #line 32 "lexer.l"
+ #include "config.h"
+ #include "parserif.h"
+-extern char *strdup(char*); /* somehow we do not get this from string.h... */
+ /*%option noyywrap nodefault case-insensitive */
+ /* avoid compiler warning: `yyunput' defined but not used */
+ #define YY_NO_INPUT 1
+diff -Nura rsyslog-7.6.6.orig/grammar/lexer.l rsyslog-7.6.6/grammar/lexer.l
+--- rsyslog-7.6.6.orig/grammar/lexer.l	2014-10-01 10:12:34.960082719 -0300
++++ rsyslog-7.6.6/grammar/lexer.l	2014-10-01 10:13:41.935363172 -0300
+@@ -31,7 +31,6 @@
+ %{
+ #include "config.h"
+ #include "parserif.h"
+-extern char *strdup(char*); /* somehow we do not get this from string.h... */
+ %}
+ 
+ %option noyywrap nodefault case-insensitive yylineno
diff --git a/package/rsyslog/rsyslog.hash b/package/rsyslog/rsyslog.hash
index b47932a..afc75cc 100644
--- a/package/rsyslog/rsyslog.hash
+++ b/package/rsyslog/rsyslog.hash
@@ -1,2 +1,2 @@
-# From http://www.rsyslog.com/downloads/download-other/
-sha256	45bca1c1ffca6b8260363617897c09baeaf350e8b92c51361d2770375cdf4b34	rsyslog-7.6.5.tar.gz
+# From http://www.rsyslog.com/downloads/download-v7-stable/
+sha256	c77ae0db6204c5bd670fa96c354ee5fe1c62c876bd84ec06ed429138c78885bb	rsyslog-7.6.6.tar.gz
diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
index 2ba4a9a..17fd13b 100644
--- a/package/rsyslog/rsyslog.mk
+++ b/package/rsyslog/rsyslog.mk
@@ -4,14 +4,15 @@
 #
 ################################################################################
 
-RSYSLOG_VERSION = 7.6.5
+RSYSLOG_VERSION = 7.6.6
 RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
 RSYSLOG_LICENSE = GPLv3 LGPLv3 Apache-2.0
 RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
 RSYSLOG_DEPENDENCIES = zlib libestr liblogging json-c host-pkgconf
 
 RSYSLOG_CONF_OPT = --disable-testbench \
-		   --enable-cached-man-pages
+		   --enable-cached-man-pages \
+		   --disable-generate-man-pages
 
 # Build after BusyBox
 ifeq ($(BR2_PACKAGE_BUSYBOX),y)
-- 
2.0.4

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [Buildroot] [PATCHv2] rsyslog: security bump to version 7.6.6
  2014-10-01 13:23 [Buildroot] [PATCHv2] rsyslog: security bump to version 7.6.6 Gustavo Zacarias
@ 2014-10-01 13:42 ` Vicente Olivert Riera
  2014-10-01 13:57 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Vicente Olivert Riera @ 2014-10-01 13:42 UTC (permalink / raw)
  To: buildroot

