diff --git a/backport-0001-gnutls-bugfix-Avoid-blocking-sockets-during-TLS-hand.patch b/backport-0001-gnutls-bugfix-Avoid-blocking-sockets-during-TLS-hand.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c865f7d7f8dfe8641b8907cecab914a1e20f41a8
--- /dev/null
+++ b/backport-0001-gnutls-bugfix-Avoid-blocking-sockets-during-TLS-hand.patch
@@ -0,0 +1,51 @@ +From f58cd6458f7d9bcb21ae1728c344f2fbef836cb8 Mon Sep 17 00:00:00 2001 +From: Cropi +Date: Mon, 18 Nov 2024 09:54:48 +0100 +Subject: [PATCH 1/9] gnutls bugfix: Avoid blocking sockets during TLS + handshake + +When forwarding logs to a TLS server, using a blocking socket +can lead to indefinite waiting during the gnutls_handshake() +call if the server does not respond as expected. + +This commit modifies the behavior to use non-blocking sockets, +ensuring that the rsyslog client does not hang indefinitely +waiting for a response. +--- + runtime/nsd_gtls.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c +index b9c0f8a..f5d5820 100644 +--- a/runtime/nsd_gtls.c ++++ b/runtime/nsd_gtls.c +@@ -2204,6 +2204,7 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device) + nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; + int sock; + int gnuRet; ++ int flags; + const char *error_position; + # ifdef HAVE_GNUTLS_CERTIFICATE_TYPE_SET_PRIORITY + static const int cert_type_priority[2] = { GNUTLS_CRT_X509, 0 }; +@@ -2305,10 +2306,17 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device) + gnutls_dh_set_prime_bits(pThis->sess, dhMinBits); + } + +- /* assign the socket to GnuTls */ + CHKiRet(nsd_ptcp.GetSock(pThis->pTcp, &sock)); ++ /* Set the socket to non-blocking mode */ ++ flags = fcntl(sock, F_GETFL, 0); ++ if (flags != -1) { ++ fcntl(sock, F_SETFL, flags | O_NONBLOCK); ++ } ++ ++ /* assign the socket to GnuTls */ + gtlsSetTransportPtr(pThis, sock); + ++ + /* we need to store the hostname as an alternate mean of authentication if no + * permitted peer names are given. Using the hostname is quite useful. It permits + * auto-configuration of security if a commen root cert is present. -- rgerhards, 2008-05-26 +-- +2.33.0 + 
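Review bot: Neither `fcntl()` result in the block added to Connect() is acted on: a failed `F_GETFL` silently skips the change and the `F_SETFL` return value is discarded, so the socket can stay blocking with no log line to show it. Patch 2/9 in this series removes the block again and bounds the handshake with a timeout instead, so 0001 and 0002 are only meaningful as a pair. With 0001 alone, the single `CHKgnutls(gnutls_handshake(pThis->sess));` call visible in 0002's context would presumably treat `GNUTLS_E_AGAIN` from a non-blocking socket as a hard failure; confirm that no build applies 0001 without 0002. Connect() begins and ends outside the hunk.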
diff --git a/backport-0002-gnutls-bugfix-Add-timeout-to-GnuTLS-handshake.patch b/backport-0002-gnutls-bugfix-Add-timeout-to-GnuTLS-handshake.patch
new file mode 100644
index 0000000000000000000000000000000000000000..18adbcdf5e08ee13868cb652ae193a6fac5d026e
--- /dev/null
+++ b/backport-0002-gnutls-bugfix-Add-timeout-to-GnuTLS-handshake.patch
@@ -0,0 +1,48 @@ +From b7e3685067d1b1a8b17028a32bffec13cdca5e7f Mon Sep 17 00:00:00 2001 +From: Cropi +Date: Mon, 18 Nov 2024 13:51:02 +0100 +Subject: [PATCH 2/9] gnutls bugfix: Add timeout to GnuTLS handshake + +When forwarding logs to a remote server, it appears that an rsyslog +client with gtls netstream driver will wait forever on TLS handshake +to complete if the server doesn't answer. Adding a timeout fixes +the error. +--- + runtime/nsd_gtls.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c +index f5d5820..fe709f3 100644 +--- a/runtime/nsd_gtls.c ++++ b/runtime/nsd_gtls.c +@@ -2204,7 +2204,6 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device) + nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; + int sock; + int gnuRet; +- int flags; + const char *error_position; + # ifdef HAVE_GNUTLS_CERTIFICATE_TYPE_SET_PRIORITY + static const int cert_type_priority[2] = { GNUTLS_CRT_X509, 0 }; +@@ -2307,11 +2306,6 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device) + } + + CHKiRet(nsd_ptcp.GetSock(pThis->pTcp, &sock)); +- /* Set the socket to non-blocking mode */ +- flags = fcntl(sock, F_GETFL, 0); +- if (flags != -1) { +- fcntl(sock, F_SETFL, flags | O_NONBLOCK); +- } + + /* assign the socket to GnuTls */ + gtlsSetTransportPtr(pThis, sock); +@@ -2324,6 +2318,7 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device) + CHKmalloc(pThis->pszConnectHost = (uchar*)strdup((char*)host)); + + /* and perform the handshake */ ++ gnutls_handshake_set_timeout(pThis->sess, 3000); + CHKgnutls(gnutls_handshake(pThis->sess)); + dbgprintf("GnuTLS handshake succeeded\n"); + +-- +2.33.0 + diff --git a/backport-0003-core-fix-potential-NULL-ptr-access-on-HUP-in-very-ea.patch b/backport-0003-core-fix-potential-NULL-ptr-access-on-HUP-in-very-ea.patch new file mode 100644 index 0000000000000000000000000000000000000000..73c2c3b9f990341febcecd76bfe2247438adc6f5 
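Review bot: The `3000` passed to `gnutls_handshake_set_timeout()` just before the handshake in Connect() is an unexplained literal (milliseconds) and cannot be tuned from configuration. A peer on a slow or lossy link that needs more than three seconds will now fail through `CHKgnutls`, so log delivery depends on the action's retry and queue settings, which are not visible here. A named constant with a comment would make the trade-off explicit, for example (name is a suggestion) `#define GTLS_HANDSHAKE_TIMEOUT_MS 3000 /* bound the handshake so an unresponsive peer cannot stall forwarding */`. Connect() begins and ends outside the hunk.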
--- /dev/null +++ b/backport-0003-core-fix-potential-NULL-ptr-access-on-HUP-in-very-ea.patch @@ -0,0 +1,29 @@ +From ca08d74459e567fb7ceb7487d394ebb1a1e792e0 Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Wed, 26 Feb 2025 17:34:03 +0100 +Subject: [PATCH 3/9] core: fix potential NULL ptr access on HUP in very early + startup phase + +found be clang static analyzer, no report from practice. This could +potentially happend during early startup when the config was not +yet full read while HUP was received. +--- + tools/rsyslogd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c +index 5b6820b..ea33b89 100644 +--- a/tools/rsyslogd.c ++++ b/tools/rsyslogd.c +@@ -1964,7 +1964,7 @@ doHUP(void) + char buf[512]; + + DBGPRINTF("doHUP: doing modules\n"); +- if(ourConf->globals.bLogStatusMsgs) { ++ if(ourConf != NULL && ourConf->globals.bLogStatusMsgs) { + snprintf(buf, sizeof(buf), + "[origin software=\"rsyslogd\" " "swVersion=\"" VERSION + "\" x-pid=\"%d\" x-info=\"https://www.rsyslog.com\"] rsyslogd was HUPed", +-- +2.33.0 + diff --git a/backport-0004-omfwd-fix-segfault-in-UDP-freeaddrinfo.patch b/backport-0004-omfwd-fix-segfault-in-UDP-freeaddrinfo.patch new file mode 100644 index 0000000000000000000000000000000000000000..488bbe375f673a2d6ae257b7a198f3555d90325e --- /dev/null +++ b/backport-0004-omfwd-fix-segfault-in-UDP-freeaddrinfo.patch 
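Review bot: The new `ourConf != NULL &&` guard in doHUP() protects only this first dereference, and the rest of the function lies outside the hunk. Any later use of `ourConf` in doHUP(), or in the helpers it calls, would still hit the NULL pointer in the early-startup window the commit message describes, so those sites should be checked as well. A short comment at the guard, e.g. `/* ourConf may still be NULL if HUP arrives before the config is loaded */`, would keep the reason visible to the next reader.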
@@ -0,0 +1,31 @@ +From 382411618c0387c7513affb0499074f887795890 Mon Sep 17 00:00:00 2001 +From: azpema +Date: Thu, 20 Jun 2024 13:39:08 +0200 +Subject: [PATCH 4/9] omfwd: fix segfault in UDP freeaddrinfo + +--- + tools/omfwd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/omfwd.c b/tools/omfwd.c +index 2acd9e5..420fc41 100644 +--- a/tools/omfwd.c ++++ b/tools/omfwd.c +@@ -983,13 +983,13 @@ static rsRetVal doTryResume(wrkrInstanceData_t *pWrkrData) + hints.ai_family = res->ai_family; + hints.ai_flags |= AI_PASSIVE; + iErr = getaddrinfo(pData->address, pData->port, &hints, &addr); +- freeaddrinfo(addr); + if(iErr != 0) { + LogError(0, RS_RET_SUSPENDED, + "omfwd: cannot use bind address '%s' for host '%s': %s", + pData->address, pData->target, gai_strerror(iErr)); + ABORT_FINALIZE(RS_RET_SUSPENDED); + } ++ freeaddrinfo(addr); + bBindRequired = 1; + address = pData->address; + } +-- +2.33.0 + diff --git a/backport-0005-gnutls-TLS-driver-fix-small-memory-leak.patch b/backport-0005-gnutls-TLS-driver-fix-small-memory-leak.patch new file mode 100644 index 0000000000000000000000000000000000000000..66122be704c41d85fc855e048a162838a7212838 --- /dev/null +++ b/backport-0005-gnutls-TLS-driver-fix-small-memory-leak.patch 
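Review bot: The moved `freeaddrinfo(addr);` in doTryResume() has no comment and the commit has no description, so the reason for the ordering is easy to lose in a later cleanup. `addr` is only valid when `getaddrinfo()` returns 0, and the failing input is the configured bind address (`pData->address`), so a bad configuration value was enough to reach the invalid free. I would add `/* addr is only set when getaddrinfo() succeeded; never free it on the error path */` above the call. The enclosing function starts and ends outside the hunk, so the declaration and initial value of `addr` could not be checked.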
@@ -0,0 +1,28 @@ +From 655d449bb21826c730db7f11e635a1ba2c8e6342 Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Wed, 5 Mar 2025 12:13:38 +0100 +Subject: [PATCH 5/9] gnutls TLS driver: fix small memory leak + +found by CoverityScan + +see also https://github.com/rsyslog/rsyslog/pull/5329 +--- + runtime/nsd_gtls.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c +index fe709f3..4332c9a 100644 +--- a/runtime/nsd_gtls.c ++++ b/runtime/nsd_gtls.c +@@ -993,6 +993,8 @@ gtlsChkPeerFingerprint(nsd_gtls_t *pThis, gnutls_x509_crt_t *pCert) + finalize_it: + if(pstrFingerprint != NULL) + cstrDestruct(&pstrFingerprint); ++ if(pstrFingerprintSha256 != NULL) ++ cstrDestruct(&pstrFingerprintSha256); + RETiRet; + } + +-- +2.33.0 + diff --git a/backport-0006-rsyslog-startup-bugfix-cosmetic-memory-leak.patch b/backport-0006-rsyslog-startup-bugfix-cosmetic-memory-leak.patch new file mode 100644 index 0000000000000000000000000000000000000000..d3d19087284d732043325b2ad274dbac2fdac38e --- /dev/null +++ b/backport-0006-rsyslog-startup-bugfix-cosmetic-memory-leak.patch 
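Review bot: The added cleanup at `finalize_it` in gtlsChkPeerFingerprint() is only safe if `pstrFingerprintSha256` is initialised to NULL at its declaration, which lies outside the hunk. An early `ABORT_FINALIZE` taken before the SHA-256 string is constructed would otherwise pass an indeterminate pointer to `cstrDestruct()`. Please confirm the declaration reads `cstr_t *pstrFingerprintSha256 = NULL;`, matching how `pstrFingerprint` is handled.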
@@ -0,0 +1,49 @@ +From 055afd3ef2bf44c29f4e9f269eccf61bbdeb1be4 Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Wed, 5 Mar 2025 12:20:16 +0100 +Subject: [PATCH 6/9] rsyslog startup bugfix: cosmetic memory leak + +This was detected by Coverity Scan, and we "fix" it to keep Coverity +silent. It is a < 100 byte mem leak that occurs once on startup. +--- + tools/rsyslogd.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c +index ea33b89..8593b9c 100644 +--- a/tools/rsyslogd.c ++++ b/tools/rsyslogd.c +@@ -298,7 +298,7 @@ writePidFile(void) + FILE *fp; + DEFiRet; + +- const char *tmpPidFile; ++ const char *tmpPidFile = NULL; + + if(!strcmp(PidFile, NO_PIDFILE)) { + FINALIZE; +@@ -308,6 +308,7 @@ writePidFile(void) + } + if(tmpPidFile == NULL) + tmpPidFile = PidFile; ++ + DBGPRINTF("rsyslogd: writing pidfile '%s'.\n", tmpPidFile); + if((fp = fopen((char*) tmpPidFile, "w")) == NULL) { + perror("rsyslogd: error writing pid file (creation stage)\n"); +@@ -321,9 +322,12 @@ writePidFile(void) + if(rename(tmpPidFile, PidFile) != 0) { + perror("rsyslogd: error writing pid file (rename stage)"); + } +- free((void*)tmpPidFile); + } ++ + finalize_it: ++ if(tmpPidFile != PidFile) { ++ free((void*)tmpPidFile); ++ } + RETiRet; + } + +-- +2.33.0 + diff --git a/backport-0007-core-fix-potential-misadressing-in-sigmask.patch b/backport-0007-core-fix-potential-misadressing-in-sigmask.patch new file mode 100644 index 0000000000000000000000000000000000000000..c5a1e20725a38bef64427ddaf592a9d3db2970b0 --- /dev/null +++ b/backport-0007-core-fix-potential-misadressing-in-sigmask.patch 
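Review bot: The new cleanup `if(tmpPidFile != PidFile) free((void*)tmpPidFile);` in writePidFile() decides ownership by pointer identity, and nothing in the code says so. It works because `tmpPidFile` is NULL on the `NO_PIDFILE` path (where `free(NULL)` is a no-op), aliases `PidFile` when no temporary name was built, and is otherwise the heap copy. A comment such as `/* tmpPidFile either aliases PidFile (not owned) or is a heap string we must release */` above the check would stop a later edit from breaking that invariant. The lines that assign `tmpPidFile` sit between the two context windows and are not visible here.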
@@ -0,0 +1,27 @@ +From ff0ba8ae6c1510d778a55c483ba9616c7da6a0ef Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Wed, 5 Mar 2025 15:17:56 +0100 +Subject: [PATCH 7/9] core: fix potential misadressing in sigmask + +This code is inside rsyslog for many years w/o any problems, but +during new testing we saw that the signal mask is potentially not +properly initialized. +--- + tools/rsyslogd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c +index 8593b9c..2908cbd 100644 +--- a/tools/rsyslogd.c ++++ b/tools/rsyslogd.c +@@ -2166,6 +2166,7 @@ mainloop(void) + #endif + + do { ++ sigemptyset(&origmask); + pthread_sigmask(SIG_BLOCK, &sigblockset, &origmask); + pthread_mutex_lock(&mutChildDied); + need_free_mutex = 1; +-- +2.33.0 + diff --git a/backport-0008-covscan-remove-defect-type-of-RESOURCE_LEAK.patch b/backport-0008-covscan-remove-defect-type-of-RESOURCE_LEAK.patch new file mode 100644 index 0000000000000000000000000000000000000000..3716baab204613f96cf72fce839daf867e44ff22 --- /dev/null +++ b/backport-0008-covscan-remove-defect-type-of-RESOURCE_LEAK.patch 
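Review bot: The return value of `pthread_sigmask(SIG_BLOCK, &sigblockset, &origmask)` in mainloop() is still ignored after this change. If the call fails, `origmask` now holds the empty set written by the new `sigemptyset()`, and any later restore from it (outside the hunk, not visible) would unblock every signal rather than restore the previous mask. Either check the result or document the intent, e.g. `/* origmask is an output; clear it so it is defined even if pthread_sigmask() fails */`. The `sigemptyset()` call is also repeated on every loop iteration although it only needs to precede the first use.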
@@ -0,0 +1,36 @@ +From 9f52a1fdc8cf8f70ff80c457c0bc98aab4ae2549 Mon Sep 17 00:00:00 2001 +From: alakatos +Date: Thu, 15 Feb 2024 11:03:36 +0100 +Subject: [PATCH 8/9] covscan: remove defect type of RESOURCE_LEAK + +Fix memory leaks when evaluating variable in rainerscript +--- + grammar/rainerscript.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c +index db7edbb..729cbef 100644 +--- a/grammar/rainerscript.c ++++ b/grammar/rainerscript.c +@@ -2938,7 +2938,7 @@ evalVar(struct cnfvar *__restrict__ const var, void *__restrict__ const usrptr, + unsigned short bMustBeFreed = 0; + rsRetVal localRet; + struct json_object *json; +- uchar *cstr; ++ uchar *cstr = NULL; + + if(var->prop.id == PROP_CEE || + var->prop.id == PROP_LOCAL_VAR || +@@ -2957,8 +2957,8 @@ evalVar(struct cnfvar *__restrict__ const var, void *__restrict__ const usrptr, + ret->d.estr = (localRet != RS_RET_OK || cstr == NULL) ? + es_newStr(1) + : es_newStrFromCStr((char*) cstr, strlen((char*) cstr)); +- free(cstr); + } ++ free(cstr); + } else { + ret->datatype = 'S'; + pszProp = (uchar*) MsgGetProp((smsg_t*)usrptr, NULL, &var->prop, &propLen, &bMustBeFreed, NULL); +-- +2.33.0 + diff --git a/backport-0009-Fix-a-buffer-overflow-when-the-argument-to-replace-i.patch b/backport-0009-Fix-a-buffer-overflow-when-the-argument-to-replace-i.patch new file mode 100644 index 0000000000000000000000000000000000000000..8c6aee99094af1c484d9df01ea17eaaf95ea66e9 --- /dev/null +++ b/backport-0009-Fix-a-buffer-overflow-when-the-argument-to-replace-i.patch 
@@ -0,0 +1,67 @@ +From 799e79e03d732d5e088d21b0787e530901165580 Mon Sep 17 00:00:00 2001 +From: Lincoln Ramsay +Date: Thu, 6 Mar 2025 06:26:47 +0800 +Subject: [PATCH 9/9] Fix a buffer overflow when the argument to replace is + empty + +We have these expressions in rsyslogd.conf. + + set $!rsyslog_FileFormat = exec_template("RSYSLOG_FileFormat") + set $!localheader = re_extract($!rsyslog_FileFormat, "[^ ]+.* +port[0-9]", 0, 0, ""); + set $!localpattern = re_extract($!rsyslog_FileFormat, " [^ ]+ +[^ ]+ +port[0-9]", 0, 0, ""); + set $!localheader = replace($!localheader, $!localpattern, " "); + +We have a message like this arriving. + + <30>Feb 24 22:08:21 hostname port03 'label' RXDATA: \n + +It was observed that when 2 of these messages arrive in a row, rsyslogd +crashes. This is clearly due to memory corruption, as the crash comes +from within calloc. + +Unlike the crash, valgrind only complained about the first message. It +reported that the 'find' variable was being accessed in the replace +function, reading past allocated data. + +The localpattern variable ends up "empty" (null?), because the pattern +fails to match. This ends up passed into the replace function as an +es_str_t with a length and buffer length of 0. There is no string data, +not even a null terminator. + +As a result, the 'find' pointer is invalid, and accessing it is an +error. Protect against accessing the 'find' pointer when the buffer is +empty by exiting the two loops when j == lfind and lfind == 0. + +This removes the report from valgrind, and stops rsyslogd from crashing. 
+--- + grammar/rainerscript.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c +index 729cbef..88c47e5 100644 +--- a/grammar/rainerscript.c ++++ b/grammar/rainerscript.c +@@ -1755,6 +1755,7 @@ doFuncReplace(struct svar *__restrict__ const operandVal, struct svar *__restric + if (j == lfind) { + lDst = lDst - lfind + lReplaceWith; + j = 0; ++ if (lfind == 0) break; + } + if (i == lSrc) break; + if (src_buff[i] == find[j]) { +@@ -1770,9 +1771,10 @@ doFuncReplace(struct svar *__restrict__ const operandVal, struct svar *__restric + uint k, s; + for(i = j = s = 0; i <= lSrc; i++, s++) { + if (j == lfind) { +- s -= j; +- for (k = 0; k < lReplaceWith; k++, s++) dest[s] = replaceWith[k]; ++ s -= j; ++ for (k = 0; k < lReplaceWith; k++, s++) dest[s] = replaceWith[k]; + j = 0; ++ if (lfind == 0) break; + } + if (i == lSrc) break; + if (src_buff[i] == find[j]) { +-- +2.33.0 + diff --git a/rsyslog.spec b/rsyslog.spec index f10027ad5ea5114363883fe3fcd5051c947b6354..999908360c3e01424254d64e2c6db44569fcfdb2 100644 --- a/rsyslog.spec +++ b/rsyslog.spec @@ -7,7 +7,7 @@ Name: rsyslog Version: 8.2312.0 -Release: 7 +Release: 8 Summary: The rocket-fast system for log processing License: (GPLv3+ and ASL 2.0) URL: http://www.rsyslog.com/ 
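Review bot: With an empty `find`, the added `if (lfind == 0) break;` leaves both loops of doFuncReplace() on their first iteration, after the replacement has been counted and copied but before any byte of `src_buff` is. As far as the visible lines show, `replace(s, "", r)` therefore yields just `r` and drops the source string. In the configuration quoted in the commit message this silently turns `$!localheader` into a single space. That stops the out-of-bounds read of `find`, but it alters log content in a way an operator is unlikely to expect. Returning the source unchanged when `lfind == 0`, through an early guard before the first loop, would be the less surprising contract; whichever behaviour is chosen, a comment at the guard should state it. The allocation of `dest` and the code after the second loop are outside the hunk.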
@@ -44,6 +44,15 @@ Patch6008: backport-Fix-runConf-NULL-pointer-refence.patch Patch6009: backport-rainerscript-do-not-try-to-call-a-function-if-it-doe.patch Patch6010: backport-nsd_ptcp-regression-fix-remove-debugging-messages-em.patch Patch6011: backport-Fix-legacy-ActionQueueDiscardMark-parameter.patch +Patch6012: backport-0001-gnutls-bugfix-Avoid-blocking-sockets-during-TLS-hand.patch +Patch6013: backport-0002-gnutls-bugfix-Add-timeout-to-GnuTLS-handshake.patch +Patch6014: backport-0003-core-fix-potential-NULL-ptr-access-on-HUP-in-very-ea.patch +Patch6015: backport-0004-omfwd-fix-segfault-in-UDP-freeaddrinfo.patch +Patch6016: backport-0005-gnutls-TLS-driver-fix-small-memory-leak.patch +Patch6017: backport-0006-rsyslog-startup-bugfix-cosmetic-memory-leak.patch +Patch6018: backport-0007-core-fix-potential-misadressing-in-sigmask.patch +Patch6019: backport-0008-covscan-remove-defect-type-of-RESOURCE_LEAK.patch +Patch6020: backport-0009-Fix-a-buffer-overflow-when-the-argument-to-replace-i.patch BuildRequires: gcc autoconf automake bison dos2unix flex pkgconfig python3-docutils libtool BuildRequires: libgcrypt-devel libuuid-devel zlib-devel krb5-devel libnet-devel gnutls-devel @@ -520,6 +529,20 @@ done %{_mandir}/man1/rscryutil.1.gz %changelog +* Mon Aug 4 2025 zhangqiumiao - 8.2312.0-8 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:gnutls bugfix: Avoid blocking sockets during TLS handshake + gnutls bugfix: Add timeout to GnuTLS handshake + core: fix potential NULL ptr access on HUP in very early startup phase + omfwd: fix segfault in UDP freeaddrinfo + gnutls TLS driver: fix small memory leak + rsyslog startup bugfix: cosmetic memory leak + core: fix potential misadressing in sigmask + covscan: remove defect type of RESOURCE_LEAK + Fix a buffer overflow when the argument to replace is empty + * Sat Dec 21 2024 zhangqiumiao - 8.2312.0-7 - Type:bugfix - ID:NA