627912 – (CVE-2017-12588) <app-admin/rsyslog-8.26.0-r1: multiple format string vulnerabilities in zmq3 module

Bug 627912 (CVE-2017-12588) - <app-admin/rsyslog-8.26.0-r1: multiple format string vulnerabilities in zmq3 module

Summary: <app-admin/rsyslog-8.26.0-r1: multiple format string vulnerabilities in zmq3 ...

Status:	RESOLVED FIXED

Alias:	CVE-2017-12588

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:	660258
Blocks:
	Show dependency tree

Reported:	2017-08-15 08:58 UTC by Agostino Sarubbo
Modified:	2018-08-03 02:19 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2017-08-15 08:58:19 UTC

From ${URL} :

The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format 
string attack with unspecified impact. The vulnerabililties was found in omzmq3.c: In function ‘initZMQ’ and imzmq3.c: In function 
‘createSocket’.

Upstream bug:

https://github.com/rsyslog/rsyslog/pull/1565

Upstream patch:

https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b

Introducing code:

https://github.com/rsyslog/rsyslog/commit/cbff73d94c3a86ed74294fe1265dc5242f9317be

References:

https://bugzilla.novell.com/show_bug.cgi?id=1051798


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-08-15 11:03:24 UTC

Fixed since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56373a28a0dff4cb79263b1db8ca3a2930227a15

Original stable request was bug 618836.

Only arm needs to catch up (app-admin/rsyslog on arm is currently <8.26.0-r1).

Comment 2 Larry the Git Cow gentoo-dev

2018-08-03 01:19:51 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8831b442e3d08fdc39011c1906edfa071a9af219

commit 8831b442e3d08fdc39011c1906edfa071a9af219
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-08-03 00:44:02 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-08-03 01:19:36 +0000

    app-admin/rsyslog: drop old
    
    Bug: https://bugs.gentoo.org/627912
    Package-Manager: Portage-2.3.44, Repoman-2.3.10

 app-admin/rsyslog/Manifest                         |   8 -
 app-admin/rsyslog/files/8-stable/50-default.conf   |  95 -----
 .../rsyslog-8.27.0-fix-mmnormalize-tests.patch     |  23 -
 ...yslog-8.32.0-fix-building-without-curl-r3.patch | 137 ------
 .../8-stable/rsyslog-8.34.0-fix-issue2612.patch    |  13 -
 app-admin/rsyslog/files/8-stable/rsyslog.logrotate |  37 --
 app-admin/rsyslog/rsyslog-8.28.0-r1.ebuild         | 451 --------------------
 app-admin/rsyslog/rsyslog-8.32.0-r4.ebuild         | 459 --------------------
 app-admin/rsyslog/rsyslog-8.33.1-r1.ebuild         | 457 --------------------
 app-admin/rsyslog/rsyslog-8.34.0.ebuild            | 464 ---------------------
 10 files changed, 2144 deletions(-)

Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev

2018-08-03 02:19:12 UTC

downgrading to B3 since no PoC available and report does not specify proper attack's impact.

GLSA Vote: NO

tree is clean.

Thank you all,