Dear Gustavo Zacarias,

On 10/01/2014 02:23 PM, Gustavo Zacarias wrote:
> Fixes CVE-2014-3634 - potential abort when a message with PRI > 191 was
> processed if the "pri-text" property was used in active templates, this
> could be abused to a remote denial of service from permitted senders.
>
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> ---
>   package/rsyslog/rsyslog-0001-revert-strdup.patch | 27 ++++++++++++++++++++++++
>   package/rsyslog/rsyslog.hash                     |  4 ++--
>   package/rsyslog/rsyslog.mk                       |  5 +++--
>   3 files changed, 32 insertions(+), 4 deletions(-)
>   create mode 100644 package/rsyslog/rsyslog-0001-revert-strdup.patch
>
> diff --git a/package/rsyslog/rsyslog-0001-revert-strdup.patch b/package/rsyslog/rsyslog-0001-revert-strdup.patch
> new file mode 100644
> index 0000000..5e82018
> --- /dev/null
> +++ b/package/rsyslog/rsyslog-0001-revert-strdup.patch
> @@ -0,0 +1,27 @@
> +Revert upstream 0403361ac57082dc47840d1f31832f1a0e319078
> +It breaks the build when it's defined.
> +
> +Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> +
> +diff -Nura rsyslog-7.6.6.orig/grammar/lexer.c rsyslog-7.6.6/grammar/lexer.c
> +--- rsyslog-7.6.6.orig/grammar/lexer.c	2014-10-01 10:12:34.960082719 -0300
> ++++ rsyslog-7.6.6/grammar/lexer.c	2014-10-01 10:13:24.512769964 -0300
> +@@ -1459,7 +1459,6 @@
> + #line 32 "lexer.l"
> + #include "config.h"
> + #include "parserif.h"
> +-extern char *strdup(char*); /* somehow we do not get this from string.h... */
> + /*%option noyywrap nodefault case-insensitive */
> + /* avoid compiler warning: `yyunput' defined but not used */
> + #define YY_NO_INPUT 1
> +diff -Nura rsyslog-7.6.6.orig/grammar/lexer.l rsyslog-7.6.6/grammar/lexer.l
> +--- rsyslog-7.6.6.orig/grammar/lexer.l	2014-10-01 10:12:34.960082719 -0300
> ++++ rsyslog-7.6.6/grammar/lexer.l	2014-10-01 10:13:41.935363172 -0300
> +@@ -31,7 +31,6 @@
> + %{
> + #include "config.h"
> + #include "parserif.h"
> +-extern char *strdup(char*); /* somehow we do not get this from string.h... */
> + %}
> +
> + %option noyywrap nodefault case-insensitive yylineno
> diff --git a/package/rsyslog/rsyslog.hash b/package/rsyslog/rsyslog.hash
> index b47932a..afc75cc 100644
> --- a/package/rsyslog/rsyslog.hash
> +++ b/package/rsyslog/rsyslog.hash
> @@ -1,2 +1,2 @@
> -# From http://www.rsyslog.com/downloads/download-other/
> -sha256	45bca1c1ffca6b8260363617897c09baeaf350e8b92c51361d2770375cdf4b34	rsyslog-7.6.5.tar.gz
> +# From http://www.rsyslog.com/downloads/download-v7-stable/
> +sha256	c77ae0db6204c5bd670fa96c354ee5fe1c62c876bd84ec06ed429138c78885bb	rsyslog-7.6.6.tar.gz
> diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
> index 2ba4a9a..17fd13b 100644
> --- a/package/rsyslog/rsyslog.mk
> +++ b/package/rsyslog/rsyslog.mk
> @@ -4,14 +4,15 @@
>   #
>   ################################################################################
>
> -RSYSLOG_VERSION = 7.6.5
> +RSYSLOG_VERSION = 7.6.6
>   RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
>   RSYSLOG_LICENSE = GPLv3 LGPLv3 Apache-2.0
>   RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
>   RSYSLOG_DEPENDENCIES = zlib libestr liblogging json-c host-pkgconf
>
>   RSYSLOG_CONF_OPT = --disable-testbench \
> -		   --enable-cached-man-pages
> +		   --enable-cached-man-pages \
> +		   --disable-generate-man-pages
>
>   # Build after BusyBox
>   ifeq ($(BR2_PACKAGE_BUSYBOX),y)
>

Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>

-- 
Vincent

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Buildroot] [PATCHv2] rsyslog: security bump to version 7.6.6
  2014-10-01 13:23 [Buildroot] [PATCHv2] rsyslog: security bump to version 7.6.6 Gustavo Zacarias
  2014-10-01 13:42 ` Vicente Olivert Riera
@ 2014-10-01 13:57 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2014-10-01 13:57 UTC (permalink / raw)
  To: buildroot

>>>>> "Gustavo" == Gustavo Zacarias <gustavo@zacarias.com.ar> writes:

 > Fixes CVE-2014-3634 - potential abort when a message with PRI > 191 was
 > processed if the "pri-text" property was used in active templates, this
 > could be abused to a remote denial of service from permitted senders.

 > Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

Committed, thanks.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2014-10-01 13:57 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-10-01 13:23 [Buildroot] [PATCHv2] rsyslog: security bump to version 7.6.6 Gustavo Zacarias
2014-10-01 13:42 ` Vicente Olivert Riera
2014-10-01 13:57 ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.