Version in base suite: 3.28.1-2 Base version: syslog-ng_3.28.1-2 Target version: syslog-ng_3.28.1-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/syslog-ng/syslog-ng_3.28.1-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/syslog-ng/syslog-ng_3.28.1-2+deb11u1.dsc changelog | 9 gbp.conf | 4 patches/0001-syslogformat-reorder-functions.patch | 44 + patches/0002-syslogformat-utilize-sd_step.patch | 176 ++++++ patches/0003-syslogformat-sd_step-skip-if-no-char-left.patch | 35 + patches/0004-syslogformat-sd_step-_process_any_char.patch | 259 ++++++++++ patches/0005-syslogformat-skip-cisco-sequence-id-parsing.patch | 31 + patches/0006-syslogformat-fix-out-of-bounds-reading-of-data-buffe.patch | 53 ++ patches/0007-syslogformat-fix-reading-cisco-sequence-id-out-of-bo.patch | 24 patches/0008-timeutils-fix-iterating-out-of-the-range-of-timestam.patch | 25 patches/0009-timeutils-add-tests-for-non-zero-terminated-inputs.patch | 201 +++++++ patches/0010-timeutils-name-repeating-constant.patch | 167 ++++++ patches/0011-timeutils-fix-invalid-calculation-of-ISO-timestamp-l.patch | 68 ++ patches/0012-timeutils-fix-out-of-bounds-reading-of-data-buffer.patch | 33 + patches/series | 12 salsa-ci.yml | 9 16 files changed, 1146 insertions(+), 4 deletions(-) diff -Nru syslog-ng-3.28.1/debian/changelog syslog-ng-3.28.1/debian/changelog --- syslog-ng-3.28.1/debian/changelog 2020-09-13 09:23:18.000000000 +0000 +++ syslog-ng-3.28.1/debian/changelog 2023-02-28 23:51:40.000000000 +0000 @@ -1,3 +1,12 @@ +syslog-ng (3.28.1-2+deb11u1) bullseye-security; urgency=high + + * CVE-2022-38725: Integer overflow and buffer out-of-bounds issues in the + RFC3164 parser, which could allows remote attackers to cause a Denial of + Service via crafted syslog input. + * Fix crash (segflaut) with small invalid formatted logs. + + -- Guilhem Moulin Wed, 01 Mar 2023 00:51:40 +0100 + syslog-ng (3.28.1-2) unstable; urgency=medium * [def6b75] Remove overlay configuration from gbp.conf. diff -Nru syslog-ng-3.28.1/debian/gbp.conf syslog-ng-3.28.1/debian/gbp.conf --- syslog-ng-3.28.1/debian/gbp.conf 2020-09-13 09:23:18.000000000 +0000 +++ syslog-ng-3.28.1/debian/gbp.conf 2023-02-28 23:51:40.000000000 +0000 @@ -3,9 +3,5 @@ debian-tag = debian/syslog-ng-%(version)s upstream-branch = upstream/3.x -[buildpackage] -export-dir = ../build-area/ -tarball-dir = ../ - [import-orig] filter = [".git", "debian/*", ".github"] diff -Nru syslog-ng-3.28.1/debian/patches/0001-syslogformat-reorder-functions.patch syslog-ng-3.28.1/debian/patches/0001-syslogformat-reorder-functions.patch --- syslog-ng-3.28.1/debian/patches/0001-syslogformat-reorder-functions.patch 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/0001-syslogformat-reorder-functions.patch 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,44 @@ +From: Kokan +Date: Fri, 24 Jul 2020 10:34:39 +0200 +Subject: syslogformat: reorder functions + +Signed-off-by: Kokan +Origin: https://github.com/syslog-ng/syslog-ng/commit/2fb6a11160ec87f4d49bce16097a2c559fceb527 +--- + modules/syslogformat/syslog-format.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c +index 6d53a32..8c70159 100644 +--- a/modules/syslogformat/syslog-format.c ++++ b/modules/syslogformat/syslog-format.c +@@ -47,6 +47,14 @@ static struct + NVHandle raw_message; + } handles; + ++static inline void ++sd_step(const guchar **data, gint *left) ++{ ++ (*data)++; ++ (*left)--; ++} ++ ++ + static gboolean + log_msg_parse_pri(LogMessage *self, const guchar **data, gint *length, guint flags, guint16 default_pri) + { +@@ -499,14 +507,6 @@ log_msg_parse_hostname(LogMessage *self, const guchar **data, gint *length, + *length = left; + } + +- +-static inline void +-sd_step(const guchar **data, gint *left) +-{ +- (*data)++; +- (*left)--; +-} +- + /** + * log_msg_parse: + * @self: LogMessage instance to store parsed information into diff -Nru syslog-ng-3.28.1/debian/patches/0002-syslogformat-utilize-sd_step.patch syslog-ng-3.28.1/debian/patches/0002-syslogformat-utilize-sd_step.patch --- syslog-ng-3.28.1/debian/patches/0002-syslogformat-utilize-sd_step.patch 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/0002-syslogformat-utilize-sd_step.patch 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,176 @@ +From: Kokan +Date: Fri, 24 Jul 2020 10:44:22 +0200 +Subject: syslogformat: utilize sd_step + +Signed-off-by: Kokan +Origin: https://github.com/syslog-ng/syslog-ng/commit/9ec67869fd9b784f56804f175ef8eda68662cd0d +--- + modules/syslogformat/syslog-format.c | 54 ++++++++++++------------------------ + 1 file changed, 18 insertions(+), 36 deletions(-) + +diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c +index 8c70159..ec4b570 100644 +--- a/modules/syslogformat/syslog-format.c ++++ b/modules/syslogformat/syslog-format.c +@@ -65,8 +65,7 @@ log_msg_parse_pri(LogMessage *self, const guchar **data, gint *length, guint fla + + if (left && src[0] == '<') + { +- src++; +- left--; ++ sd_step(&src, &left); + pri = 0; + while (left && *src != '>') + { +@@ -78,14 +77,12 @@ log_msg_parse_pri(LogMessage *self, const guchar **data, gint *length, guint fla + { + return FALSE; + } +- src++; +- left--; ++ sd_step(&src, &left); + } + self->pri = pri; + if (left) + { +- src++; +- left--; ++ sd_step(&src, &left); + } + } + /* No priority info in the buffer? Just assign a default. */ +@@ -108,8 +105,7 @@ log_msg_parse_skip_chars(LogMessage *self, const guchar **data, gint *length, co + + while (max_len && left && _strchr_optimized_for_single_char_haystack(chars, *src)) + { +- src++; +- left--; ++ sd_step(&src, &left); + num_skipped++; + if (max_len >= 0) + max_len--; +@@ -127,8 +123,7 @@ log_msg_parse_skip_space(LogMessage *self, const guchar **data, gint *length) + + if (left > 0 && *src == ' ') + { +- src++; +- left--; ++ sd_step(&src, &left); + } + else + { +@@ -149,8 +144,7 @@ log_msg_parse_skip_chars_until(LogMessage *self, const guchar **data, gint *leng + + while (left && _strchr_optimized_for_single_char_haystack(delims, *src) == 0) + { +- src++; +- left--; ++ sd_step(&src, &left); + num_skipped++; + } + *data = src; +@@ -200,11 +194,9 @@ log_msg_parse_cisco_sequence_id(LogMessage *self, const guchar **data, gint *len + { + if (!isdigit(*src)) + return; +- src++; +- left--; ++ sd_step(&src, &left); + } +- src++; +- left--; ++ sd_step(&src, &left); + + /* if the next char is not space, then we may try to read a date */ + +@@ -230,15 +222,13 @@ log_msg_parse_cisco_timestamp_attributes(LogMessage *self, const guchar **data, + { + if (!(parse_flags & LP_NO_PARSE_DATE)) + log_msg_set_value(self, handles.is_synced, "0", 1); +- src++; +- left--; ++ sd_step(&src, &left); + } + else if (G_UNLIKELY(src[0] == '.')) + { + if (!(parse_flags & LP_NO_PARSE_DATE)) + log_msg_set_value(self, handles.is_synced, "1", 1); +- src++; +- left--; ++ sd_step(&src, &left); + } + *data = src; + *length = left; +@@ -308,8 +298,7 @@ log_msg_parse_version(LogMessage *self, const guchar **data, gint *length) + { + return FALSE; + } +- src++; +- left--; ++ sd_step(&src, &left); + } + if (version != 1) + return FALSE; +@@ -331,8 +320,7 @@ log_msg_parse_legacy_program_name(LogMessage *self, const guchar **data, gint *l + prog_start = src; + while (left && *src != ' ' && *src != '[' && *src != ':') + { +- src++; +- left--; ++ sd_step(&src, &left); + } + log_msg_set_value(self, LM_V_PROGRAM, (gchar *) prog_start, src - prog_start); + if (left > 0 && *src == '[') +@@ -340,8 +328,7 @@ log_msg_parse_legacy_program_name(LogMessage *self, const guchar **data, gint *l + const guchar *pid_start = src + 1; + while (left && *src != ' ' && *src != ']' && *src != ':') + { +- src++; +- left--; ++ sd_step(&src, &left); + } + if (left) + { +@@ -349,19 +336,16 @@ log_msg_parse_legacy_program_name(LogMessage *self, const guchar **data, gint *l + } + if (left > 0 && *src == ']') + { +- src++; +- left--; ++ sd_step(&src, &left); + } + } + if (left > 0 && *src == ':') + { +- src++; +- left--; ++ sd_step(&src, &left); + } + if (left > 0 && *src == ' ') + { +- src++; +- left--; ++ sd_step(&src, &left); + } + if ((flags & LP_STORE_LEGACY_MSGHDR)) + { +@@ -475,8 +459,7 @@ log_msg_parse_hostname(LogMessage *self, const guchar **data, gint *length, + break; + } + hostname_buf[dst++] = *src; +- src++; +- left--; ++ sd_step(&src, &left); + } + hostname_buf[dst] = 0; + +@@ -555,8 +538,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + if (left && src[0] == '-') + { + /* Nothing to do here */ +- src++; +- left--; ++ sd_step(&src, &left); + } + else if (left && src[0] == '[') + { diff -Nru syslog-ng-3.28.1/debian/patches/0003-syslogformat-sd_step-skip-if-no-char-left.patch syslog-ng-3.28.1/debian/patches/0003-syslogformat-sd_step-skip-if-no-char-left.patch --- syslog-ng-3.28.1/debian/patches/0003-syslogformat-sd_step-skip-if-no-char-left.patch 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/0003-syslogformat-sd_step-skip-if-no-char-left.patch 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,35 @@ +From: Kokan +Date: Fri, 24 Jul 2020 11:03:19 +0200 +Subject: syslogformat: sd_step skip if no char left + +Fixes #3328 and hopefully a few similuar not discovered crashes like that. + +Signed-off-by: Kokan +Bug: https://github.com/syslog-ng/syslog-ng/issues/3328 +Origin: https://github.com/syslog-ng/syslog-ng/commit/0ce839090986670290461c52d3a70046659e86 +--- + modules/syslogformat/syslog-format.