syslog-ng: CVE-2022-38725 An integer overflow in the RFC3164 parser i

Source: https://github.com/syslog-ng/syslog-ng/
MR: 124728
Type: Security Fix
Disposition: Backport from syslog-ng/syslog-ng@b5a060f & syslog-ng/syslog-ng@4b8dc56 & syslog-ng/syslog-ng@73b5c30 & syslog-ng/syslog-ng@09f489c & syslog-ng/syslog-ng@8c6e2c1 & syslog-ng/syslog-ng@56f881c
ChangeID: 7ad64c3c5a58fe3bce0bdf4bd7779075ddb5fe34
Description:

Fix for CVE-2022-38725

Signed-off-by: Vijay Anusuri <[email protected]>
Signed-off-by: Jeremy A. Puhlman <[email protected]>

meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-01.patch

@@ -0,0 +1,59 @@
+From b5a060f2ebb8d794f508436a12e4d4163f94b1b8 Mon Sep 17 00:00:00 2001
+From: László Várady <[email protected]>
+Date: Sat, 20 Aug 2022 12:26:05 +0200
+Subject: [PATCH] syslogformat: fix out-of-bounds reading of data buffer
+
+Signed-off-by: László Várady <[email protected]>
+
+Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/b5a060f2ebb8d794f508436a12e4d4163f94b1b8]
+CVE: CVE-2022-38725
+Signed-off-by: Vijay Anusuri <[email protected]>
+---
+ modules/syslogformat/syslog-format.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c
+index df1f021..9fd4d56 100644
+--- a/modules/syslogformat/syslog-format.c
++++ b/modules/syslogformat/syslog-format.c
+@@ -468,6 +468,9 @@ log_msg_parse_date_unnormalized(LogMessage *self, const guchar **data, gint *len
+
+   cached_g_current_time(&now);
+
++  if (!left)
++    goto error;
++
+   if ((parse_flags & LP_SYSLOG_PROTOCOL) == 0)
+     {
+       /* Cisco timestamp extensions, the first '*' indicates that the clock is
+@@ -835,7 +838,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF
+       open_sd++;
+       do
+         {
+-          if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"')
++          if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"')
+             goto error;
+           /* read sd_id */
+           pos = 0;
+@@ -869,7 +872,8 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF
+           strcpy(sd_value_name, logmsg_sd_prefix);
+           /* this strcat is safe, as sd_id_name is at most 32 chars */
+           strncpy(sd_value_name + logmsg_sd_prefix_len, sd_id_name, sizeof(sd_value_name) - logmsg_sd_prefix_len);
+-          if (*src == ']')
++
++          if (left && *src == ']')
+             {
+               log_msg_set_value_by_name(self, sd_value_name, "", 0);
+             }
+@@ -886,7 +890,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF
+               else
+                 goto error;
+
+-              if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"')
++              if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"')
+                 goto error;
+
+               /* read sd-param */
+-- 
+2.18.2
+

meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-02.patch

@@ -0,0 +1,30 @@
+From 4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d Mon Sep 17 00:00:00 2001
+From: László Várady <[email protected]>
+Date: Sun, 21 Aug 2022 18:44:28 +0200
+Subject: [PATCH] syslogformat: fix reading cisco sequence id out of bounds
+
+Signed-off-by: László Várady <[email protected]>
+
+Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d]
+CVE: CVE-2022-38725
+Signed-off-by: Vijay Anusuri <[email protected]>
+---
+ modules/syslogformat/syslog-format.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c
+index 9fd4d56..b1b7f15 100644
+--- a/modules/syslogformat/syslog-format.c
++++ b/modules/syslogformat/syslog-format.c
+@@ -198,7 +198,7 @@ log_msg_parse_seq(LogMessage *self, const guchar **data, gint *length)
+
+   /* if the next char is not space, then we may try to read a date */
+
+-  if (*src != ' ')
++  if (!left || *src != ' ')
+     return FALSE;
+
+   log_msg_set_value(self, handles.cisco_seqid, (gchar *) *data, *length - left - 1);
+-- 
+2.18.2
+

meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-03.patch

@@ -0,0 +1,31 @@
+From 73b5c300b8fde5e7a4824baa83a04931279abb37 Mon Sep 17 00:00:00 2001
+From: László Várady <[email protected]>
+Date: Sat, 20 Aug 2022 12:42:38 +0200
+Subject: [PATCH] timeutils: fix iterating out of the range of timestamp buffer
+
+Signed-off-by: László Várady <[email protected]>
+Signed-off-by: Balazs Scheidler <[email protected]>
+
+Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/73b5c300b8fde5e7a4824baa83a04931279abb37]
+CVE: CVE-2022-38725
+Signed-off-by: Vijay Anusuri <[email protected]>
+---
+ modules/syslogformat/syslog-format.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c
+index b1b7f15..a6c8cee 100644
+--- a/modules/syslogformat/syslog-format.c
++++ b/modules/syslogformat/syslog-format.c
+@@ -258,7 +258,7 @@ __parse_usec(const guchar **data, gint *length)
+           src++;
+           (*length)--;
+         }
+-      while (isdigit(*src))
++      while (*length > 0 && isdigit(*src))
+         {
+           src++;
+           (*length)--;
+-- 
+2.18.2
+

meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-04.patch

@@ -0,0 +1,150 @@
+From 09f489c89c826293ff8cbd282cfc866ab56054c4 Mon Sep 17 00:00:00 2001
+From: László Várady <[email protected]>
+Date: Sat, 20 Aug 2022 14:29:43 +0200
+Subject: [PATCH] timeutils: name repeating constant
+
+Signed-off-by: László Várady <[email protected]>
+
+Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/09f489c89c826293ff8cbd282cfc866ab56054c4]
+CVE: CVE-2022-38725
+Signed-off-by: Vijay Anusuri <[email protected]>
+---
+ lib/str-format.c | 54 ++++++++++++++++++++++++++----------------------
+ 1 file changed, 29 insertions(+), 25 deletions(-)
+
+diff --git a/lib/str-format.c b/lib/str-format.c
+index efab984..194a635 100644
+--- a/lib/str-format.c
++++ b/lib/str-format.c
+@@ -366,41 +366,43 @@ scan_day_abbrev(const gchar **buf, gint *left, gint *wday)
+ {
+   *wday = -1;
+
+-  if (*left < 3)
++  const gsize abbrev_length = 3;
++
++  if (*left < abbrev_length)
+     return FALSE;
+
+   switch (**buf)
+     {
+     case 'S':
+-      if (strncasecmp(*buf, "Sun", 3) == 0)
++      if (strncasecmp(*buf, "Sun", abbrev_length) == 0)
+         *wday = 0;
+-      else if (strncasecmp(*buf, "Sat", 3) == 0)
++      else if (strncasecmp(*buf, "Sat", abbrev_length) == 0)
+         *wday = 6;
+       break;
+     case 'M':
+-      if (strncasecmp(*buf, "Mon", 3) == 0)
++      if (strncasecmp(*buf, "Mon", abbrev_length) == 0)
+         *wday = 1;
+       break;
+     case 'T':
+-      if (strncasecmp(*buf, "Tue", 3) == 0)
++      if (strncasecmp(*buf, "Tue", abbrev_length) == 0)
+         *wday = 2;
+-      else if (strncasecmp(*buf, "Thu", 3) == 0)
