#1010619 rsyslog: CVE-2022-24903: Potential heap buffer overflow in TCP syslog server (receiver) components #1010619
- Package:
- src:rsyslog
- Source:
- rsyslog
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2022-05-29 18:36:11 UTC
- Severity:
- grave
- Tags:
Hi,

The following vulnerability was published for rsyslog. Filing for now as grave, but we might downgrade. Probably affected configurations are not that common if I understood correctly; the advisory has some comments about it as well[1].

CVE-2022-24903[0]:
| Potential heap buffer overflow in TCP syslog server (receiver)
| components

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24903
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24903
[1] https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
On 05.05.22 at 17:10, Salvatore Bonaccorso wrote:

Yeah, I think this feature is obscure enough (and not enabled by default) that non-RC severity is fine.
Hi Michael,

[looping in the sec-team for completeness]

Thinking a bit more on it I see two aspects:

* Usually, following recommendations, one should not expose receivers to the public, which makes the risk considerably lower.
* Though receivers still enable octet-framing by default.

So I think to leave the severity actually as it is, and consider it RC, and at the earliest point possible for you either do a cherry-picked upload on top of 8.2204.0-1 or just upload 8.2204.1 to unstable; I think I would prefer the latter.

Secondly, about releasing a DSA: still slightly borderline, but I think we would be safer to release one. I can help prepare updates for bullseye and buster here if needed and wanted.

In the git repository I see 8.2102.0-2+deb11u1 as released for bullseye, but this change actually never landed in bullseye and was not acked by SRM?

Regards,
Salvatore
Note: 8.2204.1 is 8.2204.0 with just the fix cherry-picked. No other changes.

