path: root/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
blob: 3925a4abbb811a011f29c4133e394e09a533d3c5 (plain)
From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001
From: Filipe Brandenburger <filbranden@google.com>
Date: Thu, 10 Jan 2019 14:53:33 -0800
Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866

The original code didn't account for the fact that strchr() would match on the
'\0' character, making it read past the end of the buffer if no non-whitespace
character was present.

This bug was introduced in commit ec5ff4445cca6a which was first released in
systemd v221 and later fixed in commit 8595102d3ddde6 which was released in
v240, so versions in the range [v221, v240) are affected.

Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b
also includes a change from systemd master which removes a heap buffer overflow
a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.

CVE: CVE-2018-16866
Upstream-Status: Backport
Signed-off-by: Marcus Cooper <marcusc@axis.com>
---
 src/journal/journald-syslog.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
index 9dea116722..809b318c06 100644
--- a/src/journal/journald-syslog.c
+++ b/src/journal/journald-syslog.c
@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
         e = l;
         l--;
 
-        if (p[l-1] == ']') {
+        if (l > 0 && p[l-1] == ']') {
                 size_t k = l-1;
 
                 for (;;) {
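Review bot: the new `l > 0 &&` guard on `if (l > 0 && p[l-1] == ']')` only protects `p[l-1]` if `l` was at least 1 before the `l--` two lines above; if `l` could reach this point as 0, an unsigned `l` would wrap on the decrement and the `> 0` test would still pass. Please confirm the earlier length check in `syslog_parse_identifier()` guarantees that, and consider a short comment here, since the commit message says this hunk is the separate heap-overflow fix pulled in from master (a6aadf4ae0bae185dc4c414d492a4a781c80ffe5) rather than part of the CVE-2018-16866 backport proper.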
@@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
         if (t)
                 *identifier = t;
 
-        if (strchr(WHITESPACE, p[e]))
+        if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
                 e++;
         *buf = p + e;
         return e;
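Review bot: the added `p[e] != '\0' &&` before `strchr(WHITESPACE, p[e])` is the right fix, since `strchr()` also matches the terminating NUL and would otherwise let `e++` move `*buf` one past the end of the string, exactly as the commit message describes; a one-line comment stating that `strchr()` matches `'\0'` would stop the guard from being "simplified away" later. Note also that the diffstat shows only `journald-syslog.c` changed, so this backport carries no regression test for an identifier-only input such as `"foo:"` followed by NUL; adding one would be worthwhile.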
-- 
2.11.0