From 5468de3d5d529636d50fd17595adb955f096c7d7 Mon Sep 17 00:00:00 2001
From: zouzhimin
Date: Wed, 18 Oct 2023 15:34:03 +0800
Subject: [PATCH] fix CVE-2023-39976
---
 ...tial-overflow-with-long-log-messages.patch | 57 +++++++++++++++++++
 libqb.spec | 16 ++++--
 2 files changed, 69 insertions(+), 4 deletions(-)
 create mode 100644 fix-potential-overflow-with-long-log-messages.patch
diff --git a/fix-potential-overflow-with-long-log-messages.patch b/fix-potential-overflow-with-long-log-messages.patch
new file mode 100644
index 0000000..5c5fd35
--- /dev/null
+++ b/fix-potential-overflow-with-long-log-messages.patch
@@ -0,0 +1,57 @@
+From 1bbaa929b77113532785c408dd1b41cd0521ffc8 Mon Sep 17 00:00:00 2001
+From: Chrissie Caulfield
+Date: Thu, 20 Jul 2023 07:19:01 +0100
+Subject: [PATCH] log: fix potential overflow with long log messages (#490)
+
+qb_vsnprintf_serialize was called with 'max_size' as the
+limiting number for the length of the formatted log
+message. But the buffer also needs to contain the
+log header (given by 'actual_size'), so we now pass
+'t->max_line_length' as the maximum length of the
+formatted log message to limit space to the actual
+bytes left
+
+Also added error checks to the blackbox calls at
+the end of the test, as these now provide a proper
+test that the BB is functioning. Before they were
+masking failures.
+---
+ lib/log_blackbox.c | 4 ++--
+ tests/check_log.c | 6 ++++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/log_blackbox.c b/lib/log_blackbox.c
+index 3e30504..8519a48 100644
+--- a/lib/log_blackbox.c
++++ b/lib/log_blackbox.c
+@@ -110,8 +110,8 @@ _blackbox_vlogger(int32_t target,
+ chunk += sizeof(uint32_t);
+
+ /* log message */
+- msg_len = qb_vsnprintf_serialize(chunk, max_size, cs->format, ap);
+- if (msg_len >= max_size) {
++ msg_len = qb_vsnprintf_serialize(chunk, t->max_line_length, cs->format, ap);
++ if (msg_len >= t->max_line_length) {
+ chunk = msg_len_pt + sizeof(uint32_t); /* Reset */
+
+ /* Leave this at QB_LOG_MAX_LEN so as not to overflow the blackbox */
+diff --git a/tests/check_log.c b/tests/check_log.c
+index 039a4bb..e5abf40 100644
+--- a/tests/check_log.c
++++ b/tests/check_log.c
+@@ -832,8 +832,10 @@ START_TEST(test_log_long_msg)
+ qb_log(LOG_INFO, "Message %d %d - %s", lpc, lpc%600, buffer);
+ }
+
+- qb_log_blackbox_write_to_file("blackbox.dump");
+- qb_log_blackbox_print_from_file("blackbox.dump");
++ rc = qb_log_blackbox_write_to_file("blackbox.dump");
++ ck_assert_int_gt(rc, 0);
++ rc = qb_log_blackbox_print_from_file("blackbox.dump");
++ ck_assert_int_le(rc, 0);
+ 
unlink("blackbox.dump");
+ qb_log_fini();
+ }
+--
+2.33.0
+
diff --git a/libqb.spec b/libqb.spec
index 8f9ac0c..b355ab5 100644
--- a/libqb.spec
+++ b/libqb.spec
@@ -1,11 +1,11 @@
 Name: libqb
 Version: 2.0.7
-Release: 1
+Release: 2
 Summary: Library providing high performance logging, tracing, ipc, and poll
 License: LGPLv2+
 URL: https://github.com/ClusterLabs/libqb
 Source0: https://github.com/ClusterLabs/libqb/releases/download/v%{version}/%{name}-%{version}.tar.xz
-
+Patch0: fix-potential-overflow-with-long-log-messages.patch
 BuildRequires: autoconf automake libtool check-devel doxygen gcc procps pkgconfig(glib-2.0)
 BuildRequires: git-core
 # For doxygen2man
@@ -16,7 +16,7 @@ architecture, such as logging, tracing, inter-process communication (IPC),
 and polling.
 %prep
-%setup -q -n %{name}-%{version}
+%autosetup -n %{name}-%{version} -p1
 %build
 ./autogen.sh
@@ -74,7 +74,15 @@ This package contains a program to create nicely-formatted man pages from Doxyge
 %{_mandir}/man1/doxygen2man.1.gz
 %changelog
-* Tue Jul 18 2023 zouzhimin - 2.0.7-1
+* Wed Oct 18 2023 zouzhimin - 2.0.7-2
+- Type:cves
+- ID:CVE-2023-39976
+- SUG:NA
+- DESC:fix CVE-2023-39976
+ Community Patch Link:
+ https://github.com/ClusterLabs/libqb/commit/1bbaa929b77113532785c408dd1b41cd0521ffc8
+
+* Tue Aug 15 2023 zouzhimin - 2.0.7-1
 - Upgrade to 2.0.7
 * Mon Aug 14 2023 liningjie - 2.0.6-2
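Review bot: In the lib/log_blackbox.c hunk of the added patch, the new bound `t->max_line_length` is only safe if the chunk reserved earlier in `_blackbox_vlogger` still has at least that many bytes left once the header has been written, and that reservation is outside the hunk. A comment at the call would pin the invariant, for example `/* chunk now points past the header; at most t->max_line_length bytes remain */`. The too-long branch that follows is cut off by the hunk and its comment refers to QB_LOG_MAX_LEN, so it is worth confirming that the fallback write there is also limited by the space actually left, in case `max_line_length` can be smaller than that constant. In tests/check_log.c the new assertions assign to `rc`, whose declaration is not visible in the hunk.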