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c +index ec4b570..d81c74e 100644 +--- a/modules/syslogformat/syslog-format.c ++++ b/modules/syslogformat/syslog-format.c +@@ -47,11 +47,16 @@ static struct + NVHandle raw_message; + } handles; + +-static inline void ++static inline gboolean + sd_step(const guchar **data, gint *left) + { ++ if (*left < 1) ++ return FALSE; ++ + (*data)++; + (*left)--; ++ ++ return TRUE; + } + + diff -Nru syslog-ng-3.28.1/debian/patches/0004-syslogformat-sd_step-_process_any_char.patch syslog-ng-3.28.1/debian/patches/0004-syslogformat-sd_step-_process_any_char.patch --- syslog-ng-3.28.1/debian/patches/0004-syslogformat-sd_step-_process_any_char.patch 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/0004-syslogformat-sd_step-_process_any_char.patch 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,259 @@ +From: Kokan +Date: Fri, 24 Jul 2020 11:11:19 +0200 +Subject: syslogformat: sd_step -> _process_any_char + +Signed-off-by: Kokan +Origin: https://github.com/syslog-ng/syslog-ng/commit/4117b4b7eaaed215295e0e3bff6e8f6dc9c1842b +--- + modules/syslogformat/syslog-format.c | 60 ++++++++++++++++++------------------ + 1 file changed, 30 insertions(+), 30 deletions(-) + +diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c +index d81c74e..da70d63 100644 +--- a/modules/syslogformat/syslog-format.c ++++ b/modules/syslogformat/syslog-format.c +@@ -48,7 +48,7 @@ static struct + } handles; + + static inline gboolean +-sd_step(const guchar **data, gint *left) ++_process_any_char(const guchar **data, gint *left) + { + if (*left < 1) + return FALSE; +@@ -70,7 +70,7 @@ log_msg_parse_pri(LogMessage *self, const guchar **data, gint *length, guint fla + + if (left && src[0] == '<') + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + pri = 0; + while (left && *src != '>') + { +@@ -82,12 +82,12 @@ log_msg_parse_pri(LogMessage *self, const guchar **data, gint *length, guint fla + { + return FALSE; + } +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + self->pri = pri; + if (left) + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + } + /* No priority info in the buffer? Just assign a default. */ +@@ -110,7 +110,7 @@ log_msg_parse_skip_chars(LogMessage *self, const guchar **data, gint *length, co + + while (max_len && left && _strchr_optimized_for_single_char_haystack(chars, *src)) + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + num_skipped++; + if (max_len >= 0) + max_len--; +@@ -128,7 +128,7 @@ log_msg_parse_skip_space(LogMessage *self, const guchar **data, gint *length) + + if (left > 0 && *src == ' ') + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + else + { +@@ -149,7 +149,7 @@ log_msg_parse_skip_chars_until(LogMessage *self, const guchar **data, gint *leng + + while (left && _strchr_optimized_for_single_char_haystack(delims, *src) == 0) + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + num_skipped++; + } + *data = src; +@@ -199,9 +199,9 @@ log_msg_parse_cisco_sequence_id(LogMessage *self, const guchar **data, gint *len + { + if (!isdigit(*src)) + return; +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + + /* if the next char is not space, then we may try to read a date */ + +@@ -227,13 +227,13 @@ log_msg_parse_cisco_timestamp_attributes(LogMessage *self, const guchar **data, + { + if (!(parse_flags & LP_NO_PARSE_DATE)) + log_msg_set_value(self, handles.is_synced, "0", 1); +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + else if (G_UNLIKELY(src[0] == '.')) + { + if (!(parse_flags & LP_NO_PARSE_DATE)) + log_msg_set_value(self, handles.is_synced, "1", 1); +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + *data = src; + *length = left; +@@ -303,7 +303,7 @@ log_msg_parse_version(LogMessage *self, const guchar **data, gint *length) + { + return FALSE; + } +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + if (version != 1) + return FALSE; +@@ -325,7 +325,7 @@ log_msg_parse_legacy_program_name(LogMessage *self, const guchar **data, gint *l + prog_start = src; + while (left && *src != ' ' && *src != '[' && *src != ':') + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + log_msg_set_value(self, LM_V_PROGRAM, (gchar *) prog_start, src - prog_start); + if (left > 0 && *src == '[') +@@ -333,7 +333,7 @@ log_msg_parse_legacy_program_name(LogMessage *self, const guchar **data, gint *l + const guchar *pid_start = src + 1; + while (left && *src != ' ' && *src != ']' && *src != ':') + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + if (left) + { +@@ -341,16 +341,16 @@ log_msg_parse_legacy_program_name(LogMessage *self, const guchar **data, gint *l + } + if (left > 0 && *src == ']') + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + } + if (left > 0 && *src == ':') + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + if (left > 0 && *src == ' ') + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + if ((flags & LP_STORE_LEGACY_MSGHDR)) + { +@@ -464,7 +464,7 @@ log_msg_parse_hostname(LogMessage *self, const guchar **data, gint *length, + break; + } + hostname_buf[dst++] = *src; +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + hostname_buf[dst] = 0; + +@@ -543,11 +543,11 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + if (left && src[0] == '-') + { + /* Nothing to do here */ +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + else if (left && src[0] == '[') + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + open_sd++; + do + { +@@ -574,7 +574,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + { + goto error; + } +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + + if (pos == 0) +@@ -598,7 +598,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + while (left && *src != ']') + { + if (left && *src == ' ') /* skip the ' ' before the parameter name */ +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + else + goto error; + +@@ -623,14 +623,14 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + { + goto error; + } +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + sd_param_name[pos] = 0; + strncpy(&sd_value_name[logmsg_sd_prefix_len + 1 + sd_id_len], sd_param_name, + sizeof(sd_value_name) - logmsg_sd_prefix_len - 1 - sd_id_len); + + if (left && *src == '=') +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + else + goto error; + +@@ -640,7 +640,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + { + gboolean quote = FALSE; + /* opening quote */ +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + pos = 0; + + while (left && (*src != '"' || quote)) +@@ -658,7 +658,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + } + else if (!quote && *src == ']') + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + goto error; + } + if (pos < sizeof(sd_param_value) - 1) +@@ -668,13 +668,13 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + } + quote = FALSE; + } +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + } + sd_param_value[pos] = 0; + sd_param_value_len = pos; + + if (left && *src == '"')/* closing quote */ +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + else + goto error; + } +@@ -688,7 +688,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + + if (left && *src == ']') + { +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + open_sd--; + } + else +@@ -700,7 +700,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + if (left && *src == '[') + { + /* new structured data begins, thus continue iteration */ +- sd_step(&src, &left); ++ _process_any_char(&src, &left); + open_sd++; + } + } diff -Nru syslog-ng-3.28.1/debian/patches/0005-syslogformat-skip-cisco-sequence-id-parsing.patch syslog-ng-3.28.1/debian/patches/0005-syslogformat-skip-cisco-sequence-id-parsing.patch --- syslog-ng-3.28.1/debian/patches/0005-syslogformat-skip-cisco-sequence-id-parsing.patch 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/0005-syslogformat-skip-cisco-sequence-id-parsing.patch 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,31 @@ +From: Kokan +Date: Fri, 24 Jul 2020 11:20:44 +0200 +Subject: syslogformat: skip cisco sequence id parsing + +If the parsing of cisco sequence id is failing, re-submit the string part it +tried and skip setting sequence id. + +Signed-off-by: Kokan +Origin: https://github.com/syslog-ng/syslog-ng/commit/849305fc35f4097201183b25200f2af3ad56d404 +--- + modules/syslogformat/syslog-format.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c +index da70d63..dd1ce83 100644 +--- a/modules/syslogformat/syslog-format.c ++++ b/modules/syslogformat/syslog-format.c +@@ -199,9 +199,11 @@ log_msg_parse_cisco_sequence_id(LogMessage *self, const guchar **data, gint *len + { + if (!isdigit(*src)) + return; +- _process_any_char(&src, &left); ++ if (!_process_any_char(&src, &left)) ++ return; + } +- _process_any_char(&src, &left); ++ if (!_process_any_char(&src, &left)) ++ return; + + /* if the next char is not space, then we may try to read a date */ + diff -Nru syslog-ng-3.28.1/debian/patches/0006-syslogformat-fix-out-of-bounds-reading-of-data-buffe.patch syslog-ng-3.28.1/debian/patches/0006-syslogformat-fix-out-of-bounds-reading-of-data-buffe.patch --- syslog-ng-3.28.1/debian/patches/0006-syslogformat-fix-out-of-bounds-reading-of-data-buffe.patch 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/0006-syslogformat-fix-out-of-bounds-reading-of-data-buffe.patch 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,53 @@ +From: László Várady +Date: Sat, 20 Aug 2022 12:26:05 +0200 +Subject: syslogformat: fix out-of-bounds reading of data buffer + +Signed-off-by: László Várady +Origin: https://github.com/syslog-ng/syslog-ng/commit/b5a060f2ebb8d794f508436a12e4d4163f94b1b8 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2022-38725 +--- + modules/syslogformat/syslog-format.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c +index dd1ce83..fc3a89e 100644 +--- a/modules/syslogformat/syslog-format.c ++++ b/modules/syslogformat/syslog-format.c +@@ -223,6 +223,9 @@ log_msg_parse_cisco_timestamp_attributes(LogMessage *self, const guchar **data, + const guchar *src = *data; + gint left = *length; + ++ if (!left) ++ return; ++ + /* Cisco timestamp extensions, the first '*' indicates that the clock is + * unsynced, '.' if it is known to be synced */ + if (G_UNLIKELY(src[0] == '*')) +@@ -553,7 +556,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + open_sd++; + do + { +- if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') ++ if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') + goto error; + /* read sd_id */ + pos = 0; +@@ -587,7 +590,8 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + strcpy(sd_value_name, logmsg_sd_prefix); + /* this strcat is safe, as sd_id_name is at most 32 chars */ + strncpy(sd_value_name + logmsg_sd_prefix_len, sd_id_name, sizeof(sd_value_name) - logmsg_sd_prefix_len); +- if (*src == ']') ++ ++ if (left && *src == ']') + { + log_msg_set_value_by_name(self, sd_value_name, "", 0); + } +@@ -604,7 +608,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + else + goto error; + +- if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') ++ if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') + goto error; + + /* read sd-param */ diff -Nru syslog-ng-3.28.1/debian/patches/0007-syslogformat-fix-reading-cisco-sequence-id-out-of-bo.patch syslog-ng-3.28.1/debian/patches/0007-syslogformat-fix-reading-cisco-sequence-id-out-of-bo.patch --- syslog-ng-3.28.1/debian/patches/0007-syslogformat-fix-reading-cisco-sequence-id-out-of-bo.patch 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/0007-syslogformat-fix-reading-cisco-sequence-id-out-of-bo.patch 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,24 @@ +From: László Várady +Date: Sun, 21 Aug 2022 18:44:28 +0200 +Subject: syslogformat: fix reading cisco sequence id out of bounds + +Signed-off-by: László Várady +Origin: https://github.com/syslog-ng/syslog-ng/commit/4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2022-38725 +--- + modules/syslogformat/syslog-format.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c +index fc3a89e..76bf62e 100644 +--- a/modules/syslogformat/syslog-format.c ++++ b/modules/syslogformat/syslog-format.c +@@ -207,7 +207,7 @@ log_msg_parse_cisco_sequence_id(LogMessage *self, const guchar **data, gint *len + + /* if the next char is not space, then we may try to read a date */ + +- if (*src != ' ') ++ if (!left || *src != ' ') + return; + + log_msg_set_value(self, handles.cisco_seqid, (gchar *) *data, *length - left - 1); diff -Nru syslog-ng-3.28.1/debian/patches/0008-timeutils-fix-iterating-out-of-the-range-of-timestam.patch syslog-ng-3.28.1/debian/patches/0008-timeutils-fix-iterating-out-of-the-range-of-timestam.patch --- syslog-ng-3.28.1/debian/patches/0008-timeutils-fix-iterating-out-of-the-range-of-timestam.patch 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/0008-timeutils-fix-iterating-out-of-the-range-of-timestam.patch 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,25 @@ +From: László Várady +Date: Sat, 20 Aug 2022 12:42:38 +0200 +Subject: timeutils: fix iterating out of the range of timestamp buffer + +Signed-off-by: László Várady +Signed-off-by: Balazs Scheidler +Origin: https://github.com/syslog-ng/syslog-ng/commit/73b5c300b8fde5e7a4824baa83a04931279abb37 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2022-38725 +--- + lib/timeutils/scan-timestamp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c +index 2f6a6b7..cb6802d 100644 +--- a/lib/timeutils/scan-timestamp.c ++++ b/lib/timeutils/scan-timestamp.c +@@ -328,7 +328,7 @@ __parse_usec(const guchar **data, gint *length) + src++; + (*length)--; + } +- while (isdigit(*src)) ++ while (*length > 0 && isdigit(*src)) + { + src++; + (*length)--; diff -Nru syslog-ng-3.28.1/debian/patches/0009-timeutils-add-tests-for-non-zero-terminated-inputs.patch syslog-ng-3.28.1/debian/patches/0009-timeutils-add-tests-for-non-zero-terminated-inputs.patch --- syslog-ng-3.28.1/debian/patches/0009-timeutils-add-tests-for-non-zero-terminated-inputs.patch 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/0009-timeutils-add-tests-for-non-zero-terminated-inputs.patch 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,201 @@ +From: Balazs Scheidler +Date: Sat, 20 Aug 2022 12:43:42 +0200 +Subject: timeutils: add tests for non-zero terminated inputs + +Signed-off-by: Balazs Scheidler +Origin: https://github.com/syslog-ng/syslog-ng/commit/45f051239312e43bd4f92b9339fe67c6798a0321 +--- + lib/timeutils/tests/test_scan-timestamp.c | 126 +++++++++++++++++++++++++++--- + 1 file changed, 113 insertions(+), 13 deletions(-) + +diff --git a/lib/timeutils/tests/test_scan-timestamp.c b/lib/timeutils/tests/test_scan-timestamp.c +index 2756bf3..da375c8 100644 +--- a/lib/timeutils/tests/test_scan-timestamp.c ++++ b/lib/timeutils/tests/test_scan-timestamp.c +@@ -49,17 +49,21 @@ fake_time_add(time_t diff) + } + + static gboolean +-_parse_rfc3164(const gchar *ts, gchar isotimestamp[32]) ++_parse_rfc3164(const gchar *ts, gint len, gchar isotimestamp[32]) + { + UnixTime stamp; +- const guchar *data = (const guchar *) ts; +- gint length = strlen(ts); ++ const guchar *tsu = (const guchar *) ts; ++ gint tsu_len = len < 0 ? strlen(ts) : len; + GString *result = g_string_new(""); + WallClockTime wct = WALL_CLOCK_TIME_INIT; + +- ++ const guchar *data = tsu; ++ gint length = tsu_len; + gboolean success = scan_rfc3164_timestamp(&data, &length, &wct); + ++ cr_assert(length >= 0); ++ cr_assert(data == &tsu[tsu_len - length]); ++ + unix_time_unset(&stamp); + convert_wall_clock_time_to_unix_time(&wct, &stamp); + +@@ -70,16 +74,21 @@ _parse_rfc3164(const gchar *ts, gchar isotimestamp[32]) + } + + static gboolean +-_parse_rfc5424(const gchar *ts, gchar isotimestamp[32]) ++_parse_rfc5424(const gchar *ts, gint len, gchar isotimestamp[32]) + { + UnixTime stamp; +- const guchar *data = (const guchar *) ts; +- gint