Bug 475882 - =app-admin/rsyslog-7.4.4 : Stable request for arm and hppa
Summary: =app-admin/rsyslog-7.4.4 : Stable request for arm and hppa
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Keywording and Stabilization
Hardware: All Linux
Importance: Normal normal
Assignee: Ultrabug
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard:
Keywords: STABLEREQ
Duplicates: 486294
Depends on: 491562
Blocks: unit-in-stable
Reported: 2013-07-05 19:02 UTC by Agostino Sarubbo
Modified: 2014-03-13 20:27 UTC
Description Agostino Sarubbo gentoo-dev 2013-07-05 19:02:46 UTC
From ${URL} :

A double free flaw was found in the way the ElasticSearch plugin of rsyslog handled JSON response
from ElasticSearch. If the "errorfile" parameter is explicitly set for local logging and an
attacker can manipulate the JSON response from ElasticSearch, the attacker could cause rsyslog to
crash or, possibly, execute arbitrary code with the privileges of rsyslog.

References:
[1] http://www.lsexperts.de/advisories/lse-2013-07-03.txt

Upstream bug report:
[2] http://bugzilla.adiscon.com/show_bug.cgi?id=461


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-07 01:52:34 UTC
C since it requires a specific plugin and parameter, 2 because it's arbitrary code execution (but rather complicated to actually cause the execution). Pasted the affected versions below, I'm pretty sure that none of the versions in tree are affected, but I'd appreciate it if someone could double-check (and close if we're unaffected)

Affected Version
================
rsyslog 7.4.0 stable <= 7.4.1 stable
rsyslog 7.3.2 devel  <= 7.5.1 devel
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-06 23:30:44 UTC
CVE-2013-4758 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4758):
  Double free vulnerability in the writeDataError function in the
  ElasticSearch plugin (omelasticsearch) in rsyslog before 7.4.2 and before
  7.5.2 devel, when errorfile is set to local logging, allows remote attackers
  to cause a denial of service (crash) and possibly execute arbitrary code via
  a crafted JSON response.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2013-10-08 04:05:43 UTC
Upstream Bug Fix 
http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=80f88242982c9c6ad6ce8628fc5b94ea74051cf4

We have 7.4.4 in tree, does that contain the fix?
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2013-11-05 11:17:48 UTC
(In reply to Yury German from comment #3)
> Upstream Bug Fix 
> http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;
> h=80f88242982c9c6ad6ce8628fc5b94ea74051cf4
> 
> We have 7.4.4 in tree, does that contain the fix?

Yup, 7.4.4 is *not* affected, it contains the fix:

# equery which =app-admin/rsyslog-7.4.4
/usr/portage/app-admin/rsyslog/rsyslog-7.4.4.ebuild
# ebuild /usr/portage/app-admin/rsyslog/rsyslog-7.4.4.ebuild unpack
# cd /var/tmp/portage/app-admin/rsyslog-7.4.4/work
# grep -Fr -A 5 'DBGPRINTF("omelasticsearch: error %d writing error file, write returns %lld\n",' .
./rsyslog-7.4.4/plugins/omelasticsearch/omelasticsearch.c:              DBGPRINTF("omelasticsearch: error %d writing error file, write returns %lld\n",
./rsyslog-7.4.4/plugins/omelasticsearch/omelasticsearch.c-                        errno, (long long) wrRet);
./rsyslog-7.4.4/plugins/omelasticsearch/omelasticsearch.c-      }
./rsyslog-7.4.4/plugins/omelasticsearch/omelasticsearch.c-      cJSON_Delete(errRoot);
./rsyslog-7.4.4/plugins/omelasticsearch/omelasticsearch.c-      *pReplyRoot = NULL; /* tell caller not to delete once again! */
./rsyslog-7.4.4/plugins/omelasticsearch/omelasticsearch.c-
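
The ownership hand-off that the grep output in comment 4 confirms, as an added C example that is not rsyslog's code and not part of the original thread. `reply_t`, `reply_delete`, `process_reply` and both `write_error_*` functions are hypothetical stand-ins, and the flawed variant is an assumed reconstruction of the pre-fix behaviour inferred from the "tell caller not to delete once again" comment.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for the parsed JSON reply (not cJSON). It counts
 * release calls instead of calling free(), so the flawed path can be
 * observed safely: a real second free() would be undefined behaviour. */
typedef struct reply { int releases; } reply_t;

static void reply_delete(reply_t *r) {
    if (r != NULL)          /* like free(), releasing NULL is a no-op */
        r->releases++;
}

/* Assumed pre-fix error path: releases the reply while writing the
 * error file but leaves the caller's pointer dangling. */
static void write_error_flawed(reply_t **pReplyRoot) {
    reply_delete(*pReplyRoot);
}

/* Error path matching the 7.4.4 lines shown above: release, then
 * clear the caller's pointer so its cleanup becomes a no-op. */
static void write_error_fixed(reply_t **pReplyRoot) {
    reply_delete(*pReplyRoot);
    *pReplyRoot = NULL;     /* tell caller not to delete once again */
}

typedef void (*error_path_fn)(reply_t **);

/* Hypothetical caller: runs the error path when the reply reports a
 * failure, then always cleans up. Returns how often the reply was
 * released; anything above 1 is a double free in real code. */
static int process_reply(error_path_fn on_error, int reply_has_error) {
    reply_t storage = {0};
    reply_t *root = &storage;
    if (reply_has_error)
        on_error(&root);
    reply_delete(root);     /* unconditional cleanup in the caller */
    return storage.releases;
}

int main(void) {
    printf("flawed, error reply: %d releases\n", process_reply(write_error_flawed, 1));
    printf("fixed,  error reply: %d releases\n", process_reply(write_error_fixed, 1));
    printf("fixed,  clean reply: %d releases\n", process_reply(write_error_fixed, 0));
    return 0;
}
```

Only the error path triggers the second release, which matches the advisory's condition that "errorfile" must be set and the reply must be attacker-influenced.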
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2013-11-05 12:18:17 UTC
Arches, please test and mark stable:
=app-admin/rsyslog-7.4.4
Target keywords : "amd64 arm hppa x86"
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-07 16:35:04 UTC
@dev-zero: Which >=dev-libs/librelp-1.0.3 would you like to see stable?
Comment 7 Ultrabug gentoo-dev 2013-11-08 13:44:33 UTC
(In reply to Jeroen Roovers from comment #6)
> @dev-zero: Which >=dev-libs/librelp-1.0.3 would you like to see stable?

I'd go for librelp-1.2.0, it's in tree since August and released since July upstream, looks good to me.
Comment 8 Agostino Sarubbo gentoo-dev 2013-11-09 09:33:58 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-11-09 09:35:01 UTC
x86 stable
Comment 10 Pacho Ramos gentoo-dev 2013-11-09 15:50:30 UTC
*** Bug 486294 has been marked as a duplicate of this bug. ***
Comment 11 Agostino Sarubbo gentoo-dev 2013-11-10 07:47:00 UTC
This stable request can't be completed because of the following repoman's error(s):

  dependency.bad                2
   app-admin/rsyslog/rsyslog-7.4.4.ebuild: DEPEND: arm(default/linux/arm/13.0) ['dev-libs/libee', '>=dev-libs/libestr-0.1.5', 'dev-libs/liblognorm', 
'>=dev-libs/librelp-1.0.3']


In case you are the maintainer of the needed package(s), please authorize the stabilization and edit the summary of this bug.
In case you are not the maintainer of the needed package(s), please open the necessary bug(s) and make a block for this bug.

To find the full list, feel free to follow this article: http://blogs.gentoo.org/ago/2012/07/06/repoman-check-before-file-stable-request
Comment 12 Andrey Volkov 2013-11-11 19:46:30 UTC
ElasticSearch plugin is disabled by default and was not ever explicitly enabled by ebuilds.

ElasticSearch was compiled as module for rsyslog-7.2.2.ebuild and rsyslog-7.2.2-r1.ebuild due to upstream bug at configure.ac fixed in rsyslog-7.2.5. See bug #485414 for details.

These ebuilds are also unaffected:
rsyslog-7.2.7.ebuild
rsyslog-7.4.3.ebuild

No plugin (omelasticsearch.so) installed - no vulnerability
Comment 13 Agostino Sarubbo gentoo-dev 2013-11-17 13:16:33 UTC
(In reply to Andrey Volkov from comment #12)
> ElasticSearch plugin is disabled by default and was not ever explicitly
> enabled by ebuilds.
> 
> ElasticSearch was compiled as module for rsyslog-7.2.2.ebuild and
> rsyslog-7.2.2-r1.ebuild due to upstream bug at configure.ac fixed in
> rsyslog-7.2.5. See bug #485414 for details.
> 
> These ebuilds are also unaffected:
> rsyslog-7.2.7.ebuild
> rsyslog-7.4.3.ebuild
> 
> No plugin (omelasticsearch.so) installed - no vulnerability

You are right. Gentoo is not vulnerable to this issue; in all cases we have:

omelasticsearch module will be compiled:  no

Since all arches have stabilized it, I guess arm and hppa could do the same.
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-19 15:14:59 UTC
Stable for HPPA.
Comment 15 Markus Meier gentoo-dev 2014-03-13 20:27:28 UTC
arm passes, closing.