--- old/app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff 1970-01-01 01:00:00.000000000 +0100 +++ old/app-admin/sysklogd/files/sysklogd-1.5_CVE-2014-3634.diff 2014-10-03 10:47:42.000000000 +0200 @@ -0,0 +1,91 @@ +From 43797330e75d7d4687b7ae6926a996c3c85c2679 Mon Sep 17 00:00:00 2001 +From: mancha +Date: Wed, 1 Oct 2014 +Subject: CVE-2014-3634 + +Rainer Gerhards, rsyslog project leader, discovered an issue in rsyslogd +where invalid priority values can trigger DoS and potentially RCE. + +As his analysis reveals, the cause of the problem identified in rsyslog's +rsyslogd also exists in sysklogd's syslogd (from which rsyslogd was forked) +and stems from the use of a (LOG_FACMASK|LOG_PRIMASK) mask to detect invalid +priority values. + +In sysklogd's syslogd, invalid priority values between 192 and 1023 (directly +or arrived at via overflow wraparound) can propagate through code causing +out-of-bounds access to the f_pmask array within the 'filed' structure by up +to 104 bytes past its end. Though most likely insufficient to reach +unallocated memory because there are around 544 bytes past f_pmask in 'filed' +(mod packing and other differences), incorrect access of fields at higher +positions of the 'filed' structure definition can cause unexpected behavior +including message mis-classification, forwarding issues, message loss, +or other. + +This patch imposes a restriction on PRI message parts and requires they +be properly-delimited priority value strings that have non-negative +numerical values not exceeding 191. As before, sysklogd's syslogd permits +zero padding to not break compatibility with RFC-non-compliant loggers that +issue PRIs such as <0091>. Messages without well-formed PRI parts get +logged with priority user.notice (13). (c.f. RFC 3164) + +Thanks to Rainer Gerhards for the initial report and analysis. + +[1] http://www.rsyslog.com/remote-syslog-pri-vulnerability/ +[2] http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/ + +--- + syslogd.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/syslogd.c ++++ b/syslogd.c +@@ -632,6 +632,8 @@ int funix[MAXFUNIX] = { -1, }; + #define TABLE_ALLPRI 0xFF /* Value to indicate all priorities in f_pmask */ + #define LOG_MARK LOG_MAKEPRI(LOG_NFACILITIES, 0) /* mark "facility" */ + ++#define MAX_PRI 191 /* Maximum Priority per RFC 3164 */ ++ + /* + * Flags to logmsg(). + */ +@@ -1491,23 +1493,34 @@ void printline(hname, msg) + register char *p, *q; + register unsigned char c; + char line[MAXLINE + 1]; +- int pri; ++ unsigned int pri; // Valid Priority values are 0-191 ++ int prilen=0; // Track Priority value string len ++ int msglen; + + /* test for special codes */ ++ msglen=strlen(msg); + pri = DEFUPRI; + p = msg; + + if (*p == '<') { + pri = 0; +- while (isdigit(*++p)) +- { +- pri = 10 * pri + (*p - '0'); ++ while (--msglen > 0 && isdigit((unsigned char)*++p) && ++ pri <= MAX_PRI) { ++ pri = 10 * pri + (*p - '0'); ++ prilen++; + } +- if (*p == '>') ++ if (*p == '>' && prilen) + ++p; ++ else { ++ pri = DEFUPRI; ++ p = msg; ++ } + } +- if (pri &~ (LOG_FACMASK|LOG_PRIMASK)) ++ ++ if ((pri &~ (LOG_FACMASK|LOG_PRIMASK)) || (pri > MAX_PRI)) { + pri = DEFUPRI; ++ p = msg; ++ } + + memset (line, 0, sizeof(line)); + q = line; --- old/app-admin/sysklogd/sysklogd-1.5-r4.ebuild 1970-01-01 01:00:00.000000000 +0100 +++ old/app-admin/sysklogd/sysklogd-1.5-r4.ebuild 2014-10-04 00:42:40.000000000 +0200 @@ -0,0 +1,65 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: $ + +EAPI="5" + +inherit eutils flag-o-matic toolchain-funcs + +DEB_VER="6" +DESCRIPTION="Standard log daemons" +HOMEPAGE="http://www.infodrom.org/projects/sysklogd/" +SRC_URI="http://www.infodrom.org/projects/sysklogd/download/${P}.tar.gz + mirror://debian/pool/main/s/sysklogd/${PN}_${PV}-${DEB_VER}.diff.gz" + +LICENSE="BSD" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +IUSE="logrotate" +RESTRICT="test" + +DEPEND="" +RDEPEND="dev-lang/perl + sys-apps/debianutils" + +src_prepare() { + pushd "${WORKDIR}" >/dev/null + epatch "${WORKDIR}"/${PN}_${PV}-${DEB_VER}.diff + popd >/dev/null + + epatch "${FILESDIR}"/${P}-debian-cron.patch + epatch "${FILESDIR}"/${P}-build.patch + + # CAEN/OWL security patches + epatch "${FILESDIR}"/${PN}-1.4.2-caen-owl-syslogd-bind.diff + epatch "${FILESDIR}"/${PN}-1.4.2-caen-owl-syslogd-drop-root.diff + epatch "${FILESDIR}"/${PN}-1.4.2-caen-owl-klogd-drop-root.diff + + epatch "${FILESDIR}"/${P}-syslog-func-collision.patch #342601 + + epatch "${FILESDIR}"/${P}_CVE-2014-3634.diff +} + +src_configure() { + append-lfs-flags + tc-export CC +} + +src_install() { + dosbin syslogd klogd debian/syslog-facility debian/syslogd-listfiles + doman *.[1-9] debian/syslogd-listfiles.8 + insinto /etc + doins debian/syslog.conf + if use logrotate ; then + insinto /etc/logrotate.d + newins "${FILESDIR}"/sysklogd.logrotate sysklogd + else + exeinto /etc/cron.daily + newexe debian/cron.daily syslog + exeinto /etc/cron.weekly + newexe debian/cron.weekly syslog + fi + dodoc ANNOUNCE CHANGES NEWS README.1st README.linux + newinitd "${FILESDIR}"/sysklogd.rc7 sysklogd + newconfd "${FILESDIR}"/sysklogd.confd sysklogd +}