diff options
Diffstat (limited to 'meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0007.patch')
-rw-r--r-- | meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0007.patch | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0007.patch b/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0007.patch new file mode 100644 index 0000000000..abb36fdf5f --- /dev/null +++ b/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725-0007.patch @@ -0,0 +1,81 @@ +From 8c6e2c1c41b0fcc5fbd464c35f4dac7102235396 Mon Sep 17 00:00:00 2001 +From: Laszlo Varady <laszlo.varady@protonmail.com> +Date: Sat, 20 Aug 2022 14:30:22 +0200 +Subject: [PATCH 7/8] timeutils: fix invalid calculation of ISO timestamp length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE: CVE-2022-38725 + +Upstream-Status: Backport +[https://github.com/syslog-ng/syslog-ng/commit/8c6e2c1c41b0fcc5fbd464c35f4dac7102235396] + +Signed-off-by: László Várady <laszlo.varady@protonmail.com> + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + lib/timeutils/scan-timestamp.c | 8 ++++++-- + lib/timeutils/tests/test_scan-timestamp.c | 7 +++++++ + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c +index d22d50973..125264677 100644 +--- a/lib/timeutils/scan-timestamp.c ++++ b/lib/timeutils/scan-timestamp.c +@@ -350,19 +350,21 @@ __parse_usec(const guchar **data, gint *length) + static gboolean + __has_iso_timezone(const guchar *src, gint length) + { +- return (length >= 5) && ++ return (length >= 6) && + (*src == '+' || *src == '-') && + isdigit(*(src+1)) && + isdigit(*(src+2)) && + *(src+3) == ':' && + isdigit(*(src+4)) && + isdigit(*(src+5)) && +- !isdigit(*(src+6)); ++ (length < 7 || !isdigit(*(src+6))); + } + + static guint32 + __parse_iso_timezone(const guchar **data, gint *length) + { ++ g_assert(*length >= 6); ++ + gint hours, mins; + const guchar *src = *data; + guint32 tz = 0; +@@ -372,8 +374,10 @@ __parse_iso_timezone(const guchar **data, gint *length) + hours = (*(src + 1) - '0') * 10 + *(src + 2) - '0'; + mins = (*(src + 4) - '0') * 10 + *(src + 5) - '0'; + tz = sign * (hours * 3600 + mins * 60); ++ + src += 6; + (*length) -= 6; ++ + *data = src; + return tz; + } +diff --git a/lib/timeutils/tests/test_scan-timestamp.c b/lib/timeutils/tests/test_scan-timestamp.c +index 468bbf779..d18bdc65d 100644 +--- a/lib/timeutils/tests/test_scan-timestamp.c ++++ b/lib/timeutils/tests/test_scan-timestamp.c +@@ -264,6 +264,13 @@ Test(parse_timestamp, non_zero_terminated_rfc5424_input_is_handled_properly) + + } + ++Test(parse_timestamp, non_zero_terminated_rfc5424_timestamp_only) ++{ ++ const gchar *ts = "2022-08-17T05:02:28.417+03:00"; ++ gint ts_len = strlen(ts); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len, ts); ++} ++ + + Test(parse_timestamp, daylight_saving_behavior_at_spring_with_explicit_timezones) + { +-- +2.34.1 + |