Bug 627912 (CVE-2017-12588) - <app-admin/rsyslog-8.26.0-r1: multiple format string vulnerabilities in zmq3 module
Summary: <app-admin/rsyslog-8.26.0-r1: multiple format string vulnerabilities in zmq3 ...
Alias: CVE-2017-12588
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: 660258
Reported: 2017-08-15 08:58 UTC by Agostino Sarubbo
Modified: 2018-08-03 02:19 UTC

Description Agostino Sarubbo gentoo-dev 2017-08-15 08:58:19 UTC
From ${URL} :

The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact. The vulnerabilities were found in omzmq3.c: In function ‘initZMQ’ and imzmq3.c: In function

Upstream bug:

Upstream patch:

Introducing code:


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev 2017-08-15 11:03:24 UTC
Fixed since

Original stable request was bug 618836.

Only arm needs to catch up (app-admin/rsyslog on arm is currently <8.26.0-r1).
Comment 2 Larry the Git Cow gentoo-dev 2018-08-03 01:19:51 UTC
The bug has been referenced in the following commit(s):

commit 8831b442e3d08fdc39011c1906edfa071a9af219
Author:     Thomas Deutschmann <>
AuthorDate: 2018-08-03 00:44:02 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2018-08-03 01:19:36 +0000

    app-admin/rsyslog: drop old
    Package-Manager: Portage-2.3.44, Repoman-2.3.10

 app-admin/rsyslog/Manifest                         |   8 -
 app-admin/rsyslog/files/8-stable/50-default.conf   |  95 -----
 .../rsyslog-8.27.0-fix-mmnormalize-tests.patch     |  23 -
 ...yslog-8.32.0-fix-building-without-curl-r3.patch | 137 ------
 .../8-stable/rsyslog-8.34.0-fix-issue2612.patch    |  13 -
 app-admin/rsyslog/files/8-stable/rsyslog.logrotate |  37 --
 app-admin/rsyslog/rsyslog-8.28.0-r1.ebuild         | 451 --------------------
 app-admin/rsyslog/rsyslog-8.32.0-r4.ebuild         | 459 --------------------
 app-admin/rsyslog/rsyslog-8.33.1-r1.ebuild         | 457 --------------------
 app-admin/rsyslog/rsyslog-8.34.0.ebuild            | 464 ---------------------
 10 files changed, 2144 deletions(-)
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-08-03 02:19:12 UTC
Downgrading to B3 since no PoC is available and the report does not specify the attack's proper impact.


tree is clean.

Thank you all,