Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rsyslog for openSUSE:Factory checked in at 2022-05-10 15:09:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rsyslog (Old) and /work/SRC/openSUSE:Factory/.rsyslog.new.1538 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rsyslog" Tue May 10 15:09:52 2022 rev:168 rq:975639 version:8.2204.1 Changes: --------
--- /work/SRC/openSUSE:Factory/rsyslog/rsyslog.changes 2022-04-23 19:45:20.658938956 +0200
+++ /work/SRC/openSUSE:Factory/.rsyslog.new.1538/rsyslog.changes 2022-05-10 15:10:03.651428638 +0200
@@ -1,0 +2,7 @@
+Sun May 8 13:50:31 UTC 2022 - Andreas Stieger <andreas.stie...@gmx.de>
+
+- rsyslog 8.2204.1:
+ * CVE-2022-24903: potential buffer overrun in imptcp, imtcp,
+ imgssapi and others (boo#1199061)
+
+-------------------------------------------------------------------
Old: ---- rsyslog-8.2204.0.tar.gz New: ---- rsyslog-8.2204.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rsyslog.spec ++++++
--- /var/tmp/diff_new_pack.FDRn88/_old 2022-05-10 15:10:04.407429591 +0200
+++ /var/tmp/diff_new_pack.FDRn88/_new 2022-05-10 15:10:04.419429606 +0200
@@ -21,11 +21,14 @@
 %define _fillupdir /var/adm/fillup-templates
 %endif
+# drop this with next release when doc tarball version lines up
+%define rsyslog_major 8.2204
+%define rsyslog_patch 1
 Name: rsyslog
 Summary: The enhanced syslogd for Linux and Unix
 License: Apache-2.0 AND GPL-3.0-or-later
 Group: System/Daemons
-Version: 8.2204.0
+Version: %{rsyslog_major}.%{rsyslog_patch}
 Release: 0
 %bcond_with udpspoof
 %bcond_with dbi
@@ -206,7 +209,7 @@
 Source7: module-mysql
 Source8: module-snmp
 Source9: module-udpspoof
-Source14: https://www.rsyslog.com/files/download/rsyslog/rsyslog-doc-%{version}.tar.gz
+Source14: https://www.rsyslog.com/files/download/rsyslog/rsyslog-doc-%{rsyslog_major}.0.tar.gz
 Source16: journald-rsyslog.conf
 Source17: acpid.frule
 Source18: firewall.frule
++++++ rsyslog-8.2204.0.tar.gz -> rsyslog-8.2204.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rsyslog-8.2204.0/.tarball-version new/rsyslog-8.2204.1/.tarball-version
--- old/rsyslog-8.2204.0/.tarball-version 2022-04-18 11:15:25.000000000 +0200
+++ new/rsyslog-8.2204.1/.tarball-version 2022-05-03 13:31:20.000000000 +0200
@@ -1 +1 @@
-8.2204.0
+8.2204.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rsyslog-8.2204.0/ChangeLog new/rsyslog-8.2204.1/ChangeLog
--- old/rsyslog-8.2204.0/ChangeLog 2022-04-18 11:13:29.000000000 +0200
+++ new/rsyslog-8.2204.1/ChangeLog 2022-05-03 13:29:03.000000000 +0200
@@ -1,4 +1,9 @@
 ----------------------------------------------------------------------------------------
+Scheduled Release 8.2204.1 (aka 2022.04) 2021-05-05
+- security bugfix: potential buffer overrun in imptcp, imtcp, imgssapi and others
+ This addresses CVE-2022-24903
+ see also https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8
+----------------------------------------------------------------------------------------
 Scheduled Release 8.2204.0 (aka 2022.04) 2021-04-19
 - 2022-04-18: gnutls bugfix: possibility of infinite loop
 There was a rare possibility that the E_AGAIN/E_INTERRUPT handling
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rsyslog-8.2204.0/configure new/rsyslog-8.2204.1/configure
--- old/rsyslog-8.2204.0/configure 2022-04-18 11:14:21.000000000 +0200
+++ new/rsyslog-8.2204.1/configure 2022-05-03 13:29:36.000000000 +0200
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for rsyslog 8.2204.0. +# Generated by GNU Autoconf 2.69 for rsyslog 8.2204.1. # # Report bugs to <rsys...@lists.adiscon.com>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='rsyslog' PACKAGE_TARNAME='rsyslog' -PACKAGE_VERSION='8.2204.0' -PACKAGE_STRING='rsyslog 8.2204.0' +PACKAGE_VERSION='8.2204.1' +PACKAGE_STRING='rsyslog 8.2204.1' PACKAGE_BUGREPORT='rsys...@lists.adiscon.com' PACKAGE_URL='' @@ -1878,7 +1878,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures rsyslog 8.2204.0 to adapt to many kinds of systems. +\`configure' configures rsyslog 8.2204.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1949,7 +1949,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of rsyslog 8.2204.0:";; + short | recursive ) echo "Configuration of rsyslog 8.2204.1:";; esac cat <<\_ACEOF @@ -2320,7 +2320,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -rsyslog configure 8.2204.0 +rsyslog configure 8.2204.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2900,7 +2900,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by rsyslog $as_me 8.2204.0, which was +It was created by rsyslog $as_me 8.2204.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3770,7 +3770,7 @@ # Define the identity of the package. PACKAGE='rsyslog' - VERSION='8.2204.0' + VERSION='8.2204.1' cat >>confdefs.h <<_ACEOF 
@@ -30645,7 +30645,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by rsyslog $as_me 8.2204.0, which was +This file was extended by rsyslog $as_me 8.2204.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -30711,7 +30711,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -rsyslog config.status 8.2204.0 +rsyslog config.status 8.2204.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rsyslog-8.2204.0/configure.ac new/rsyslog-8.2204.1/configure.ac --- old/rsyslog-8.2204.0/configure.ac 2022-04-18 11:13:58.000000000 +0200 +++ new/rsyslog-8.2204.1/configure.ac 2022-05-03 13:27:28.000000000 +0200 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT([rsyslog],[8.2204.0],[rsys...@lists.adiscon.com]) # UPDATE on release +AC_INIT([rsyslog],[8.2204.1],[rsys...@lists.adiscon.com]) # UPDATE on release AC_DEFINE(VERSION_YEAR, 22, [year part of real rsyslog version]) # UPDATE on release AC_DEFINE(VERSION_MONTH, 04, [month part of real rsyslog version]) # UPDATE on release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rsyslog-8.2204.0/contrib/imhttp/imhttp.c new/rsyslog-8.2204.1/contrib/imhttp/imhttp.c --- old/rsyslog-8.2204.0/contrib/imhttp/imhttp.c 2022-04-04 09:26:40.000000000 +0200 +++ new/rsyslog-8.2204.1/contrib/imhttp/imhttp.c 2022-05-03 13:22:21.000000000 +0200 
@@ -487,7 +487,9 @@
 connWrkr->parseState.iOctetsRemain = connWrkr->parseState.iOctetsRemain * 10 + ch - '0';
 }
 // temporarily save this character into the message buffer
- connWrkr->pMsg[connWrkr->iMsg++] = ch;
+ if(connWrkr->iMsg + 1 < s_iMaxLine) {
+ connWrkr->pMsg[connWrkr->iMsg++] = ch;
+ }
 } else {
 const char *remoteAddr = "";
 if (connWrkr->propRemoteAddr) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rsyslog-8.2204.0/plugins/imptcp/imptcp.c new/rsyslog-8.2204.1/plugins/imptcp/imptcp.c
--- old/rsyslog-8.2204.0/plugins/imptcp/imptcp.c 2022-04-18 11:13:29.000000000 +0200
+++ new/rsyslog-8.2204.1/plugins/imptcp/imptcp.c 2022-05-03 13:22:21.000000000 +0200
@@ -1107,7 +1107,9 @@
 if(pThis->iOctetsRemain <= 200000000) {
 pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
 }
- *(pThis->pMsg + pThis->iMsg++) = c;
+ if(pThis->iMsg < iMaxLine) {
+ *(pThis->pMsg + pThis->iMsg++) = c;
+ }
 } else { /* done with the octet count, so this must be the SP terminator */
 DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
 prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rsyslog-8.2204.0/runtime/tcps_sess.c new/rsyslog-8.2204.1/runtime/tcps_sess.c
--- old/rsyslog-8.2204.0/runtime/tcps_sess.c 2022-04-04 09:26:40.000000000 +0200
+++ new/rsyslog-8.2204.1/runtime/tcps_sess.c 2022-05-03 13:22:21.000000000 +0200
@@ -390,7 +390,9 @@
 if(pThis->iOctetsRemain <= 200000000) {
 pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
 }
- *(pThis->pMsg + pThis->iMsg++) = c;
+ if(pThis->iMsg < iMaxLine) {
+ *(pThis->pMsg + pThis->iMsg++) = c;
+ }
 } else { /* done with the octet count, so this must be the SP terminator */
 DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
 prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
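Review bot: The new guard `if(connWrkr->iMsg + 1 < s_iMaxLine)` in imhttp.c keeps one byte more headroom than the equivalent guards added to imptcp.c and tcps_sess.c further down this page (`pThis->iMsg < iMaxLine`), and nothing in the hunk says which bound matches the size pMsg was allocated with, so a reader cannot verify the fix locally. A comment on the guard stating the invariant would help, e.g. `// CVE-2022-24903: the octet-count prefix is bounded by the buffer, never by the peer-supplied count` (and, if the extra byte is reserved for a terminator written later, say so). The dropped character is also not diagnosed: the else branch below reads the remote address, presumably for an error message, and routing an over-long prefix there would make a misbehaving peer visible in the logs instead of silently truncating. The added `if(` also departs from the surrounding style, which writes `if (connWrkr->propRemoteAddr)` with a space. The enclosing function starts and ends outside the hunk.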
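Review bot: In imptcp.c the bound `if(pThis->iMsg < iMaxLine)` stops the write but leaves the dropped digit undiagnosed: iOctetsRemain keeps accumulating (capped at 200000000 on the line above) while pMsg silently stops growing, so a peer sending an over-long octet-count prefix produces neither a debug line nor an error; the identical hunk in runtime/tcps_sess.c has the same gap. Since both functions already use DBGPRINTF for the octet-counter path, an else branch such as `} else { DBGPRINTF("octet-count prefix longer than message buffer, dropping byte\n"); }` would keep the fix observable without changing the truncation behaviour. Whether iMaxLine is the allocated size of pMsg or one less than it cannot be seen from the hunk; if the buffer is NUL-terminated at iMsg elsewhere the bound would need to be one smaller, so a comment naming the allocation the guard relies on is worth adding. The enclosing functions start and end outside both hunks.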