Bug 627912 (CVE-2017-12588) - <app-admin/rsyslog-8.26.0-r1: multiple format string vulnerabilities in zmq3 module
Status: RESOLVED FIXED
Alias: CVE-2017-12588
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Depends on: 660258
Reported: 2017-08-15 08:58 UTC by Agostino Sarubbo
Modified: 2018-08-03 02:19 UTC
Description Agostino Sarubbo gentoo-dev 2017-08-15 08:58:19 UTC
From ${URL} :

The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact. The vulnerabilities were found in omzmq3.c: In function ‘initZMQ’ and imzmq3.c: In function ‘createSocket’.

Upstream bug:

https://github.com/rsyslog/rsyslog/pull/1565

Upstream patch:

https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b

Introducing code:

https://github.com/rsyslog/rsyslog/commit/cbff73d94c3a86ed74294fe1265dc5242f9317be

References:

https://bugzilla.novell.com/show_bug.cgi?id=1051798


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
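
The bug class named in the description above, shown as an added example in C; it is not rsyslog's code and not part of this bug report. `log_error`, `log_desc_unsafe`, `log_desc_safe` and `arg_directives` are hypothetical names, and the description string is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger, not rsyslog's API. Declared with
 * __attribute__((format(printf, 3, 4))), -Wformat-security flags misuse. */
static int log_error(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Bug class: the configured description is passed as the format string,
 * so every '%' in it is parsed as a conversion directive. */
static int log_desc_unsafe(char *out, size_t outlen, const char *desc)
{
    return log_error(out, outlen, desc);
}

/* Fix: constant format string, description passed as data. */
static int log_desc_safe(char *out, size_t outlen, const char *desc)
{
    return log_error(out, outlen, "%s", desc);
}

/* Approximate count of directives that would consume an argument if s were
 * a format ("%%" consumes none); non-zero means the unsafe call is UB. */
static int arg_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (*++s == '\0') break;   /* lone trailing '%' */
        if (*s != '%') n++;
    }
    return n;
}

int main(void)
{
    char a[64], b[64];
    const char *desc = "queue 100%% full";   /* constructed sample */
    log_desc_unsafe(a, sizeof a, desc);      /* "%%" collapses to "%" */
    log_desc_safe(b, sizeof b, desc);        /* logged verbatim */
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return 0;
}
```

The sample uses only `%%`, which is well defined as a format, so the difference between the two calls can be observed without triggering undefined behaviour.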
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-15 11:03:24 UTC
Fixed since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56373a28a0dff4cb79263b1db8ca3a2930227a15

Original stable request was bug 618836.

Only arm needs to catch up (app-admin/rsyslog on arm is currently <8.26.0-r1).
Comment 2 Larry the Git Cow gentoo-dev 2018-08-03 01:19:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8831b442e3d08fdc39011c1906edfa071a9af219

commit 8831b442e3d08fdc39011c1906edfa071a9af219
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-08-03 00:44:02 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-08-03 01:19:36 +0000

    app-admin/rsyslog: drop old
    
    Bug: https://bugs.gentoo.org/627912
    Package-Manager: Portage-2.3.44, Repoman-2.3.10

 app-admin/rsyslog/Manifest                         |   8 -
 app-admin/rsyslog/files/8-stable/50-default.conf   |  95 -----
 .../rsyslog-8.27.0-fix-mmnormalize-tests.patch     |  23 -
 ...yslog-8.32.0-fix-building-without-curl-r3.patch | 137 ------
 .../8-stable/rsyslog-8.34.0-fix-issue2612.patch    |  13 -
 app-admin/rsyslog/files/8-stable/rsyslog.logrotate |  37 --
 app-admin/rsyslog/rsyslog-8.28.0-r1.ebuild         | 451 --------------------
 app-admin/rsyslog/rsyslog-8.32.0-r4.ebuild         | 459 --------------------
 app-admin/rsyslog/rsyslog-8.33.1-r1.ebuild         | 457 --------------------
 app-admin/rsyslog/rsyslog-8.34.0.ebuild            | 464 ---------------------
 10 files changed, 2144 deletions(-)
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-08-03 02:19:12 UTC
Downgrading to B3 since no PoC is available and the report does not specify the attack's proper impact.

GLSA Vote: NO

Tree is clean.

Thank you all,