Hello community, here is the log from the commit of package rsyslog for openSUSE:11.1 checked in at Wed Dec 17 16:57:51 CET 2008. -------- --- old-versions/11.1/all/rsyslog/rsyslog.changes 2008-09-10 15:11:11.000000000 +0200 +++ /mounts/work_src_done/11.1/rsyslog/rsyslog.changes 2008-12-15 14:51:15.000000000 +0100 @@ -1,0 +2,8 @@ +Mon Dec 15 14:51:08 CET 2008 - mt@suse.de + +- Security fix to honor $AllowedSender settings (bnc#457273). +- Security fix [DoS] from 3.20.2 to emit a discard message every + minute only (when DisallowWarning enabled) instead of every time; + this prevernts an attacker can fill the disk (bnc#457273). + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.1/all/rsyslog Destination is old-versions/11.1/UPDATES/all/rsyslog calling whatdependson for 11.1-i586 New: ---- rsyslog-3.18.3-honor-AllowedSender.bnc457273.dif rsyslog-3.18.3-imudp-discard-msg-DoS.bnc457273.dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rsyslog.spec ++++++ --- /var/tmp/diff_new_pack.C21271/_old 2008-12-17 16:57:38.000000000 +0100 +++ /var/tmp/diff_new_pack.C21271/_new 2008-12-17 16:57:38.000000000 +0100 @@ -23,7 +23,7 @@ %define rsyslog_docdir %{_docdir}/%{name} %define install_all_modules_in_lib 0 Version: 3.18.3 -Release: 4 +Release: 4.32.1 License: GPL v3 or later Group: System/Daemons Summary: Rsyslog, the enhanced syslogd for Linux and Unix @@ -36,6 +36,8 @@ Source4: rsyslog.d.remote.conf.in Patch0: %{name}-%{upstream_version}.dif Patch1: %{name}-%{upstream_version}-moddirs.dif +Patch2: %{name}-%{upstream_version}-honor-AllowedSender.bnc457273.dif +Patch3: %{name}-%{upstream_version}-imudp-discard-msg-DoS.bnc457273.dif AutoReqProv: on PreReq: %insserv_prereq %fillup_prereq /sbin/klogd /etc/init.d/syslog /sbin/checkproc Provides: syslog 
@@ -167,6 +169,8 @@ dos2unix doc/*.html %patch0 -p0 %patch1 -p0 +%patch2 -p0 +%patch3 -p0 %build export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -W -Wall" @@ -442,6 +446,11 @@ %endif %changelog +* Mon Dec 15 2008 mt@suse.de +- Security fix to honor $AllowedSender settings (bnc#457273). +- Security fix [DoS] from 3.20.2 to emit a discard message every + minute only (when DisallowWarning enabled) instead of every time; + this prevernts an attacker can fill the disk (bnc#457273). * Wed Sep 10 2008 schwab@suse.de - Run autoreconf. * Tue Sep 09 2008 mt@suse.de ++++++ rsyslog-3.18.3-honor-AllowedSender.bnc457273.dif ++++++ --- net.c +++ net.c 2008/12/15 12:01:28 @@ -80,6 +80,31 @@ int ACLAddHostnameOnFail = 0; /* add hostname to acl when DNS resolving has failed */ int ACLDontResolve = 0; /* add hostname to acl instead of resolving it to IP(s) */ +/* sets the correct allow root pointer based on provided type + * rgerhards, 2008-12-01 + */ +static inline rsRetVal +setAllowRoot(struct AllowedSenders **ppAllowRoot, uchar *pszType) +{ + DEFiRet; + + if(!strcmp((char*)pszType, "UDP")) + *ppAllowRoot = pAllowedSenders_UDP; + else if(!strcmp((char*)pszType, "TCP")) + *ppAllowRoot = pAllowedSenders_TCP; +#ifdef USE_GSSAPI + else if(!strcmp((char*)pszType, "GSS")) + *ppAllowRoot = pAllowedSenders_GSS; +#endif + else { + dbgprintf("program error: invalid allowed sender ID '%s', denying...\n", pszType); + ABORT_FINALIZE(RS_RET_CODE_ERR); /* everything is invalid for an invalid type */ + } + +finalize_it: + RETiRet; +} + /* Code for handling allowed/disallowed senders */ static inline void MaskIP6 (struct in6_addr *addr, uint8_t bits) { 
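Review bot: The header comment on `setAllowRoot` in net.c leaves two things undocumented that its callers depend on: on the error path `*ppAllowRoot` is never assigned, and a successful call can still yield a NULL root. Elsewhere in this patch `isAllowedSender` declares `pAllowRoot` without an initializer and treats a NULL root as "checking disabled, everything is valid", so a caller that skips the return-value check would either read an uninitialised pointer or allow every sender. I would extend the comment with `* On error *ppAllowRoot is left untouched; callers must check the return value before using it.` and `* A NULL root on success means no ACL is configured for that type.` The invalid-type case is also reported only through `dbgprintf`, so outside debug mode it would presumably be a silent deny.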
@@ -143,24 +168,28 @@ } /* function to clear the allowed sender structure in cases where - * it must be freed (occurs most often when HUPed. - * TODO: reconsider recursive implementation - * I think there is also a memory leak, because only the last entry - * is acutally deleted... -- rgerhards, 2007-12-25 + * it must be freed (occurs most often when HUPed). + * rgerhards, 2008-12-02: revamped this code when we fixed the + * interface definition. Now an iterative algorithm is used. */ -void clearAllowedSenders (struct AllowedSenders *pAllow) +static void +clearAllowedSenders(uchar *pszType) { - if (pAllow != NULL) { - if (pAllow->pNext != NULL) - clearAllowedSenders (pAllow->pNext); - else { - if (F_ISSET(pAllow->allowedSender.flags, ADDR_NAME)) - free (pAllow->allowedSender.addr.HostWildcard); - else - free (pAllow->allowedSender.addr.NetAddr); - - free (pAllow); - } + struct AllowedSenders *pPrev; + struct AllowedSenders *pCurr; + + if(setAllowRoot(&pCurr, pszType) != RS_RET_OK) + return; /* if something went wrong, so let's leave */ + + while(pCurr != NULL) { + pPrev = pCurr; + pCurr = pCurr->pNext; + /* now delete the entry we are right now processing */ + if(F_ISSET(pPrev->allowedSender.flags, ADDR_NAME)) + free(pPrev->allowedSender.addr.HostWildcard); + else + free(pPrev->allowedSender.addr.NetAddr); + free(pPrev); } } 
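Review bot: `clearAllowedSenders` frees every entry through the local copy `pCurr`, but the root that `setAllowRoot` copied from (`pAllowedSenders_UDP`, `pAllowedSenders_TCP` or `pAllowedSenders_GSS`) is never reset, so after the loop it still points at freed memory. The afterRun hunks for imgssapi.c, imtcp.c and imudp.c in this same patch drop the `net.pAllowedSenders_* = NULL` assignments that used to follow the call, so nothing visible clears it any more. A later `isAllowedSender` for that type would walk the freed list, and a second clear of the same type (imgssapi.c and imtcp.c both clear "TCP") would free it again. The function should reset the selected root after the loop, as sketched below. If net.c keeps other pointers into these lists outside this hunk, they need the same treatment.

```c
static void
clearAllowedSenders(uchar *pszType)
{
	/* ... unchanged: setAllowRoot() lookup and the free loop ... */

	/* the list is gone; the root must not keep pointing at freed entries */
	if(!strcmp((char*)pszType, "UDP"))
		pAllowedSenders_UDP = NULL;
	else if(!strcmp((char*)pszType, "TCP"))
		pAllowedSenders_TCP = NULL;
#ifdef USE_GSSAPI
	else if(!strcmp((char*)pszType, "GSS"))
		pAllowedSenders_GSS = NULL;
#endif
}
```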
@@ -545,12 +574,16 @@ * returns 1, if the sender is allowed, 0 otherwise. * rgerhards, 2005-09-26 */ -static int isAllowedSender(struct AllowedSenders *pAllowRoot, struct sockaddr *pFrom, const char *pszFromHost) +static int isAllowedSender(uchar *pszType, struct sockaddr *pFrom, const char *pszFromHost) { struct AllowedSenders *pAllow; - + struct AllowedSenders *pAllowRoot; + assert(pFrom != NULL); + if(setAllowRoot(&pAllowRoot, pszType) != RS_RET_OK) + return 0; /* if something went wrong, we denie access - that's the better choice... */ + if(pAllowRoot == NULL) return 1; /* checking disabled, everything is valid! */ --- net.h +++ net.h 2008/12/15 12:02:00 @@ -92,19 +92,16 @@ /* things to go away after proper modularization */ rsRetVal (*addAllowedSenderLine)(char* pName, uchar** ppRestOfConfLine); void (*PrintAllowedSenders)(int iListToPrint); - void (*clearAllowedSenders) (); + void (*clearAllowedSenders)(uchar *pszType); void (*debugListenInfo)(int fd, char *type); int *(*create_udp_socket)(uchar *hostname, uchar *LogPort, int bIsServer); void (*closeUDPListenSockets)(int *finet); - int (*isAllowedSender)(struct AllowedSenders *pAllowRoot, struct sockaddr *pFrom, const char *pszFromHost); + int (*isAllowedSender)(uchar *pszType, struct sockaddr *pFrom, const char *pszFromHost); rsRetVal (*getLocalHostname)(uchar**); int (*should_use_so_bsdcompat)(void); /* data memebers - these should go away over time... TODO */ int *pACLAddHostnameOnFail; /* add hostname to acl when DNS resolving has failed */ int *pACLDontResolve; /* add hostname to acl instead of resolving it to IP(s) */ - struct AllowedSenders *pAllowedSenders_UDP; - struct AllowedSenders *pAllowedSenders_TCP; - struct AllowedSenders *pAllowedSenders_GSS; ENDinterface(net) #define netCURR_IF_VERSION 2 /* increment whenever you change the interface structure! */ --- plugins/imgssapi/imgssapi.c +++ plugins/imgssapi/imgssapi.c 2008/12/15 12:08:07 
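Review bot: The new `pszType` parameter of `isAllowedSender` is declared `uchar *` although it is only handed to `setAllowRoot`, which just compares it with `strcmp`, and every caller in this patch passes a cast string literal such as `(uchar*)"TCP"`. Declaring it `const uchar *pszType` here, in `setAllowRoot`, in `clearAllowedSenders` and in the two net.h function pointers would state that read-only contract. The comment block above the function (it starts outside this hunk) could also name the accepted values, for example `* pszType selects the ACL: "UDP", "TCP" or "GSS"; an unknown type is denied.`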
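Review bot: `netCURR_IF_VERSION` stays at 2 in the net.h hunk although the interface structure changes: `clearAllowedSenders` and `isAllowedSender` get a different first parameter and the three `pAllowedSenders_*` members are removed. The comment on that same line asks for an increment on every interface change, and without one a module built against the old layout would presumably still load and pass a `struct AllowedSenders *` where a type string is now expected. I would bump it, `#define netCURR_IF_VERSION 3`, unless the packaging guarantees that every plugin is rebuilt together with this patch. The interface definition begins outside the hunk.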
@@ -172,10 +172,10 @@ pGSess = (gss_sess_t*) pUsrSess; if((pGSrv->allowedMethods & ALLOWEDMETHOD_TCP) && - net.isAllowedSender(net.pAllowedSenders_TCP, addr, (char*)fromHostFQDN)) + net.isAllowedSender((uchar*)"TCP", addr, (char*)fromHostFQDN)) allowedMethods |= ALLOWEDMETHOD_TCP; if((pGSrv->allowedMethods & ALLOWEDMETHOD_GSS) && - net.isAllowedSender(net.pAllowedSenders_GSS, addr, (char*)fromHostFQDN)) + net.isAllowedSender((uchar*)"GSS", addr, (char*)fromHostFQDN)) allowedMethods |= ALLOWEDMETHOD_GSS; if(allowedMethods && pGSess != NULL) pGSess->allowedMethods = allowedMethods; @@ -645,14 +645,8 @@ BEGINafterRun CODESTARTafterRun /* do cleanup here */ - if (net.pAllowedSenders_TCP != NULL) { - net.clearAllowedSenders (net.pAllowedSenders_TCP); - net.pAllowedSenders_TCP = NULL; - } - if (net.pAllowedSenders_GSS != NULL) { - net.clearAllowedSenders (net.pAllowedSenders_GSS); - net.pAllowedSenders_GSS = NULL; - } + net.clearAllowedSenders((uchar*)"TCP"); + net.clearAllowedSenders((uchar*)"GSS"); ENDafterRun --- plugins/imrelp/imrelp.c +++ plugins/imrelp/imrelp.c 2008/12/15 11:20:57 @@ -64,7 +64,7 @@ isPermittedHost(struct sockaddr *addr, char *fromHostFQDN, void __attribute__((unused)) *pUsrSrv, void __attribute__((unused)) *pUsrSess) { - return net.isAllowedSender(net.pAllowedSenders_TCP, addr, fromHostFQDN); + return net.isAllowedSender((uchar*) "TCP", addr, fromHostFQDN); } #endif // #if 0 @@ -135,10 +135,7 @@ CODESTARTafterRun /* do cleanup here */ #if 0 - if(net.pAllowedSenders_TCP != NULL) { - net.clearAllowedSenders(net.pAllowedSenders_TCP); - net.pAllowedSenders_TCP = NULL; - } + net.clearAllowedSenders((uchar*)"TCP"); #endif ENDafterRun --- plugins/imtcp/imtcp.c +++ plugins/imtcp/imtcp.c 2008/12/15 12:08:36 
@@ -66,7 +66,7 @@ isPermittedHost(struct sockaddr *addr, char *fromHostFQDN, void __attribute__((unused)) *pUsrSrv, void __attribute__((unused)) *pUsrSess) { - return net.isAllowedSender(net.pAllowedSenders_TCP, addr, fromHostFQDN); + return net.isAllowedSender((uchar*)"TCP", addr, fromHostFQDN); } @@ -158,10 +158,7 @@ BEGINafterRun CODESTARTafterRun /* do cleanup here */ - if(net.pAllowedSenders_TCP != NULL) { - net.clearAllowedSenders(net.pAllowedSenders_TCP); - net.pAllowedSenders_TCP = NULL; - } + net.clearAllowedSenders((uchar*)"TCP"); ENDafterRun --- plugins/imudp/imudp.c +++ plugins/imudp/imudp.c 2008/12/15 12:09:02 @@ -189,7 +189,7 @@ * configured to do this). * rgerhards, 2005-09-26 */ - if(net.isAllowedSender(net.pAllowedSenders_UDP, + if(net.isAllowedSender((uchar*)"UDP", (struct sockaddr *)&frominet, (char*)fromHostFQDN)) { parseAndSubmitMessage((char*)fromHost, (char*) pRcvBuf, l, MSG_PARSE_HOSTNAME, NOFLAG, eFLOWCTL_NO_DELAY); @@ -238,10 +238,7 @@ BEGINafterRun CODESTARTafterRun /* do cleanup here */ - if (net.pAllowedSenders_UDP != NULL) { - net.clearAllowedSenders (net.pAllowedSenders_UDP); - net.pAllowedSenders_UDP = NULL; - } + net.clearAllowedSenders((uchar*)"UDP"); if(udpLstnSocks != NULL) net.closeUDPListenSockets(udpLstnSocks); if(pRcvBuf != NULL) --- rsyslog.h +++ rsyslog.h 2008/12/15 12:13:12 @@ -172,6 +172,7 @@ RS_RET_MAIL_NO_TO = -2071, /**< recipient for mail destination is missing */ RS_RET_MAIL_NO_FROM = -2072, /**< sender for mail destination is missing */ RS_RET_INVALID_PRI = -2073, /**< PRI value is invalid */ + RS_RET_CODE_ERR = -2109, /**< program code (internal) error */ /* RainerScript error messages (range 1000.. 1999) */ RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */ ++++++ rsyslog-3.18.3-imudp-discard-msg-DoS.bnc457273.dif ++++++ --- plugins/imudp/imudp.c +++ plugins/imudp/imudp.c 2008/12/15 13:43:31 
@@ -49,6 +49,10 @@ DEFobjCurrIf(errmsg) DEFobjCurrIf(net) +static time_t ttLastDiscard = 0; /* timestamp when a message from a non-permitted sender was last discarded + * This shall prevent remote DoS when the "discard on disallowed sender" + * message is configured to be logged on occurance of such a case. + */ static int *udpLstnSocks = NULL; /* Internet datagram sockets, first element is nbr of elements * read-only after init(), but beware of restart! */ static uchar *pszBindAddr = NULL; /* IP to bind socket to */ @@ -196,8 +200,15 @@ } else { dbgprintf("%s is not an allowed sender\n", (char*)fromHostFQDN); if(option_DisallowWarning) { - errmsg.LogError(NO_ERRCODE, "UDP message from disallowed sender %s discarded", + time_t tt; + + time(&tt); + if(tt > ttLastDiscard + 60) { + ttLastDiscard = tt; + errmsg.LogError(NO_ERRCODE, + "UDP message from disallowed sender %s discarded", (char*)fromHost); + } } } } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
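Review bot: The throttle in the `option_DisallowWarning` branch of imudp.c is a single global timestamp, so one noisy source silences the warning for every other disallowed sender during that minute, and nothing records how many datagrams were dropped unlogged. For anyone reading the log afterwards, that hides both the scale of a flood and the other sources involved. The comparison `tt > ttLastDiscard + 60` also stays false after the clock is stepped backwards, until the clock catches up again. A counter of suppressed discards reported with the next warning, plus a check for `tt < ttLastDiscard`, would keep the disk-fill protection while preserving that signal; the sketch changes the message text, which log parsers may match on, and assumes `errmsg.LogError` accepts `%u`. The enclosing receive function starts and ends outside the hunk.

```c
static unsigned nDiscardSuppressed = 0; /* discards not logged since the last warning */

/* ... unchanged: receive path up to time(&tt) in the option_DisallowWarning branch ... */
				time(&tt);
				/* a clock stepped backwards must not mute the warning */
				if(tt > ttLastDiscard + 60 || tt < ttLastDiscard) {
					ttLastDiscard = tt;
					errmsg.LogError(NO_ERRCODE,
						"UDP message from disallowed sender %s discarded "
						"(%u further discards not logged)",
						(char*)fromHost, nDiscardSuppressed);
					nDiscardSuppressed = 0;
				} else {
					++nDiscardSuppressed;
				}
```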