Bug 842846 (CVE-2022-24903) - <app-admin/rsyslog-8.2206.0: Potential heap buffer overflow in TCP syslog server (receiver) components
Summary: <app-admin/rsyslog-8.2206.0: Potential heap buffer overflow in TCP syslog ser...
Status: IN_PROGRESS
Alias: CVE-2022-24903
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-06 00:11 UTC by Sam James
Modified: 2022-06-19 01:57 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-06 00:11:04 UTC
Advisory: https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243

"Modules for TCP syslog reception have a heap buffer overflow when octet-counted framing is used. The attacker can corrupt heap values, leading to data integrity issues and availability impact. Remote code execution is unlikely to happen but not impossible."
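The advisory quoted above names the bug class (a heap overflow in the octet-counted TCP framing path) without showing what a safe parser for that framing looks like. The following C snippet is an added illustration, not rsyslog's code and not a reproduction of the actual defect: it parses RFC 6587 octet-counted frames ("LEN SP MSG") and validates the length prefix against a receiver limit before the count is used for any copy or allocation. MAX_MSG_LEN, parse_octet_frame and count_frames are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical receiver limit; a real server would make this configurable. */
#define MAX_MSG_LEN 8192

enum frame_status { FRAME_OK, FRAME_NEED_MORE, FRAME_INVALID };

/* Parse one octet-counted frame ("LEN SP MSG", RFC 6587 section 3.4.1) from
 * buf[0..buflen). On FRAME_OK, *msg/*msglen point into buf and *consumed is
 * the total number of bytes the frame occupies. The sender-supplied count is
 * never trusted: it is capped while being parsed and checked against the
 * bytes actually present before the caller is allowed to touch the body. */
enum frame_status parse_octet_frame(const unsigned char *buf, size_t buflen,
                                    const unsigned char **msg, size_t *msglen,
                                    size_t *consumed)
{
    size_t i = 0;
    size_t len = 0;

    if (buflen == 0) return FRAME_NEED_MORE;
    /* The count must start with a non-zero digit. */
    if (buf[0] < '1' || buf[0] > '9') return FRAME_INVALID;

    /* Accumulate digits; refuse a count that would exceed MAX_MSG_LEN
     * before it can grow large (this also rules out integer overflow). */
    while (i < buflen && buf[i] >= '0' && buf[i] <= '9') {
        size_t d = (size_t)(buf[i] - '0');
        if (len > (MAX_MSG_LEN - d) / 10) return FRAME_INVALID;
        len = len * 10 + d;
        i++;
    }
    if (i == buflen) return FRAME_NEED_MORE;   /* count not terminated yet */
    if (buf[i] != ' ') return FRAME_INVALID;   /* count must be followed by SP */
    i++;

    /* Only hand out the body once every byte the count promises has arrived. */
    if (buflen - i < len) return FRAME_NEED_MORE;

    *msg = buf + i;
    *msglen = len;
    *consumed = i + len;
    return FRAME_OK;
}

/* Walk a receive buffer holding zero or more complete frames. Returns the
 * number of complete frames found, or -1 if the stream is malformed. */
int count_frames(const unsigned char *buf, size_t buflen)
{
    size_t off = 0;
    int n = 0;
    while (off < buflen) {
        const unsigned char *msg;
        size_t msglen, consumed;
        enum frame_status st = parse_octet_frame(buf + off, buflen - off,
                                                 &msg, &msglen, &consumed);
        if (st == FRAME_INVALID) return -1;
        if (st == FRAME_NEED_MORE) break;  /* wait for more bytes */
        off += consumed;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample stream: two well-formed frames back to back. */
    const unsigned char stream[] = "5 hello5 world";
    /* Constructed oversize count: must be rejected before any copy. */
    const unsigned char oversize[] = "99999 x";

    printf("frames in sample stream: %d\n", count_frames(stream, sizeof stream - 1));
    printf("oversize count accepted: %s\n",
           count_frames(oversize, sizeof oversize - 1) == -1 ? "no" : "yes");
    return 0;
}
```

The design point is that the body pointer is only returned after both checks pass (count within the receiver limit, and that many bytes actually buffered), so a later memcpy into a fixed-size heap buffer can never be driven past its end by a hostile length prefix; truncated input is reported as FRAME_NEED_MORE rather than being guessed at.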
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-06 00:11:19 UTC
Please bump to 8.2204.1.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-06-18 23:44:20 UTC
(In reply to Sam James from comment #1)
> Please bump to 8.2204.1.

Ping.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-06-18 23:44:57 UTC
(In reply to Sam James from comment #2)
> (In reply to Sam James from comment #1)
> > Please bump to 8.2204.1.
> 
> Ping.

Oh, I guess we could stable 8.2206.0, but that's a big jump.
Comment 4 Maciej Barć gentoo-dev 2022-06-18 23:46:40 UTC
(In reply to Sam James from comment #3)
> (In reply to Sam James from comment #2)
> > (In reply to Sam James from comment #1)
> > > Please bump to 8.2204.1.
> > 
> > Ping.
> 
> Oh, I guess we could stable 8.2206.0, but that's a big jump.

Yup, it was just added.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-06-19 01:57:19 UTC
(In reply to Maciej Barć from comment #4)
> (In reply to Sam James from comment #3)
> > (In reply to Sam James from comment #2)
> > > (In reply to Sam James from comment #1)
> > > > Please bump to 8.2204.1.
> > > 
> > > Ping.
> > 
> > Oh, I guess we could stable 8.2206.0, but that's a big jump.
> 
> Yup, it was just added.

Sorry, what I mean is: do you really want to stable that version? You can if you want, but I'd suggest adding 8.2204.1 and doing that instead. But I don't know much about upstream. If not much changed, then go wild.

Just better to do more conservative versions for fast/security stabilisation.