Rainer

On Sat, 7 May 2022 at 14:48, Salvatore Bonaccorso (<carnil@debian.org>) wrote:
We believe that the bug you reported is fixed in the latest version of
rsyslog, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1010619@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated rsyslog package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 09 May 2022 15:44:08 +0200
Source: rsyslog
Architecture: source
Version: 8.2204.1-1
Distribution: unstable
Urgency: medium
Maintainer: Michael Biebl <biebl@debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Closes: 1010619
Changes:
rsyslog (8.2204.1-1) unstable; urgency=medium
.
* New upstream version 8.2204.1
- Fix potential heap buffer overflow in imptcp, imtcp, imgssapi and other
TCP syslog reception modules when octet-counted framing is used.
(CVE-2022-24903, Closes: #1010619)
Checksums-Sha1:
ae5bde152e4725e3c35a09c1e545988baae81b9d 3226 rsyslog_8.2204.1-1.dsc
3b0daa9c1603326034f984af5545d0be7cd6a78c 3243183 rsyslog_8.2204.1.orig.tar.gz
c0c636d039aa594d587dbd5db42923c0ea3983f2 28572 rsyslog_8.2204.1-1.debian.tar.xz
3e0c5cc573b08b250f68a7b32783dcc09930d7e1 8242 rsyslog_8.2204.1-1_source.buildinfo
Checksums-Sha256:
8887fb1e2630c8d07a98ab46e5e7781dab9cf36ab691b0484dc8851380abb29d 3226 rsyslog_8.2204.1-1.dsc
a6d731e46ad3d64f6ad4b19bbf1bf56ca4760a44a24bb96823189dc2e71f7028 3243183 rsyslog_8.2204.1.orig.tar.gz
122a28bbffad5ae94dca77db5da0d95be933887468232681a88033ce04bef965 28572 rsyslog_8.2204.1-1.debian.tar.xz
047ac857e7731a8616df8da541766c31a9fbf1d95277583f9f25ede345f5ee5c 8242 rsyslog_8.2204.1-1_source.buildinfo
Files:
0b1b2bde76868e552676ab54f8c1bf9a 3226 admin important rsyslog_8.2204.1-1.dsc
44526816f93026bce67711f692b4a3da 3243183 admin important rsyslog_8.2204.1.orig.tar.gz
58ffc8473b727ece4f912ddad5876532 28572 admin important rsyslog_8.2204.1-1.debian.tar.xz
a20bc5b58ba1168362cbc068f17a5e44 8242 admin important rsyslog_8.2204.1-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=ohqU
-----END PGP SIGNATURE-----
Format: 1.8
Date: Fri, 20 May 2022 23:05:15 +0200
Source: rsyslog
Architecture: source
Version: 8.2102.0-2+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Michael Biebl <biebl@debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Closes: 1010619
Changes:
rsyslog (8.2102.0-2+deb11u1) bullseye-security; urgency=medium
.
* Fix potential heap buffer overflow in TCP syslog server (receiver)
components when octet-counted framing is used
(CVE-2022-24903, Closes: #1010619)
Checksums-Sha1:
da1f3f8b5246cb6d755999b56e17d72d032256c2 3109 rsyslog_8.2102.0-2+deb11u1.dsc
fdda78ed808e7a0dca03ead9227a0a5d913a050f 3123684 rsyslog_8.2102.0.orig.tar.gz
8392d443c5fc4ea6e2064a93c9bc595ac45f6ab4 30620 rsyslog_8.2102.0-2+deb11u1.debian.tar.xz
6717f7e4ac63ea1942a1c91bcd50a3a8fd7dd7e1 8326 rsyslog_8.2102.0-2+deb11u1_source.buildinfo
Checksums-Sha256:
a1939d9d33c87007c259245a6f57a51fe4a7885a8964af3e4ec31acdc8d4e24f 3109 rsyslog_8.2102.0-2+deb11u1.dsc
94ee0d0312c2edea737665594cbe4a9475e4e3b593e12b5b8ae3a743ac9c72a7 3123684 rsyslog_8.2102.0.orig.tar.gz
a8af4719b549b006bfe8be7278c3fb743037db8b8c85715c1b0da5e492dee73a 30620 rsyslog_8.2102.0-2+deb11u1.debian.tar.xz
b38eacec08d7084812ec16f1650142d5f48d0daa620406dffbe68b8102a3322e 8326 rsyslog_8.2102.0-2+deb11u1_source.buildinfo
Files:
4f4f68f33db2f3d5e5ced58dd3ac7ee6 3109 admin important rsyslog_8.2102.0-2+deb11u1.dsc
1f6150dfd2ef38db37c2165e98d2f2b1 3123684 admin important rsyslog_8.2102.0.orig.tar.gz
