Version in base suite: 8.2102.0-2

Base version: rsyslog_8.2102.0-2
Target version: rsyslog_8.2102.0-2+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/rsyslog/rsyslog_8.2102.0-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/rsyslog/rsyslog_8.2102.0-2+deb11u1.dsc

 changelog                                         |    8 +++
 gbp.conf                                          |    2 
 patches/net-bugfix-potential-buffer-overrun.patch |   56 ++++++++++++++++++++++
 patches/series                                    |    1 
 4 files changed, 66 insertions(+), 1 deletion(-)

diff -Nru rsyslog-8.2102.0/debian/changelog rsyslog-8.2102.0/debian/changelog
--- rsyslog-8.2102.0/debian/changelog	2021-02-17 18:04:30.000000000 +0000
+++ rsyslog-8.2102.0/debian/changelog	2022-05-20 21:05:15.000000000 +0000
@@ -1,3 +1,11 @@
+rsyslog (8.2102.0-2+deb11u1) bullseye-security; urgency=medium
+
+  * Fix potential heap buffer overflow in TCP syslog server (receiver)
+    components when octet-counted framing is used
+    (CVE-2022-24903, Closes: #1010619)
+
+ -- Michael Biebl <biebl@debian.org>  Fri, 20 May 2022 23:05:15 +0200
+
 rsyslog (8.2102.0-2) unstable; urgency=medium
 
   * testbench: changed tlscommands for librelp tls tests.
diff -Nru rsyslog-8.2102.0/debian/gbp.conf rsyslog-8.2102.0/debian/gbp.conf
--- rsyslog-8.2102.0/debian/gbp.conf	2021-02-17 18:04:30.000000000 +0000
+++ rsyslog-8.2102.0/debian/gbp.conf	2022-05-20 21:05:15.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
 pristine-tar = True
 patch-numbers = False
-debian-branch = debian/master
+debian-branch = debian/bullseye
 upstream-branch = upstream/latest
diff -Nru rsyslog-8.2102.0/debian/patches/net-bugfix-potential-buffer-overrun.patch rsyslog-8.2102.0/debian/patches/net-bugfix-potential-buffer-overrun.patch
--- rsyslog-8.2102.0/debian/patches/net-bugfix-potential-buffer-overrun.patch	1970-01-01 00:00:00.000000000 +0000
+++ rsyslog-8.2102.0/debian/patches/net-bugfix-potential-buffer-overrun.patch	2022-05-20 21:05:15.000000000 +0000
@@ -0,0 +1,56 @@
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Fri, 22 Apr 2022 09:49:46 +0200
+Subject: net bugfix: potential buffer overrun
+
+(cherry picked from commit 89955b0bcb1ff105e1374aad7e0e993faa6a038f)
+---
+ contrib/imhttp/imhttp.c | 4 +++-
+ plugins/imptcp/imptcp.c | 4 +++-
+ runtime/tcps_sess.c     | 4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/imhttp/imhttp.c b/contrib/imhttp/imhttp.c
+index 3b21792..25ba6ad 100644
+--- a/contrib/imhttp/imhttp.c
++++ b/contrib/imhttp/imhttp.c
+@@ -435,7 +435,9 @@ processOctetMsgLen(const instanceConf_t *const inst, struct conn_wrkr_s *connWrk
+ 				connWrkr->parseState.iOctetsRemain = connWrkr->parseState.iOctetsRemain * 10 + ch - '0';
+ 			}
+ 			// temporarily save this character into the message buffer
+-			connWrkr->pMsg[connWrkr->iMsg++] = ch;
++			if(connWrkr->iMsg + 1 < s_iMaxLine) {
++				connWrkr->pMsg[connWrkr->iMsg++] = ch;
++			}
+ 		} else {
+ 			const char *remoteAddr = "";
+ 			if (connWrkr->propRemoteAddr) {
+diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
+index e89971d..45b1ae2 100644
+--- a/plugins/imptcp/imptcp.c
++++ b/plugins/imptcp/imptcp.c
+@@ -1107,7 +1107,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
++			if(pThis->iMsg < iMaxLine) {
++				*(pThis->pMsg + pThis->iMsg++) = c;
++			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
+index 58528c8..4170688 100644
+--- a/runtime/tcps_sess.c
++++ b/runtime/tcps_sess.c
+@@ -387,7 +387,9 @@ processDataRcvd(tcps_sess_t *pThis,
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
++			if(pThis->iMsg < iMaxLine) {
++				*(pThis->pMsg + pThis->iMsg++) = c;
++			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
diff -Nru rsyslog-8.2102.0/debian/patches/series rsyslog-8.2102.0/debian/patches/series
--- rsyslog-8.2102.0/debian/patches/series	2021-02-17 18:04:30.000000000 +0000
+++ rsyslog-8.2102.0/debian/patches/series	2022-05-20 21:05:15.000000000 +0000
@@ -1,3 +1,4 @@
 Don-t-create-a-database.patch
 Increase-timeouts-in-imfile-basic-2GB-file-and-imfile-tru.patch
 testbench-changed-tlscommands-for-librelp-tls-tests.patch
+net-bugfix-potential-buffer-overrun.patch