length = strlen(ts); ++ const guchar *tsu = (const guchar *) ts; ++ gint tsu_len = len < 0 ? strlen(ts) : len; + GString *result = g_string_new(""); + WallClockTime wct = WALL_CLOCK_TIME_INIT; + ++ const guchar *data = tsu; ++ gint length = tsu_len; + gboolean success = scan_rfc5424_timestamp(&data, &length, &wct); + ++ cr_assert(length >= 0); ++ cr_assert(data == &tsu[tsu_len - length]); ++ + unix_time_unset(&stamp); + convert_wall_clock_time_to_unix_time(&wct, &stamp); + +@@ -90,31 +99,60 @@ _parse_rfc5424(const gchar *ts, gchar isotimestamp[32]) + } + + static gboolean +-_rfc3164_timestamp_eq(const gchar *ts, const gchar *expected, gchar converted[32]) ++_rfc3164_timestamp_eq(const gchar *ts, gint len, const gchar *expected, gchar converted[32]) + { +- cr_assert(_parse_rfc3164(ts, converted)); ++ cr_assert(_parse_rfc3164(ts, len, converted)); + return strcmp(converted, expected) == 0; + } + + static gboolean +-_rfc5424_timestamp_eq(const gchar *ts, const gchar *expected, gchar converted[32]) ++_rfc5424_timestamp_eq(const gchar *ts, gint len, const gchar *expected, gchar converted[32]) + { +- cr_assert(_parse_rfc5424(ts, converted)); ++ cr_assert(_parse_rfc5424(ts, len, converted)); + return strcmp(converted, expected) == 0; + } + + #define _expect_rfc3164_timestamp_eq(ts, expected) \ + ({ \ + gchar converted[32]; \ +- cr_expect(_rfc3164_timestamp_eq(ts, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ cr_expect(_rfc3164_timestamp_eq(ts, -1, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc3164_timestamp_len_eq(ts, len, expected) \ ++ ({ \ ++ gchar converted[32]; \ ++ cr_expect(_rfc3164_timestamp_eq(ts, len, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc3164_fails(ts, len) \ ++ ({ \ ++ WallClockTime wct = WALL_CLOCK_TIME_INIT; \ ++ const guchar *data = (guchar *) ts; \ ++ gint length = len < 0 ? strlen(ts) : len; \ ++ cr_assert_not(scan_rfc3164_timestamp(&data, &length, &wct)); \ + }) + + #define _expect_rfc5424_timestamp_eq(ts, expected) \ + ({ \ + gchar converted[32]; \ +- cr_expect(_rfc5424_timestamp_eq(ts, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ cr_expect(_rfc5424_timestamp_eq(ts, -1, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc5424_timestamp_len_eq(ts, len, expected) \ ++ ({ \ ++ gchar converted[32]; \ ++ cr_expect(_rfc5424_timestamp_eq(ts, len, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc5424_fails(ts, len) \ ++ ({ \ ++ WallClockTime wct = WALL_CLOCK_TIME_INIT; \ ++ const guchar *data = (guchar *) ts; \ ++ gint length = len < 0 ? strlen(ts) : len; \ ++ cr_assert_not(scan_rfc5424_timestamp(&data, &length, &wct)); \ + }) + ++ + Test(parse_timestamp, standard_bsd_format) + { + _expect_rfc3164_timestamp_eq("Oct 1 17:46:12", "2017-10-01T17:46:12.000+02:00"); +@@ -148,6 +186,68 @@ Test(parse_timestamp, standard_bsd_format_year_in_the_past) + _expect_rfc3164_timestamp_eq("Dec 31 17:46:12", "2017-12-31T17:46:12.000+01:00"); + } + ++Test(parse_timestamp, non_zero_terminated_rfc3164_iso_input_is_handled_properly) ++{ ++ gchar *ts = "2022-08-17T05:02:28.417Z whatever"; ++ gint ts_len = 24; ++ ++ _expect_rfc3164_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.417+00:00"); ++ ++ /* no "Z" parsed, timezone defaults to local, forced CET */ ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 1, "2022-08-17T05:02:28.417+02:00"); ++ ++ /* msec is partially parsed as we trim the string from the right */ ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 2, "2022-08-17T05:02:28.410+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 3, "2022-08-17T05:02:28.400+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 4, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 5, "2022-08-17T05:02:28.000+02:00"); ++ ++ for (gint i = 6; i < ts_len; i++) ++ _expect_rfc3164_fails(ts, ts_len - i); ++ ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc3164_bsd_pix_or_asa_input_is_handled_properly) ++{ ++ gchar *ts = "Aug 17 2022 05:02:28: whatever"; ++ gint ts_len = 21; ++ ++ _expect_rfc3164_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.000+02:00"); ++ ++ /* no ":" at the end, that's a problem, unrecognized */ ++ _expect_rfc3164_fails(ts, ts_len - 1); ++ ++ for (gint i = 1; i < ts_len; i++) ++ _expect_rfc3164_fails(ts, ts_len - i); ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc5424_input_is_handled_properly) ++{ ++ gchar *ts = "2022-08-17T05:02:28.417Z whatever"; ++ gint ts_len = 24; ++ ++ _expect_rfc5424_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.417+00:00"); ++ ++ /* no "Z" parsed, timezone defaults to local, forced CET */ ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 1, "2022-08-17T05:02:28.417+02:00"); ++ ++ /* msec is partially parsed as we trim the string from the right */ ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 2, "2022-08-17T05:02:28.410+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 3, "2022-08-17T05:02:28.400+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 4, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 