1526ed39ebbeb52e3f3f89d1bd0ebee2 30620 admin important rsyslog_8.2102.0-2+deb11u1.debian.tar.xz
e1d9ec20262888447553f571ccdc6803 8326 admin important rsyslog_8.2102.0-2+deb11u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmKIHJIACgkQauHfDWCP
Itxykw//WGZSrd482oLaf85bTR7D15/V5DxcmC5uKp+PgLW/WRCSiBfsVhr5fpOH
1UMjbqNeKIXDtL7tf5+EduAJp8nRDgKpokJsfEUljKv+mRTag7lbxyLE4mGT/+3d
DwDO3DWt56Hz+0SNKJb5mpNS0FB0++xhQH/0FarVIkK1Myb+JkLDlSu/Lv4sLouw
pWrOKNcXcSJUz7K5zUjs+K9NzamdhMvspaz+aaOggERMTA2Ames//MrzdPiTmCXH
0oe6K/jJPrHV+COx9eHv2ShrFHyanuDz4BI2gpBlw4MQia+9JakuMAhPjUlAXe4k
7I45c3XO2oldHwQodV1j/LHODJv+Zde6OETUFwdK5Vto7uz9RfRlvONSBJAF+VAG
8k7vI6idlUg0Dxufm6TMvJG5XTFP+2AYBjDefkf+Its8yqI/1a3HTTNh27HrTX0Q
Nt363BbVn0TFhlnbtOK0TnGp24XpLCE6n6mrSYiO+yu2FA8Ll3lbj4nIAQaM+bHk
JcBkQSd7rkAOuydzyxQGqblA2PGvtr6ZPDlMX/XxvIXZSMMTXK5zpy2Q46Dc3fP/
OJ0HvHUH3LslMhAuBPDnO1KsMzDy/VwXWA9luG1MEsigiF2h2raewVf109U+wYmj
kxq4ZPxHbxc7czlTEEqc8Ue1nfU8DDyp324VCfTguSpLQcVPBQA=
=MISM
-----END PGP SIGNATURE-----
Format: 1.8
Date: Wed, 25 May 2022 16:51:45 +0200
Source: rsyslog
Architecture: source
Version: 8.1901.0-1+deb10u2
Distribution: buster-security
Urgency: medium
Maintainer: Michael Biebl <biebl@debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Closes: 1010619
Changes:
rsyslog (8.1901.0-1+deb10u2) buster-security; urgency=medium
.
* Fix potential heap buffer overflow in TCP syslog server (receiver)
components when octet-counted framing is used
(CVE-2022-24903, Closes: #1010619)
Checksums-Sha1:
fcf5ef844da6715aaa059b1579b725cca8844342 2974 rsyslog_8.1901.0-1+deb10u2.dsc
7223f77a4ea75a7740130cc04ea3df052e82bdfd 2750872 rsyslog_8.1901.0.orig.tar.gz
a1dc51c9bf3836f8272bf4bd57ae07c971145414 28772 rsyslog_8.1901.0-1+deb10u2.debian.tar.xz
d35fba8d49763a589a0411839a2980a57b1efa62 7230 rsyslog_8.1901.0-1+deb10u2_source.buildinfo
Checksums-Sha256:
85ead922b9cb2f3d9cb4b0fa350f8b2ad3183be15e5493f1fd7b7d3b750061c3 2974 rsyslog_8.1901.0-1+deb10u2.dsc
ab02c1f11e21b54cfaa68797f083d6f73d9d72ce7a1c04037fbe0d4cee6f27c4 2750872 rsyslog_8.1901.0.orig.tar.gz
bb5e081bad738a9af2c66116fac01a345f46cf64a3e112d0b5d7eba028c21fd6 28772 rsyslog_8.1901.0-1+deb10u2.debian.tar.xz
709da22c040b6f53564ed7bbed681cd992ef9ef8896714ddd33211f54d64b9c1 7230 rsyslog_8.1901.0-1+deb10u2_source.buildinfo
Files:
d77fea21530435c1cbcd3054413789d8 2974 admin important rsyslog_8.1901.0-1+deb10u2.dsc
f068dadcf81a559db3be760abda0aaf8 2750872 admin important rsyslog_8.1901.0.orig.tar.gz
b1350272bcd3912981cbaa61a0c867d3 28772 admin important rsyslog_8.1901.0-1+deb10u2.debian.tar.xz
a56d263ffd185393eb42c51059ce8ced 7230 admin important rsyslog_8.1901.0-1+deb10u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmKOjGcACgkQauHfDWCP
ItyobA/8DviZDvuAKa4YiGSfrzDPvlIyZdVB+SwbGzMtoRAsuxOL+k+kxKF8gxBg
V2ZeQSe1ceo4qQUOW9xkWwr9K7kvg+aO/M1ulnUlTxHH0t2uW3+YrH97UVUxqhGm
ZQtHOC+FOA/jhpMF6h6zF+8c4SZTOe+/fNo/TkrY+ndlyui7zMj1fb+O0b4a0Ojt
fqGmb7IypWE8mjOXY5LuuMMLk87CxKqPFNzSbAeENPf2fyU5YKK4v6nJ1jUV16q5
wLqn7F1/F3qAxtkyOXM8csJIJRQZdfQQKq0MXjnz3m2efiFXe/jo7UZDI5Nlws7I
fWgGePEGWon1OWaSGU2JNiG0g219q0NReb9cY7c4HYUtJ7Q98JvJZRg0nSE/RtiE
njaKvhCe/i/qnapCSydn1F9wWvrNnkkAUrnnT9sNgrxGfo94j08fZt1Dzfpz9w8Q
5Cc4/g+C0nXZtSXk+rvGVxZnThm9c+ScMAs2j03Gh9lRD/9IPZiqKw0w/ShMg9wq
6r5Yn955LQntLqZH852WKiC7LJ7vjlUxQakzcwBhGifTxDOKHCtsm/XHZDQxPmVB
9ZTbRrYjU92P5t009LDIiJzwEU6CcOKI5IhGyhDtjEGXBXxtX0gl+S5Udgfzyqz7
65WBHpBRbbkj252U4EgGRSDf9qpslwY9pjjWUDFR+Doed7apT+4=
=l+w3
-----END PGP SIGNATURE-----