++      else if (strncasecmp(*buf, "Thu", abbrev_length) == 0)
+         *wday = 4;
+       break;
+     case 'W':
+-      if (strncasecmp(*buf, "Wed", 3) == 0)
++      if (strncasecmp(*buf, "Wed", abbrev_length) == 0)
+         *wday = 3;
+       break;
+     case 'F':
+-      if (strncasecmp(*buf, "Fri", 3) == 0)
++      if (strncasecmp(*buf, "Fri", abbrev_length) == 0)
+         *wday = 5;
+       break;
+     default:
+       return FALSE;
+     }
+
+-  (*buf) += 3;
+-  (*left) -= 3;
++  (*buf) += abbrev_length;
++  (*left) -= abbrev_length;
+   return TRUE;
+ }
+
+@@ -409,57 +411,59 @@ scan_month_abbrev(const gchar **buf, gint *left, gint *mon)
+ {
+   *mon = -1;
+
+-  if (*left < 3)
++  const gsize abbrev_length = 3;
++
++  if (*left < abbrev_length)
+     return FALSE;
+
+   switch (**buf)
+     {
+     case 'J':
+-      if (strncasecmp(*buf, "Jan", 3) == 0)
++      if (strncasecmp(*buf, "Jan", abbrev_length) == 0)
+         *mon = 0;
+-      else if (strncasecmp(*buf, "Jun", 3) == 0)
++      else if (strncasecmp(*buf, "Jun", abbrev_length) == 0)
+         *mon = 5;
+-      else if (strncasecmp(*buf, "Jul", 3) == 0)
++      else if (strncasecmp(*buf, "Jul", abbrev_length) == 0)
+         *mon = 6;
+       break;
+     case 'F':
+-      if (strncasecmp(*buf, "Feb", 3) == 0)
++      if (strncasecmp(*buf, "Feb", abbrev_length) == 0)
+         *mon = 1;
+       break;
+     case 'M':
+-      if (strncasecmp(*buf, "Mar", 3) == 0)
++      if (strncasecmp(*buf, "Mar", abbrev_length) == 0)
+         *mon = 2;
+-      else if (strncasecmp(*buf, "May", 3) == 0)
++      else if (strncasecmp(*buf, "May", abbrev_length) == 0)
+         *mon = 4;
+       break;
+     case 'A':
+-      if (strncasecmp(*buf, "Apr", 3) == 0)
++      if (strncasecmp(*buf, "Apr", abbrev_length) == 0)
+         *mon = 3;
+-      else if (strncasecmp(*buf, "Aug", 3) == 0)
++      else if (strncasecmp(*buf, "Aug", abbrev_length) == 0)
+         *mon = 7;
+       break;
+     case 'S':
+-      if (strncasecmp(*buf, "Sep", 3) == 0)
++      if (strncasecmp(*buf, "Sep", abbrev_length) == 0)
+         *mon = 8;
+       break;
+     case 'O':
+-      if (strncasecmp(*buf, "Oct", 3) == 0)
++      if (strncasecmp(*buf, "Oct", abbrev_length) == 0)
+         *mon = 9;
+       break;
+     case 'N':
+-      if (strncasecmp(*buf, "Nov", 3) == 0)
++      if (strncasecmp(*buf, "Nov", abbrev_length) == 0)
+         *mon = 10;
+       break;
+     case 'D':
+-      if (strncasecmp(*buf, "Dec", 3) == 0)
++      if (strncasecmp(*buf, "Dec", abbrev_length) == 0)
+         *mon = 11;
+       break;
+     default:
+       return FALSE;
+     }
+
+-  (*buf) += 3;
+-  (*left) -= 3;
++  (*buf) += abbrev_length;
++  (*left) -= abbrev_length;
+   return TRUE;
+ }
+
+-- 
+2.18.2
+

meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-05.patch

@@ -0,0 +1,47 @@
+From 8c6e2c1c41b0fcc5fbd464c35f4dac7102235396 Mon Sep 17 00:00:00 2001
+From: László Várady <[email protected]>
+Date: Sat, 20 Aug 2022 14:30:22 +0200
+Subject: [PATCH] timeutils: fix invalid calculation of ISO timestamp length
+
+Signed-off-by: László Várady <[email protected]>
+
+Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/8c6e2c1c41b0fcc5fbd464c35f4dac7102235396]
+CVE: CVE-2022-38725
+Signed-off-by: Vijay Anusuri <[email protected]>
+---
+ modules/syslogformat/syslog-format.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c
+index a6c8cee..8309a84 100644
+--- a/modules/syslogformat/syslog-format.c
++++ b/modules/syslogformat/syslog-format.c
+@@ -211,6 +211,8 @@ log_msg_parse_seq(LogMessage *self, const guchar **data, gint *length)
+ static guint32
+ __parse_iso_timezone(const guchar **data, gint *length)
+ {
++  g_assert(*length >= 6);
++
+   gint hours, mins;
+   const guchar *src = *data;
+   guint32 tz = 0;
+@@ -272,14 +274,14 @@ __parse_usec(const guchar **data, gint *length)
+ static gboolean
+ __has_iso_timezone(const guchar *src, gint length)
+ {
+-  return (length >= 5) &&
++  return (length >= 6) &&
+          (*src == '+' || *src == '-') &&
+          isdigit(*(src+1)) &&
+          isdigit(*(src+2)) &&
+          *(src+3) == ':' &&
+          isdigit(*(src+4)) &&
+          isdigit(*(src+5)) &&
+-         !isdigit(*(src+6));
++         (length < 7 || !isdigit(*(src+6)));
+ }
+
+ static gboolean
+-- 
+2.18.2
+

meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-06.patch

@@ -0,0 +1,30 @@
+From 56f881c5eaa3d8c02c96607c4b9e4eaf959a044d Mon Sep 17 00:00:00 2001
+From: László Várady <[email protected]>
+Date: Sat, 20 Aug 2022 14:30:51 +0200
+Subject: [PATCH] timeutils: fix out-of-bounds reading of data buffer
+
+Signed-off-by: László Várady <[email protected]>
+
+Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/56f881c5eaa3d8c02c96607c4b9e4eaf959a044d]
+CVE: CVE-2022-38725
+Signed-off-by: Vijay Anusuri <[email protected]>
+---
+ modules/syslogformat/syslog-format.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c
+index 8309a84..c562014 100644
+--- a/modules/syslogformat/syslog-format.c
++++ b/modules/syslogformat/syslog-format.c
+@@ -378,7 +378,7 @@ __parse_bsd_timestamp(const guchar **data, gint *length, const GTimeVal *now, st
+       if (!scan_pix_timestamp((const gchar **) &src, &left, tm))
+         return FALSE;
+
+-      if (*src == ':')
++      if (left && *src == ':')
+         {
+           src++;
+           left--;
+-- 
+2.18.2
+

meta-oe/recipes-support/syslog-ng/syslog-ng_3.16.1.bb

@@ -1,5 +1,6 @@
 require syslog-ng.inc
 
+PR .= "1"
 SRC_URI = "https://github.com/balabit/syslog-ng/releases/download/${BP}/${BP}.tar.gz \
            file://syslog-ng.conf.systemd \
            file://syslog-ng.conf.sysvinit \
@@ -10,6 +11,12 @@ SRC_URI = "https://github.com/balabit/syslog-ng/releases/download/${BP}/${BP}.ta
            file://fix-invalid-ownership.patch \
            file://syslog-ng.service-the-syslog-ng-service.patch \
            file://0001-syslog-ng-fix-segment-fault-during-service-start.patch \
+           file://CVE-2022-38725-01.patch \
+           file://CVE-2022-38725-02.patch \
+           file://CVE-2022-38725-03.patch \
+           file://CVE-2022-38725-04.patch \
+           file://CVE-2022-38725-05.patch \
+           file://CVE-2022-38725-06.patch \
            "
 
 SRC_URI[md5sum] = "72d44ad02c2e9ba0748b3ecd3f15a7ff"