5, "2022-08-17T05:02:28.000+02:00"); ++ ++ for (gint i = 6; i < ts_len; i++) ++ _expect_rfc5424_fails(ts, ts_len - i); ++ ++} ++ + + Test(parse_timestamp, daylight_saving_behavior_at_spring_with_explicit_timezones) + { diff -Nru syslog-ng-3.28.1/debian/patches/0010-timeutils-name-repeating-constant.patch syslog-ng-3.28.1/debian/patches/0010-timeutils-name-repeating-constant.patch --- syslog-ng-3.28.1/debian/patches/0010-timeutils-name-repeating-constant.patch 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/0010-timeutils-name-repeating-constant.patch 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,167 @@ +From: László Várady +Date: Sat, 20 Aug 2022 14:29:43 +0200 +Subject: timeutils: name repeating constant + +Signed-off-by: László Várady +Origin: https://github.com/syslog-ng/syslog-ng/commit/09f489c89c826293ff8cbd282cfc866ab56054c4 +--- + lib/timeutils/scan-timestamp.c | 54 +++++++++++++++++++++++------------------- + 1 file changed, 29 insertions(+), 25 deletions(-) + +diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c +index cb6802d..197e3ad 100644 +--- a/lib/timeutils/scan-timestamp.c ++++ b/lib/timeutils/scan-timestamp.c +@@ -34,41 +34,43 @@ scan_day_abbrev(const gchar **buf, gint *left, gint *wday) + { + *wday = -1; + +- if (*left < 3) ++ const gsize abbrev_length = 3; ++ ++ if (*left < abbrev_length) + return FALSE; + + switch (**buf) + { + case 'S': +- if (strncasecmp(*buf, "Sun", 3) == 0) ++ if (strncasecmp(*buf, "Sun", abbrev_length) == 0) + *wday = 0; +- else if (strncasecmp(*buf, "Sat", 3) == 0) ++ else if (strncasecmp(*buf, "Sat", abbrev_length) == 0) + *wday = 6; + else + return FALSE; + break; + case 'M': +- if (strncasecmp(*buf, "Mon", 3) == 0) ++ if (strncasecmp(*buf, "Mon", abbrev_length) == 0) + *wday = 1; + else + return FALSE; + break; + case 'T': +- if (strncasecmp(*buf, "Tue", 3) == 0) ++ if (strncasecmp(*buf, "Tue", abbrev_length) == 0) + *wday = 2; +- else if (strncasecmp(*buf, "Thu", 3) == 0) ++ else if (strncasecmp(*buf, "Thu", abbrev_length) == 0) + *wday = 4; + else + return FALSE; + break; + case 'W': +- if (strncasecmp(*buf, "Wed", 3) == 0) ++ if (strncasecmp(*buf, "Wed", abbrev_length) == 0) + *wday = 3; + else + return FALSE; + break; + case 'F': +- if (strncasecmp(*buf, "Fri", 3) == 0) ++ if (strncasecmp(*buf, "Fri", abbrev_length) == 0) + *wday = 5; + else + return FALSE; +@@ -77,8 +79,8 @@ scan_day_abbrev(const gchar **buf, gint *left, gint *wday) + return FALSE; + } + +- (*buf) += 3; +- (*left) -= 3; ++ (*buf) += abbrev_length; ++ (*left) -= abbrev_length; + return TRUE; + } + +@@ -87,63 +89,65 @@ scan_month_abbrev(const gchar **buf, gint *left, gint *mon) + { + *mon = -1; + +- if (*left < 3) ++ const gsize abbrev_length = 3; ++ ++ if (*left < abbrev_length) + return FALSE; + + switch (**buf) + { + case 'J': +- if (strncasecmp(*buf, "Jan", 3) == 0) ++ if (strncasecmp(*buf, "Jan", abbrev_length) == 0) + *mon = 0; +- else if (strncasecmp(*buf, "Jun", 3) == 0) ++ else if (strncasecmp(*buf, "Jun", abbrev_length) == 0) + *mon = 5; +- else if (strncasecmp(*buf, "Jul", 3) == 0) ++ else if (strncasecmp(*buf, "Jul", abbrev_length) == 0) + *mon = 6; + else + return FALSE; + break; + case 'F': +- if (strncasecmp(*buf, "Feb", 3) == 0) ++ if (strncasecmp(*buf, "Feb", abbrev_length) == 0) + *mon = 1; + else + return FALSE; + break; + case 'M': +- if (strncasecmp(*buf, "Mar", 3) == 0) ++ if (strncasecmp(*buf, "Mar", abbrev_length) == 0) + *mon = 2; +- else if (strncasecmp(*buf, "May", 3) == 0) ++ else if (strncasecmp(*buf, "May", abbrev_length) == 0) + *mon = 4; + else + return FALSE; + break; + case 'A': +- if (strncasecmp(*buf, "Apr", 3) == 0) ++ if (strncasecmp(*buf, "Apr", abbrev_length) == 0) + *mon = 3; +- else if (strncasecmp(*buf, "Aug", 3) == 0) ++ else if (strncasecmp(*buf, "Aug", abbrev_length) == 0) + *mon = 7; + else + return FALSE; + break; + case 'S': +- if (strncasecmp(*buf, "Sep", 3) == 0) ++ if (strncasecmp(*buf, "Sep", abbrev_length) == 0) + *mon = 8; + else + return FALSE; + break; + case 'O': +- if (strncasecmp(*buf, "Oct", 3) == 0) ++ if (strncasecmp(*buf, "Oct", abbrev_length) == 0) + *mon = 9; + else + return FALSE; + break; + case 'N': +- if (strncasecmp(*buf, "Nov", 3) == 0) ++ if (strncasecmp(*buf, "Nov", abbrev_length) == 0) + *mon = 10; + else + return FALSE; + break; + case 'D': +- if (strncasecmp(*buf, "Dec", 3) == 0) ++ if (strncasecmp(*buf, "Dec", abbrev_length) == 0) + *mon = 11; + else + return FALSE; +@@ -152,8 +156,8 @@ scan_month_abbrev(const gchar **buf, gint *left, gint *mon) + return FALSE; + } + +- (*buf) += 3; +- (*left) -= 3; ++ (*buf) += abbrev_length; ++ (*left) -= abbrev_length; + return TRUE; + } + diff -Nru syslog-ng-3.28.1/debian/patches/0011-timeutils-fix-invalid-calculation-of-ISO-timestamp-l.patch syslog-ng-3.28.1/debian/patches/0011-timeutils-fix-invalid-calculation-of-ISO-timestamp-l.patch --- syslog-ng-3.28.1/debian/patches/0011-timeutils-fix-invalid-calculation-of-ISO-timestamp-l.patch 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/0011-timeutils-fix-invalid-calculation-of-ISO-timestamp-l.patch 