From 2eaa3fd064097eb221b56d5df0e7136ba705a0cd Mon Sep 17 00:00:00 2001 
From: Andrii Davydenko Date: Wed, 14 Dec 2022 12:08:42 +0200 Subject: CVE Packages Update Move libfastjson to the rsyslog directory rsyslog 8.2002.0 -> 8.2206.0 add ntp4.2.8 recipe with fixed CVEs update cryptsetup to 2.4.3 fix libxml2 CVE-2016-3709 curl 7.75.0 -> 7.86.0 strongswan 5.8.4 -> 5.9.8 libmodbus 3.1.6 -> 3.1.7 libesmtp 1.0.6 -> 1.1.0 cifs-utils 6.1 -> 7.0 update libtirpc to version 1.3.3 update rsync to version 3.2.5 Add zlib 1.2.13 upgrade gnutls to 3.7.8 upgrade openssh to 8.9p1 Add cmake 3.24.2 and cmake-native 3.24.2 to avoid loop dependencies building expat Add expat 2.5.0 to fix CVE-2022-40674 and CVE-2022-43680 openvpn 2.4.9 -> 2.4.12 hostapd 2.9 -> 2.10 [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Openssh 8.9p1 no longer needed, because all necessary CVE fixes, backports and whitelists are present for current Openssh 8.4p1. There are no new CVE's in report. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patches for python3 component. Need to remove after upgrading Yocto to version more than 3.1.21. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patch for sudo component. Added 2 CVE's to whitelist for OpenVPN component.
--- .../libfastjson/libfastjson/CVE-2020-12762.patch | 80 -------- .../libfastjson/libfastjson_%.bbappend | 5 - recipes-extended/libtirpc/libtirpc_1.3.3.bb | 28 +++ .../rsyslog/libfastjson/CVE-2020-12762.patch | 80 ++++++++ recipes-extended/rsyslog/libfastjson_%.bbappend | 5 + recipes-extended/rsyslog/libfastjson_0.99.9.bb | 15 ++ recipes-extended/rsyslog/librelp_1.10.0.bb | 18 ++ .../rsyslog/rsyslog/0001-Include-sys-time-h.patch | 32 ++++ .../0001-tests-disable-the-check-for-inotify.patch | 46 +++++ recipes-extended/rsyslog/rsyslog/initscript | 118 ++++++++++++ recipes-extended/rsyslog/rsyslog/rsyslog.conf | 91 +++++++++ recipes-extended/rsyslog/rsyslog/rsyslog.logrotate | 39 ++++ recipes-extended/rsyslog/rsyslog/rsyslog.service | 21 +++ recipes-extended/rsyslog/rsyslog/run-ptest | 12 ++ .../rsyslog/use-pkgconfig-to-check-libgcrypt.patch | 43 +++++ recipes-extended/rsyslog/rsyslog_8.2206.0.bb | 204 +++++++++++++++++++++ recipes-extended/sudo/files/CVE-2022-43995.patch | 59 ++++++ recipes-extended/sudo/sudo_1.9.5p2.bb | 1 + 18 files changed, 812 insertions(+), 85 deletions(-) delete mode 100644 recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch delete mode 100644 recipes-extended/libfastjson/libfastjson_%.bbappend create mode 100644 recipes-extended/libtirpc/libtirpc_1.3.3.bb create mode 100644 recipes-extended/rsyslog/libfastjson/CVE-2020-12762.patch create mode 100644 recipes-extended/rsyslog/libfastjson_%.bbappend create mode 100644 recipes-extended/rsyslog/libfastjson_0.99.9.bb create mode 100644 recipes-extended/rsyslog/librelp_1.10.0.bb create mode 100644 recipes-extended/rsyslog/rsyslog/0001-Include-sys-time-h.patch create mode 100644 recipes-extended/rsyslog/rsyslog/0001-tests-disable-the-check-for-inotify.patch create mode 100644 recipes-extended/rsyslog/rsyslog/initscript create mode 100644 recipes-extended/rsyslog/rsyslog/rsyslog.conf create mode 100644 recipes-extended/rsyslog/rsyslog/rsyslog.logrotate create mode 100644 
recipes-extended/rsyslog/rsyslog/rsyslog.service create mode 100644 recipes-extended/rsyslog/rsyslog/run-ptest create mode 100644 recipes-extended/rsyslog/rsyslog/use-pkgconfig-to-check-libgcrypt.patch create mode 100644 recipes-extended/rsyslog/rsyslog_8.2206.0.bb create mode 100644 recipes-extended/sudo/files/CVE-2022-43995.patch (limited to 'recipes-extended') diff --git a/recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch b/recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch deleted file mode 100644 index 84e8206..0000000 --- a/recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From 73d5726b116e89d1e756419ceea5ed071d211642 Mon Sep 17 00:00:00 2001 -From: "mykola.salomatin" -Date: Tue, 2 Mar 2021 13:22:21 +0200 -Subject: [PATCH] Fix integer overflows - -This commit is a backport of the following commit in json-c: - * d07b91014986900a3a75f306d302e13e005e9d67 - -In component json-c, several files were affected: - * linkhash.c - * arraylist.c - * printbuf.c - -In the current version of the libfastjson (0.99.8): - * linkhash.c was removed, - * arraylist.c doesn't have a necessary function for patching, - * printbuf.c is patched manually in current patch. - ---- -CVE: CVE-2020-12762 -Signed-off-by: Mykola Salomatin - - printbuf.c | 20 +++++++++++++++++--- - 1 file changed, 17 insertions(+), 3 deletions(-) - -diff --git a/printbuf.c b/printbuf.c -index cc0f0d2..97e3ddd 100644 ---- a/printbuf.c -+++ b/printbuf.c -@@ -13,6 +13,7 @@ - - #include "config.h" - -+#include - #include - #include - #include -@@ -68,9 +69,16 @@ static int printbuf_extend(struct printbuf *p, int min_size) - if (p->size >= min_size) - return 0; - -- new_size = p->size * 2; -- if (new_size < min_size + 8) -- new_size = min_size + 8; -+ /* Prevent signed integer overflows with large buffers. */ -+ if (min_size > INT_MAX - 8) -+ return -1; -+ if (p->size > INT_MAX / 2) -+ new_size = min_size + 8; -+ else { -+ new_size = p->size * 2; -+ if (new_size < min_size + 8) -+ new_size = min_size + 8; -+ } - #ifdef PRINTBUF_DEBUG - MC_DEBUG("printbuf_memappend: realloc " - "bpos=%d min_size=%d old_size=%d new_size=%d\n", -@@ -85,6 +93,9 @@ static int printbuf_extend(struct printbuf *p, int min_size) - - int printbuf_memappend(struct printbuf *p, const char *buf, int size) - { -+ /* Prevent signed integer overflows with large buffers. 
*/ -+ if (size > INT_MAX - p->bpos - 1) -+ return -1; - if (p->size <= p->bpos + size + 1) { - if (printbuf_extend(p, p->bpos + size + 1) < 0) - return -1; -@@ -136,6 +147,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len) - - if (offset == -1) - offset = pb->bpos; -+ /* Prevent signed integer overflows with large buffers. */ -+ if (len > INT_MAX - offset) -+ return -1; - size_needed = offset + len; - if (pb->size < size_needed) - { --- -2.7.4 - diff --git a/recipes-extended/libfastjson/libfastjson_%.bbappend b/recipes-extended/libfastjson/libfastjson_%.bbappend deleted file mode 100644 index 103c92e..0000000 --- a/recipes-extended/libfastjson/libfastjson_%.bbappend +++ /dev/null @@ -1,5 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -PR.=".mlinux1" - -SRC_URI += "file://CVE-2020-12762.patch" diff --git a/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/recipes-extended/libtirpc/libtirpc_1.3.3.bb new file mode 100644 index 0000000..8c6c207 --- /dev/null +++ b/recipes-extended/libtirpc/libtirpc_1.3.3.bb 
@@ -0,0 +1,28 @@
+SUMMARY = "Transport-Independent RPC library"
+DESCRIPTION = "Libtirpc is a port of Suns Transport-Independent RPC library to Linux"
+SECTION = "libs/network"
+HOMEPAGE = "http://sourceforge.net/projects/libtirpc/"
+BUGTRACKER = "http://sourceforge.net/tracker/?group_id=183075&atid=903784"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=f835cce8852481e4b2bbbdd23b5e47f3 \
+ file://src/netname.c;beginline=1;endline=27;md5=f8a8cd2cb25ac5aa16767364fb0e3c24"
+
+PROVIDES = "virtual/librpc"
+
+SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2"
+UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
+UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)/"
+SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
+
+# Was fixed in 1.3.3rc1 so not present in 1.3.3
+CVE_CHECK_IGNORE += "CVE-2021-46828"
+
+inherit autotools pkgconfig
+
+EXTRA_OECONF = "--disable-gssapi"
+
+do_install:append() {
+ chown root:root ${D}${sysconfdir}/netconfig
+}
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/recipes-extended/rsyslog/libfastjson/CVE-2020-12762.patch b/recipes-extended/rsyslog/libfastjson/CVE-2020-12762.patch
new file mode 100644
index 0000000..84e8206
--- /dev/null
+++ b/recipes-extended/rsyslog/libfastjson/CVE-2020-12762.patch
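Review bot: `do_install:append()` and `CVE_CHECK_IGNORE` in this new recipe use the colon override syntax and the newer cve-check variable, while the rsyslog recipe added in the same commit uses `do_install_append()`, `SRC_URI_append_libc-musl` and `FILES_${PN}`, and the commit message says the layer is on Yocto 3.1.21; whichever bitbake release the layer targets, one of the two forms will be ignored or rejected rather than applied. On a 3.1-era bitbake I believe `do_install:append` is not treated as an override of do_install and cve-check reads `CVE_CHECK_WHITELIST`, so the netconfig chown would not run and CVE-2021-46828 would keep being reported. Pick the layer's syntax consistently; for a dunfell build that is `do_install_append() {` and `CVE_CHECK_WHITELIST += "CVE-2021-46828"`. Please also confirm the `# Was fixed in 1.3.3rc1` claim against the upstream changelog before suppressing the finding.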
@@ -0,0 +1,80 @@ +From 73d5726b116e89d1e756419ceea5ed071d211642 Mon Sep 17 00:00:00 2001 +From: "mykola.salomatin" +Date: Tue, 2 Mar 2021 13:22:21 +0200 +Subject: [PATCH] Fix integer overflows + +This commit is a backport of the following commit in json-c: + * d07b91014986900a3a75f306d302e13e005e9d67 + +In component json-c, several files were affected: + * linkhash.c + * arraylist.c + * printbuf.c + +In the current version of the libfastjson (0.99.8): + * linkhash.c was removed, + * arraylist.c doesn't have a necessary function for patching, + * printbuf.c is patched manually in current patch. + +--- +CVE: CVE-2020-12762 +Signed-off-by: Mykola Salomatin + + printbuf.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/printbuf.c b/printbuf.c +index cc0f0d2..97e3ddd 100644 +--- a/printbuf.c ++++ b/printbuf.c +@@ -13,6 +13,7 @@ + + #include "config.h" + ++#include + #include + #include + #include +@@ -68,9 +69,16 @@ static int printbuf_extend(struct printbuf *p, int min_size) + if (p->size >= min_size) + return 0; + +- new_size = p->size * 2; +- if (new_size < min_size + 8) +- new_size = min_size + 8; ++ /* Prevent signed integer overflows with large buffers. */ ++ if (min_size > INT_MAX - 8) ++ return -1; ++ if (p->size > INT_MAX / 2) ++ new_size = min_size + 8; ++ else { ++ new_size = p->size * 2; ++ if (new_size < min_size + 8) ++ new_size = min_size + 8; ++ } + #ifdef PRINTBUF_DEBUG + MC_DEBUG("printbuf_memappend: realloc " + "bpos=%d min_size=%d old_size=%d new_size=%d\n", +@@ -85,6 +93,9 @@ static int printbuf_extend(struct printbuf *p, int min_size) + + int printbuf_memappend(struct printbuf *p, const char *buf, int size) + { ++ /* Prevent signed integer overflows with large buffers. 
*/ ++ if (size > INT_MAX - p->bpos - 1) ++ return -1; + if (p->size <= p->bpos + size + 1) { + if (printbuf_extend(p, p->bpos + size + 1) < 0) + return -1; +@@ -136,6 +147,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len) + + if (offset == -1) + offset = pb->bpos; ++ /* Prevent signed integer overflows with large buffers. */ ++ if (len > INT_MAX - offset) ++ return -1; + size_needed = offset + len; + if (pb->size < size_needed) + { +-- +2.7.4 + diff --git a/recipes-extended/rsyslog/libfastjson_%.bbappend b/recipes-extended/rsyslog/libfastjson_%.bbappend new file mode 100644 index 0000000..103c92e --- /dev/null +++ b/recipes-extended/rsyslog/libfastjson_%.bbappend @@ -0,0 +1,5 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +PR.=".mlinux1" + +SRC_URI += "file://CVE-2020-12762.patch" diff --git a/recipes-extended/rsyslog/libfastjson_0.99.9.bb b/recipes-extended/rsyslog/libfastjson_0.99.9.bb new file mode 100644 index 0000000..24ad172 --- /dev/null +++ b/recipes-extended/rsyslog/libfastjson_0.99.9.bb @@ -0,0 +1,15 @@ +SUMMARY = "A fork of json-c library" +HOMEPAGE = "https://github.com/rsyslog/libfastjson" + +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://COPYING;md5=a958bb07122368f3e1d9b2efe07d231f" + +DEPENDS = "" + +SRC_URI = "git://github.com/rsyslog/libfastjson.git;protocol=https;branch=master" + +SRCREV = "0293afb3913f760c449348551cca4d2df59c1a00" + +S = "${WORKDIR}/git" + +inherit autotools diff --git a/recipes-extended/rsyslog/librelp_1.10.0.bb b/recipes-extended/rsyslog/librelp_1.10.0.bb new file mode 100644 index 0000000..acdbbb7 --- /dev/null +++ b/recipes-extended/rsyslog/librelp_1.10.0.bb 
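Review bot: `libfastjson_%.bbappend` still applies `CVE-2020-12762.patch` to every libfastjson version, and the patch's own header says it was hand-adapted to 0.99.8 (`In the current version of the libfastjson (0.99.8)`), while the new recipe pins 0.99.9 at SRCREV `0293afb3913f760c449348551cca4d2df59c1a00`. If the pinned tree already carries the upstream integer-overflow fix, as I believe 0.99.9 does, the patch will either fail to apply or double-guard the same checks in printbuf.c; please confirm against the pinned sources and then either drop the bbappend or narrow it to the version it was written for, e.g. rename it to `libfastjson_0.99.8.bbappend`. A comment in the 0.99.9 recipe naming the tag the SRCREV corresponds to would also make the `branch=master` fetch easier to audit later.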
@@ -0,0 +1,18 @@ +SUMMARY = "A reliable logging library" +HOMEPAGE = "https://github.com/rsyslog/librelp" + +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=1fb9c10ed9fd6826757615455ca893a9" + +DEPENDS = "gmp nettle libidn zlib gnutls openssl" + +SRC_URI = "git://github.com/rsyslog/librelp.git;protocol=https;branch=stable \ +" + +SRCREV = "9e749453d51d602d8159717f8a7c27971dcb4c6c" + +S = "${WORKDIR}/git" + +inherit autotools pkgconfig + +CPPFLAGS += "-Wno-error" diff --git a/recipes-extended/rsyslog/rsyslog/0001-Include-sys-time-h.patch b/recipes-extended/rsyslog/rsyslog/0001-Include-sys-time-h.patch new file mode 100644 index 0000000..6ce8b7a --- /dev/null +++ b/recipes-extended/rsyslog/rsyslog/0001-Include-sys-time-h.patch @@ -0,0 +1,32 @@ +From 7baf35b88d742032a2dc456c396843e17e866f8e Mon Sep 17 00:00:00 2001 +From: Ming Liu +Date: Wed, 27 Jun 2018 14:04:57 +0800 +Subject: [PATCH] Include sys/time.h + +struct timeval is defined in sys/time.h with a musl libc. + +Upstream-Status: Inappropriate [musl libc specific] + +Signed-off-by: Ming Liu +Signed-off-by: Changqing Li +--- + tests/msleep.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/tests/msleep.c b/tests/msleep.c +index 98dbece..96f6950 100644 +--- a/tests/msleep.c ++++ b/tests/msleep.c +@@ -26,11 +26,7 @@ + #include "config.h" + #include + #include +-#if defined(__FreeBSD__) + #include +-#else +-#include +-#endif + #if defined(HAVE_SYS_SELECT_H) + #include + #endif +2.7.4 diff --git a/recipes-extended/rsyslog/rsyslog/0001-tests-disable-the-check-for-inotify.patch b/recipes-extended/rsyslog/rsyslog/0001-tests-disable-the-check-for-inotify.patch new file mode 100644 index 0000000..552172d --- /dev/null +++ b/recipes-extended/rsyslog/rsyslog/0001-tests-disable-the-check-for-inotify.patch 
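Review bot: `CPPFLAGS += "-Wno-error"` switches off librelp's -Werror build globally without recording which diagnostic it works around, so future real warnings in a library that links gnutls and openssl will pass silently. Name the warning in a comment above the line, e.g. `# librelp builds with -Werror; <WARNING-NAME, to be filled in> fires with this toolchain`, and prefer the narrow `-Wno-error=<warning>` form once it is identified.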
@@ -0,0 +1,46 @@ +From 194e199ce08acc2192f6a63420ff24d9064666e5 Mon Sep 17 00:00:00 2001 +From: Yi Fan Yu +Date: Sat, 27 Mar 2021 19:18:25 -0400 +Subject: [PATCH] tests: disable the check for inotify + +We don't need to check inotify.h. +Assume it is present since it is part of the linux kernel +since 2.6.13 [1]. + +[1](https://kernelnewbies.org/Linux_2_6_13) + +(it would require installing the libc headers otherwise, + for the test to detect /usr/include/sys/inotify.h.) + +Upstream-Status: Inappropriate[OE-specific] + +Signed-off-by: Yi Fan Yu +--- + tests/diag.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/diag.sh b/tests/diag.sh +index 6cd60ea88..7424f48c5 100755 +--- a/tests/diag.sh ++++ b/tests/diag.sh +@@ -2672,7 +2672,7 @@ case $1 in + fi + ;; + 'check-inotify') # Check for inotify/fen support +- if [ -n "$(find /usr/include -name 'inotify.h' -print -quit)" ]; then ++ if true; then + echo [inotify mode] + elif [ -n "$(find /usr/include/sys/ -name 'port.h' -print -quit)" ]; then + grep -qF "PORT_SOURCE_FILE" < /usr/include/sys/port.h +@@ -2687,7 +2687,7 @@ case $1 in + fi + ;; + 'check-inotify-only') # Check for ONLY inotify support +- if [ -n "$(find /usr/include -name 'inotify.h' -print -quit)" ]; then ++ if true; then + echo [inotify mode] + else + echo [inotify not supported, skipping...] +-- +2.29.2 + diff --git a/recipes-extended/rsyslog/rsyslog/initscript b/recipes-extended/rsyslog/rsyslog/initscript new file mode 100644 index 0000000..7a8f8f9 --- /dev/null +++ b/recipes-extended/rsyslog/rsyslog/initscript 
@@ -0,0 +1,118 @@ +#! /bin/sh +# +# This is an init script for openembedded +# Copy it to /etc/init.d/rsyslog and type +# > update-rc.d rsyslog defaults 5 +# + +PATH=/sbin:/usr/sbin:/bin:/usr/bin +NAME=rsyslog +RSYSLOGD=rsyslogd +RSYSLOGD_BIN=/usr/sbin/rsyslogd +RSYSLOGD_OPTIONS="" +RSYSLOGD_PIDFILE=/var/run/rsyslogd.pid +SCRIPTNAME=/etc/init.d/$NAME +# Exit if the package is not installed +[ -x "$RSYSLOGD_BIN" ] || exit 0 +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME +# +# Function that starts the daemon/service +# +do_start() +{ + DAEMON=$1 + DAEMON_ARGS=$2 + PIDFILE=$3 + # Return + # 0 if daemon has been started + # 1 if daemon could not be started + # if daemon had already been started, start-stop-daemon will return 1 + # so add -o/--oknodo(if nothing is done, exit 0) + start-stop-daemon -S --quiet --pidfile $PIDFILE --exec $DAEMON \ + --oknodo -- $DAEMON_ARGS || return 1 +} +# +# Function that stops the daemon/service +# +do_stop() +{ + NAME=$1 + PIDFILE=$2 + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + # QUIT/TERM/INT should work here, but they don't ????? + start-stop-daemon -K --quiet --signal KILL --pidfile $PIDFILE --name $NAME + RETVAL="$?" + rm -f $PIDFILE + return "$RETVAL" +} +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + NAME=$1 + PIDFILE=$2 + start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +do_status() { + NAME=$1 + PIDFILE=$2 + # -t: test only but not stop + start-stop-daemon -K -t --quiet --pidfile $PIDFILE --name $NAME + # exit with status 0 if process is found + if [ "$?" = "0" ]; then + return 0 + else + return 1 + fi +} + +case "$1" in + start) + echo -n "starting $RSYSLOGD ... " + do_start "$RSYSLOGD_BIN" "$RSYSLOGD_OPTIONS" "$RSYSLOGD_PIDFILE" + case "$?" 
in + 0) echo "done" ;; + 1) echo "failed" ;; + esac + ;; + stop) + echo -n "stopping $RSYSLOGD ... " + do_stop "$RSYSLOGD" "$RSYSLOGD_PIDFILE" + case "$?" in + 0|1) echo "done" ;; + 2) echo "failed" ;; + esac + ;; + reload|force-reload) + echo -n "reloading $RSYSLOGD ... " + do_reload "$RSYSLOGD" "$RSYSLOGD_PIDFILE" + echo "done" + ;; + restart) + $0 stop + $0 start + ;; + status) + echo -n "status $RSYSLOGD ... " + do_status "$RSYSLOGD" "$RSYSLOGD_PIDFILE" + if [ "$?" = "0" ]; then + echo "running" + exit 0 + else + echo "stopped" + exit 1 + fi + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2 + exit 3 + ;; +esac +exit 0 diff --git a/recipes-extended/rsyslog/rsyslog/rsyslog.conf b/recipes-extended/rsyslog/rsyslog/rsyslog.conf new file mode 100644 index 0000000..dbfefb7 --- /dev/null +++ b/recipes-extended/rsyslog/rsyslog/rsyslog.conf 
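Review bot: `do_stop` sends `--signal KILL` unconditionally, so every `stop` and `restart` terminates rsyslogd without letting it flush its action queues, and whatever is buffered at that moment is lost; for a log daemon that is an audit-trail gap, not just an untidy shutdown. The comment `# QUIT/TERM/INT should work here, but they don't ?????` records the doubt instead of resolving it. Try TERM first and escalate only if needed, e.g. `start-stop-daemon -K --quiet --retry TERM/10/KILL/5 --pidfile $PIDFILE --name $NAME` if the target's start-stop-daemon supports `--retry`; otherwise send TERM, wait, then KILL. Note also that `rm -f $PIDFILE` runs even when the stop failed (RETVAL 2), after which `do_status` reports the daemon as stopped while it is still running.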
@@ -0,0 +1,91 @@ +# if you experience problems, check +# http://www.rsyslog.com/troubleshoot for assistance + +# rsyslog v3: load input modules +# If you do not load inputs, nothing happens! +# You may need to set the module load path if modules are not found. +# +# Ported from debian's sysklogd.conf + +$ModLoad immark # provides --MARK-- message capability +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) +$ModLoad imklog # kernel logging (formerly provided by rklogd) + +# +# Set the default permissions +# +$FileOwner root +$FileGroup adm +$FileCreateMode 0640 +$DirCreateMode 0755 +$Umask 0022 + +auth,authpriv.* /var/log/auth.log +*.*;auth,authpriv.none -/var/log/syslog +cron.* /var/log/cron.log +daemon.* -/var/log/daemon.log +kern.* -/var/log/kern.log +lpr.* -/var/log/lpr.log +mail.* -/var/log/mail.log +user.* -/var/log/user.log + +# +# Logging for the mail system. Split it up so that +# it is easy to write scripts to parse these files. +# +mail.info -/var/log/mail.info +mail.warn -/var/log/mail.warn +mail.err /var/log/mail.err + +# Logging for INN news system +# +news.crit /var/log/news.crit +news.err /var/log/news.err +news.notice -/var/log/news.notice + +# +# Some `catch-all' logfiles. +# +*.=debug;\ + auth,authpriv.none;\ + news.none;mail.none -/var/log/debug +*.=info;*.=notice;*.=warn;\ + auth,authpriv.none;\ + cron,daemon.none;\ + mail,news.none -/var/log/messages + +# +# Emergencies are sent to everybody logged in. +# +*.emerg :omusrmsg:* + +# Save boot messages also to boot.log +local7.* /var/log/boot.log + +# Remote Logging (we use TCP for reliable delivery) +# An on-disk queue is created for this action. If the remote host is +# down, messages are spooled to disk and sent when it is up again. 
+#$WorkDirectory /var/spool/rsyslog # where to place spool files +#$ActionQueueFileName uniqName # unique name prefix for spool files +$ActionQueueMaxDiskSpace 10m # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinite retries if host is down +# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional +#*.* @@remote-host:514 + + +# ######### Receiving Messages from Remote Hosts ########## +# TCP Syslog Server: +# provides TCP syslog reception and GSS-API (if compiled to support it) +#$ModLoad imtcp.so # load module +#$InputTCPServerRun 514 # start up TCP listener at port 514 + +# UDP Syslog Server: +#$ModLoad imudp.so # provides UDP syslog reception +#$UDPServerRun 514 # start a UDP syslog server at standard port 514 + +# +# Include all config files in /etc/rsyslog.d/ +# +$IncludeConfig /etc/rsyslog.d/*.conf diff --git a/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate b/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate new file mode 100644 index 0000000..5f8568f --- /dev/null +++ b/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate @@ -0,0 +1,39 @@ +# /etc/logrotate.d/rsyslog - Ported from Debian + +/var/log/syslog +{ + rotate 7 + daily + missingok + notifempty + delaycompress + compress + postrotate + @BINDIR@/pkill -HUP rsyslogd 2> /dev/null || true + endscript +} + +/var/log/mail.info +/var/log/mail.warn +/var/log/mail.err +/var/log/mail.log +/var/log/daemon.log +/var/log/kern.log +/var/log/auth.log +/var/log/user.log +/var/log/lpr.log +/var/log/cron.log +/var/log/debug +/var/log/messages +{ + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + @BINDIR@/pkill -HUP rsyslogd 2> /dev/null || true + endscript +} 
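Review bot: `$ActionQueueMaxDiskSpace 10m # 1gb space limit (use as much as possible)` — the value and its comment disagree (10m vs 1gb), and it is the only action-queue directive left uncommented in the remote-logging block; with `$ActionQueueType`, `$ActionQueueFileName` and `$WorkDirectory` all commented out it presumably has no effect until that block is enabled. Either correct the comment to `# 10mb space limit` or comment the directive out with the rest of the block so a reader does not assume disk spooling is configured. Since `$ActionQueueSaveOnShutdown on` is also commented out, nothing queued survives a daemon stop, which is worth stating in the header comment of this section.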
diff --git a/recipes-extended/rsyslog/rsyslog/rsyslog.service b/recipes-extended/rsyslog/rsyslog/rsyslog.service
new file mode 100644
index 0000000..0aacff3
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/rsyslog.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=System Logging Service
+Requires=syslog.socket
+Wants=network.target network-online.target
+After=network.target network-online.target
+Documentation=man:rsyslogd(8)
+Documentation=http://www.rsyslog.com/doc/
+
+[Service]
+Type=notify
+ExecStart=@sbindir@/rsyslogd -n -iNONE
+StandardOutput=null
+Restart=on-failure
+
+# Increase the default a bit in order to allow many simultaneous
+# files to be monitored, we might need a lot of fds.
+LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target
+Alias=syslog.service
diff --git a/recipes-extended/rsyslog/rsyslog/run-ptest b/recipes-extended/rsyslog/rsyslog/run-ptest
new file mode 100644
index 0000000..efa9ba3
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/run-ptest
@@ -0,0 +1,12 @@
+#!/bin/sh
+#
+set -e
+set -o pipefail
+
+SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
+cd ${SCRIPTPATH}
+useradd tester || echo "user already exists"
+ln -sf /usr/sbin/logrotate /usr/bin/logrotate
+su tester -c "make -C tests -k check-TESTS"
+userdel tester
+rm -f /usr/bin/logrotate
diff --git a/recipes-extended/rsyslog/rsyslog/use-pkgconfig-to-check-libgcrypt.patch b/recipes-extended/rsyslog/rsyslog/use-pkgconfig-to-check-libgcrypt.patch
new file mode 100644
index 0000000..0352587
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/use-pkgconfig-to-check-libgcrypt.patch
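Review bot: run-ptest declares `#!/bin/sh` but calls `set -o pipefail`, which is not POSIX; if the target's /bin/sh is dash the `set` fails and, with `set -e` already in force, the script exits before running a single test. Use `#!/bin/bash` (bash is already in `RDEPENDS_${PN}-ptest`) or drop the option, since no pipeline in the script depends on it. Separately, `useradd tester` and the `/usr/bin/logrotate` symlink mutate the live rootfs and `set -e` aborts at the `su` line whenever `make -k check-TESTS` returns non-zero, so the `userdel tester` and `rm -f` cleanup is skipped on exactly the runs that fail; `trap 'userdel tester; rm -f /usr/bin/logrotate' EXIT` placed right after the useradd keeps the cleanup unconditional.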
@@ -0,0 +1,43 @@ +From d0852006bf3d305e8984b85b41997d43d4476937 Mon Sep 17 00:00:00 2001 +From: Roy Li +Date: Wed, 18 Jun 2014 13:46:52 +0800 +Subject: [PATCH] use pkgconfig to check libgcrypt + +Upstream-Status: Inappropriate [configuration] + +libgcrypt does no longer provide libgcrypt-config, and provide +*.pc, so we should use pkgconfig to check + +Signed-off-by: Roy Li +Signed-off-by: Wenzong Fan + +--- + configure.ac | 15 +-------------- + 1 file changed, 1 insertion(+), 14 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 62178c3..b56c9c7 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -889,20 +889,7 @@ AC_ARG_ENABLE(libgcrypt, + [enable_libgcrypt=yes] + ) + if test "x$enable_libgcrypt" = "xyes"; then +- AC_PATH_PROG([LIBGCRYPT_CONFIG],[libgcrypt-config],[no]) +- if test "x${LIBGCRYPT_CONFIG}" = "xno"; then +- AC_MSG_FAILURE([libgcrypt-config not found in PATH]) +- fi +- AC_CHECK_LIB( +- [gcrypt], +- [gcry_cipher_open], +- [LIBGCRYPT_CFLAGS="`${LIBGCRYPT_CONFIG} --cflags`" +- LIBGCRYPT_LIBS="`${LIBGCRYPT_CONFIG} --libs`" +- ], +- [AC_MSG_FAILURE([libgcrypt is missing])], +- [`${LIBGCRYPT_CONFIG} --libs --cflags`] +- ) +- AC_DEFINE([ENABLE_LIBGCRYPT], [1], [Indicator that LIBGCRYPT is present]) ++ PKG_CHECK_MODULES(LIBGCRYPT, libgcrypt) + fi + AM_CONDITIONAL(ENABLE_LIBGCRYPT, test x$enable_libgcrypt = xyes) + AC_SUBST(LIBGCRYPT_CFLAGS) diff --git a/recipes-extended/rsyslog/rsyslog_8.2206.0.bb b/recipes-extended/rsyslog/rsyslog_8.2206.0.bb new file mode 100644 index 0000000..f7604f8 --- /dev/null +++ b/recipes-extended/rsyslog/rsyslog_8.2206.0.bb 
@@ -0,0 +1,204 @@ +SUMMARY = "Rsyslog is an enhanced multi-threaded syslogd" +DESCRIPTION = "\ +Rsyslog is an enhanced syslogd supporting, among others, MySQL,\ + PostgreSQL, failover log destinations, syslog/tcp, fine grain\ + output format control, high precision timestamps, queued operations\ + and the ability to filter on any message part. It is quite\ + compatible to stock sysklogd and can be used as a drop-in replacement.\ + Its advanced features make it suitable for enterprise-class,\ + encryption protected syslog relay chains while at the same time being\ + very easy to setup for the novice user." + +DEPENDS = "zlib libestr libfastjson bison-native flex-native liblogging" +HOMEPAGE = "http://www.rsyslog.com/" +LICENSE = "GPL-3.0+ & LGPL-3.0+ & Apache-2.0" +LIC_FILES_CHKSUM = "file://COPYING;md5=51d9635e646fb75e1b74c074f788e973 \ + file://COPYING.LESSER;md5=cb7903f1e5c39ae838209e130dca270a \ + file://COPYING.ASL20;md5=052f8a09206615ab07326ff8ce2d9d32\ +" + +SRC_URI = "http://www.rsyslog.com/download/files/download/rsyslog/${BPN}-${PV}.tar.gz \ + file://initscript \ + file://rsyslog.conf \ + file://rsyslog.logrotate \ + file://rsyslog.service \ + file://use-pkgconfig-to-check-libgcrypt.patch \ + file://run-ptest \ + file://0001-tests-disable-the-check-for-inotify.patch \ +" + +SRC_URI_append_libc-musl = " \ + file://0001-Include-sys-time-h.patch \ +" + +SRC_URI[sha256sum] = "a1377218b26c0767a7a3f67d166d5338af7c24b455d35ec99974e18e6845ba27" + +UPSTREAM_CHECK_URI = "https://github.com/rsyslog/rsyslog/releases" +UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)" + +inherit autotools pkgconfig systemd update-rc.d ptest + +EXTRA_OECONF += "--disable-generate-man-pages ap_cv_atomic_builtins=yes" +EXTRA_OECONF += "--enable-imfile-tests" +EXTRA_OECONF_remove_mipsarch = "ap_cv_atomic_builtins=yes" +EXTRA_OECONF_remove_powerpc = "ap_cv_atomic_builtins=yes" +EXTRA_OECONF_remove_riscv32 = "ap_cv_atomic_builtins=yes" + +# first line is default yes in configure +PACKAGECONFIG ??= " 
\ + rsyslogd rsyslogrt klog inet regexp uuid libgcrypt \ + fmhttp imdiag gnutls imfile \ + ${@bb.utils.filter('DISTRO_FEATURES', 'snmp systemd', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'testbench relp ${VALGRIND}', '', d)} \ +" + +# default yes in configure +PACKAGECONFIG[relp] = "--enable-relp,--disable-relp,librelp," +PACKAGECONFIG[rsyslogd] = "--enable-rsyslogd,--disable-rsyslogd,," +PACKAGECONFIG[rsyslogrt] = "--enable-rsyslogrt,--disable-rsyslogrt,," +PACKAGECONFIG[fmhttp] = "--enable-fmhttp,--disable-fmhttp,curl," +PACKAGECONFIG[inet] = "--enable-inet,--disable-inet,," +PACKAGECONFIG[klog] = "--enable-klog,--disable-klog,," +PACKAGECONFIG[regexp] = "--enable-regexp,--disable-regexp,," +PACKAGECONFIG[uuid] = "--enable-uuid,--disable-uuid,util-linux," +PACKAGECONFIG[libgcrypt] = "--enable-libgcrypt,--disable-libgcrypt,libgcrypt," +PACKAGECONFIG[testbench] = "--enable-testbench --enable-omstdout,--disable-testbench --disable-omstdout,," + +# default no in configure +PACKAGECONFIG[debug] = "--enable-debug,--disable-debug,," +PACKAGECONFIG[imdiag] = "--enable-imdiag,--disable-imdiag,," +PACKAGECONFIG[imfile] = "--enable-imfile,--disable-imfile,," +PACKAGECONFIG[snmp] = "--enable-snmp,--disable-snmp,net-snmp," +PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls," +PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/,--without-systemdsystemunitdir,systemd," +PACKAGECONFIG[imjournal] = "--enable-imjournal,--disable-imjournal," +PACKAGECONFIG[mmjsonparse] = "--enable-mmjsonparse,--disable-mmjsonparse," +PACKAGECONFIG[mysql] = "--enable-mysql,--disable-mysql,mysql5," +PACKAGECONFIG[postgresql] = "--enable-pgsql,--disable-pgsql,postgresql," +PACKAGECONFIG[libdbi] = "--enable-libdbi,--disable-libdbi,libdbi," +PACKAGECONFIG[mail] = "--enable-mail,--disable-mail,," +PACKAGECONFIG[valgrind] = ",--without-valgrind-testbench,valgrind," +PACKAGECONFIG[imhttp] = "--enable-imhttp,--disable-imhttp,civetweb," + + +TESTDIR 
= "tests" +do_compile_ptest() { + echo 'buildtest-TESTS: $(check_PROGRAMS)' >> ${TESTDIR}/Makefile + oe_runmake -C ${TESTDIR} buildtest-TESTS +} + +do_install_ptest() { + # install the tests + cp -rf ${S}/${TESTDIR} ${D}${PTEST_PATH} + cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH} + + # give permissions to all users + # some tests need to write to this directory as user 'daemon' + chmod 777 -R ${D}${PTEST_PATH}/tests + + # do NOT need to rebuild Makefile itself + sed -i 's/^Makefile:.*$/Makefile:/' ${D}${PTEST_PATH}/${TESTDIR}/Makefile + # do NOT need to rebuild $(check_PROGRAMS) + sed -i 's/^check-TESTS:.*$/check-TESTS:/' ${D}${PTEST_PATH}/${TESTDIR}/Makefile + + # fix the srcdir, top_srcdir + sed -i 's,^\(srcdir = \).*,\1${PTEST_PATH}/tests,' ${D}${PTEST_PATH}/${TESTDIR}/Makefile + sed -i 's,^\(top_srcdir = \).*,\1${PTEST_PATH}/tests,' ${D}${PTEST_PATH}/${TESTDIR}/Makefile + # fix the abs_top_builddir + sed -i 's,^\(abs_top_builddir = \).*,\1${PTEST_PATH}/,' ${D}${PTEST_PATH}/${TESTDIR}/Makefile + + # install test-driver + install -m 644 ${S}/test-driver ${D}${PTEST_PATH} + + # install necessary links + install -d ${D}${PTEST_PATH}/tools + ln -sf ${sbindir}/rsyslogd ${D}${PTEST_PATH}/tools/rsyslogd + + install -d ${D}${PTEST_PATH}/runtime + install -d ${D}${PTEST_PATH}/runtime/.libs + ( + cd ${D}/${libdir}/rsyslog + allso="*.so" + for i in $allso; do + ln -sf ${libdir}/rsyslog/$i ${D}${PTEST_PATH}/runtime/.libs/$i + done + ) + + # fix the module load path with runtime/.libs + find ${D}${PTEST_PATH}/${TESTDIR} -name "*.conf" -o -name "*.sh" -o -name "*.c" | xargs \ + sed -i -e 's:../plugins/.*/.libs/:../runtime/.libs/:g' + # fix the python3 path for tests/set-envar + sed -i -e s:${HOSTTOOLS_DIR}:${bindir}:g ${D}${PTEST_PATH}/tests/set-envvars +} + +do_install_append() { + install -d "${D}${sysconfdir}/init.d" + install -d "${D}${sysconfdir}/logrotate.d" + install -m 755 ${WORKDIR}/initscript ${D}${sysconfdir}/init.d/syslog + install -m 644 ${WORKDIR}/rsyslog.conf 
${D}${sysconfdir}/rsyslog.conf + install -m 644 ${WORKDIR}/rsyslog.logrotate ${D}${sysconfdir}/logrotate.d/logrotate.rsyslog + sed -i -e "s#@BINDIR@#${bindir}#g" ${D}${sysconfdir}/logrotate.d/logrotate.rsyslog + + if ${@bb.utils.contains('PACKAGECONFIG', 'imjournal', 'true', 'false', d)}; then + install -d 0755 ${D}${sysconfdir}/rsyslog.d + echo '$ModLoad imjournal' >> ${D}${sysconfdir}/rsyslog.d/imjournal.conf + fi + if ${@bb.utils.contains('PACKAGECONFIG', 'mmjsonparse', 'true', 'false', d)}; then + install -d 0755 ${D}${sysconfdir}/rsyslog.d + echo '$ModLoad mmjsonparse' >> ${D}${sysconfdir}/rsyslog.d/mmjsonparse.conf + fi + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + install -d ${D}${systemd_system_unitdir} + install -m 644 ${WORKDIR}/rsyslog.service ${D}${systemd_system_unitdir} + sed -i -e "s,@sbindir@,${sbindir},g" ${D}${systemd_system_unitdir}/rsyslog.service + fi +} + +FILES_${PN} += "${bindir}" + +INITSCRIPT_NAME = "syslog" +INITSCRIPT_PARAMS = "defaults" + +CONFFILES_${PN} = "${sysconfdir}/rsyslog.conf" + +RCONFLICTS_${PN} = "busybox-syslog sysklogd syslog-ng" + +RPROVIDES_${PN} += "${PN}-systemd" +RREPLACES_${PN} += "${PN}-systemd" +RCONFLICTS_${PN} += "${PN}-systemd" +SYSTEMD_SERVICE_${PN} = "${BPN}.service" + +RDEPENDS_${PN} += "logrotate" + +# for rsyslog-ptest +VALGRIND = "valgrind" + +# valgrind supports armv7 and above +VALGRIND_armv4 = '' +VALGRIND_armv5 = '' +VALGRIND_armv6 = '' + +# X32 isn't supported by valgrind at this time +VALGRIND_linux-gnux32 = '' +VALGRIND_linux-muslx32 = '' + +# Disable for some MIPS variants +VALGRIND_mipsarchr6 = '' +VALGRIND_linux-gnun32 = '' + +# Disable for powerpc64 with musl +VALGRIND_libc-musl_powerpc64 = '' +VALGRIND_libc-musl_powerpc64le = '' + +# RISC-V support for valgrind is not there yet +VALGRIND_riscv64 = "" +VALGRIND_riscv32 = "" + +# util-linux: logger needs the -d option +RDEPENDS_${PN}-ptest += "\ + make diffutils gzip bash gawk coreutils procps \ + libgcc 
python3-core python3-io python3-json \
+ curl util-linux shadow \
+ "
+
+RRECOMMENDS_${PN}-ptest += "${TCLIBC}-dbg ${VALGRIND}"
diff --git a/recipes-extended/sudo/files/CVE-2022-43995.patch b/recipes-extended/sudo/files/CVE-2022-43995.patch
new file mode 100644
index 0000000..1336c77
--- /dev/null
+++ b/recipes-extended/sudo/files/CVE-2022-43995.patch
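Review bot: `SRC_URI` fetches the rsyslog tarball over plain `http://www.rsyslog.com/download/files/download/rsyslog/${BPN}-${PV}.tar.gz`; the pinned `SRC_URI[sha256sum]` turns a tampered download into a fetch failure rather than a compromise, but the checksum is then the only control, and `https://` is cheap hygiene that the `UPSTREAM_CHECK_URI` two lines down already uses for github. Switch the scheme if upstream serves it, which I believe it does. In `do_install_ptest`, `chmod 777 -R ${D}${PTEST_PATH}/tests` leaves the entire installed test tree world-writable on the target image; the comment says only some directories need writing as another user, so limit the chmod to those, or `chown` them to the account run-ptest creates. The recipe enumerates its inputs with `SRC_URI_append_libc-musl` and `FILES_${PN}` while the libtirpc recipe in this commit uses colon overrides — see the note on that hunk.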
@@ -0,0 +1,59 @@
+From e1554d7996a59bf69544f3d8dd4ae683027948f9 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati
+Date: Tue, 15 Nov 2022 09:17:18 +0530
+Subject: [PATCH] CVE-2022-43995
+
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]
+CVE: CVE-2022-43995
+Signed-off-by: Hitendra Prajapati
+
+Potential heap overflow for passwords < 8
+characters. Starting with sudo 1.8.0 the plaintext password buffer is
+dynamically sized so it is not safe to assume that it is at least 9 bytes in
+size.
+Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
+---
+ plugins/sudoers/auth/passwd.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index 03c7a16..76a7824 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
+ int
+ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
+- char sav, *epass;
++ char des_pass[9], *epass;
+ char *pw_epasswd = auth->data;
+ size_t pw_len;
+ int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+
+ /*
+ * Truncate to 8 chars if standard DES since not all crypt()'s do this.
+- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+ */
+- sav = pass[8];
+ pw_len = strlen(pw_epasswd);
+- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+- pass[8] = '\0';
++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++ strlcpy(des_pass, pass, sizeof(des_pass));
++ pass = des_pass;
++ }
+
+ /*
+ * Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+ * only compare the first DESLEN characters in that case.
+ */
+ epass = (char *) crypt(pass, pw_epasswd);
+- pass[8] = sav;
+ if (epass != NULL) {
+ if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ matched = !strncmp(pw_epasswd, epass, DESLEN);
+--
+2.25.1
+
diff --git a/recipes-extended/sudo/sudo_1.9.5p2.bb b/recipes-extended/sudo/sudo_1.9.5p2.bb
index a1164e9..e40c058 100644
--- a/recipes-extended/sudo/sudo_1.9.5p2.bb
+++ b/recipes-extended/sudo/sudo_1.9.5p2.bb
@@ -3,6 +3,7 @@ require sudo.inc
 SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
+ file://CVE-2022-43995.patch \
 "
 
 PAM_SRC_URI = "file://sudo.pam"
-- 
cgit v1.2.3