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,68 @@ +From: László Várady +Date: Sat, 20 Aug 2022 14:30:22 +0200 +Subject: timeutils: fix invalid calculation of ISO timestamp length + +Signed-off-by: László Várady +Origin: https://github.com/syslog-ng/syslog-ng/commit/8c6e2c1c41b0fcc5fbd464c35f4dac7102235396 +--- + lib/timeutils/scan-timestamp.c | 8 ++++++-- + lib/timeutils/tests/test_scan-timestamp.c | 7 +++++++ + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c +index 197e3ad..4e618e4 100644 +--- a/lib/timeutils/scan-timestamp.c ++++ b/lib/timeutils/scan-timestamp.c +@@ -346,19 +346,21 @@ __parse_usec(const guchar **data, gint *length) + static gboolean + __has_iso_timezone(const guchar *src, gint length) + { +- return (length >= 5) && ++ return (length >= 6) && + (*src == '+' || *src == '-') && + isdigit(*(src+1)) && + isdigit(*(src+2)) && + *(src+3) == ':' && + isdigit(*(src+4)) && + isdigit(*(src+5)) && +- !isdigit(*(src+6)); ++ (length < 7 || !isdigit(*(src+6))); + } + + static guint32 + __parse_iso_timezone(const guchar **data, gint *length) + { ++ g_assert(*length >= 6); ++ + gint hours, mins; + const guchar *src = *data; + guint32 tz = 0; +@@ -368,8 +370,10 @@ __parse_iso_timezone(const guchar **data, gint *length) + hours = (*(src + 1) - '0') * 10 + *(src + 2) - '0'; + mins = (*(src + 4) - '0') * 10 + *(src + 5) - '0'; + tz = sign * (hours * 3600 + mins * 60); ++ + src += 6; + (*length) -= 6; ++ + *data = src; + return tz; + } +diff --git a/lib/timeutils/tests/test_scan-timestamp.c b/lib/timeutils/tests/test_scan-timestamp.c +index da375c8..9b38738 100644 +--- a/lib/timeutils/tests/test_scan-timestamp.c ++++ b/lib/timeutils/tests/test_scan-timestamp.c +@@ -248,6 +248,13 @@ Test(parse_timestamp, non_zero_terminated_rfc5424_input_is_handled_properly) + + } + ++Test(parse_timestamp, non_zero_terminated_rfc5424_timestamp_only) ++{ ++ const gchar *ts = "2022-08-17T05:02:28.417+03:00"; ++ gint ts_len = strlen(ts); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len, ts); ++} ++ + + Test(parse_timestamp, daylight_saving_behavior_at_spring_with_explicit_timezones) + { diff -Nru syslog-ng-3.28.1/debian/patches/0012-timeutils-fix-out-of-bounds-reading-of-data-buffer.patch syslog-ng-3.28.1/debian/patches/0012-timeutils-fix-out-of-bounds-reading-of-data-buffer.patch --- syslog-ng-3.28.1/debian/patches/0012-timeutils-fix-out-of-bounds-reading-of-data-buffer.patch 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/0012-timeutils-fix-out-of-bounds-reading-of-data-buffer.patch 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,33 @@ +From: László Várady +Date: Sat, 20 Aug 2022 14:30:51 +0200 +Subject: timeutils: fix out-of-bounds reading of data buffer + +Signed-off-by: László Várady +Origin: https://github.com/syslog-ng/syslog-ng/commit/56f881c5eaa3d8c02c96607c4b9e4eaf959a044d +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2022-38725 +--- + lib/timeutils/scan-timestamp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c +index 4e618e4..0f7f52e 100644 +--- a/lib/timeutils/scan-timestamp.c ++++ b/lib/timeutils/scan-timestamp.c +@@ -427,7 +427,7 @@ __parse_bsd_timestamp(const guchar **data, gint *length, WallClockTime *wct) + if (!scan_pix_timestamp((const gchar **) &src, &left, wct)) + return FALSE; + +- if (*src == ':') ++ if (left && *src == ':') + { + src++; + left--; +@@ -478,7 +478,7 @@ scan_rfc3164_timestamp(const guchar **data, gint *length, WallClockTime *wct) + * looking at you, skip that as well, so we can reliably detect IPv6 + * addresses as hostnames, which would be using ":" as well. */ + +- if (*src == ':') ++ if (left && *src == ':') + { + ++src; + --left; diff -Nru syslog-ng-3.28.1/debian/patches/series syslog-ng-3.28.1/debian/patches/series --- syslog-ng-3.28.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/patches/series 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,12 @@ +0001-syslogformat-reorder-functions.patch +0002-syslogformat-utilize-sd_step.patch +0003-syslogformat-sd_step-skip-if-no-char-left.patch +0004-syslogformat-sd_step-_process_any_char.patch +0005-syslogformat-skip-cisco-sequence-id-parsing.patch +0006-syslogformat-fix-out-of-bounds-reading-of-data-buffe.patch +0007-syslogformat-fix-reading-cisco-sequence-id-out-of-bo.patch +0008-timeutils-fix-iterating-out-of-the-range-of-timestam.patch +0009-timeutils-add-tests-for-non-zero-terminated-inputs.patch +0010-timeutils-name-repeating-constant.patch +0011-timeutils-fix-invalid-calculation-of-ISO-timestamp-l.patch +0012-timeutils-fix-out-of-bounds-reading-of-data-buffer.patch diff -Nru syslog-ng-3.28.1/debian/salsa-ci.yml syslog-ng-3.28.1/debian/salsa-ci.yml --- syslog-ng-3.28.1/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000 +++ syslog-ng-3.28.1/debian/salsa-ci.yml 2023-02-28 23:51:40.000000000 +0000 @@ -0,0 +1,9 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + RELEASE: 'bullseye' + SALSA_CI_DISABLE_REPROTEST: 1 + SALSA_CI_DISABLE_LINTIAN: 1 + SALSA_CI_DISABLE_BLHC: 1