Bug#605578: unblock: rsyslog/4.6.4-2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#605578: unblock: rsyslog/4.6.4-2
From: Michael Biebl <biebl@debian.org>
Date: Wed, 01 Dec 2010 15:09:08 +0100
Message-id: <[🔎] 20101201140908.31931.36063.reportbug@localhost6.localdomain6>
Reply-to: Michael Biebl <biebl@debian.org>, 605578@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception

Please unblock package rsyslog

It fixes a rather nasty bug in the TLS netstream driver which could lead
to a DoS.

Changelog:

rsyslog (4.6.4-2) unstable; urgency=low

  * debian/patches/02-tls_loop_fix.patch
    - Fix bug in TLS handling which could cause rsyslog to loop in a tight
      loop and eating up all CPU and RAM resources. Closes: #549168
      Patch cherry-picked from upstream Git.

 -- Michael Biebl <biebl@debian.org>  Tue, 30 Nov 2010 14:50:15 +0100


debdiff attached.

Thanks,
Michael


unblock rsyslog/4.6.4-2

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff --git a/debian/changelog b/debian/changelog
index d1f0088..ad31baf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+rsyslog (4.6.4-2) unstable; urgency=low
+
+  * debian/patches/02-tls_loop_fix.patch
+    - Fix bug in TLS handling which could cause rsyslog to loop in a tight
+      loop and eating up all CPU and RAM resources. Closes: #549168
+      Patch cherry-picked from upstream Git.
+
+ -- Michael Biebl <biebl@debian.org>  Tue, 30 Nov 2010 14:50:15 +0100
+
 rsyslog (4.6.4-1) unstable; urgency=low
 
   * New upstream release.
diff --git a/debian/patches/02-tls_loop_fix.patch b/debian/patches/02-tls_loop_fix.patch
new file mode 100644
index 0000000..26992b4
--- /dev/null
+++ b/debian/patches/02-tls_loop_fix.patch
@@ -0,0 +1,59 @@
+commit 925504d565c6cf4a712dd8c8217891662aaf639e
+Author: Rainer Gerhards <rgerhards@adiscon.com>
+Date:   Wed Nov 24 11:14:21 2010 +0100
+
+    bugfix(important): problem in TLS handling could cause rsyslog to loop
+    
+    ... in a tight loop, effectively disabling functionality and bearing the
+    risk of unresponsiveness of the whole system.
+    Bug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=194
+
+diff --git a/runtime/nsdsel_gtls.c b/runtime/nsdsel_gtls.c
+index c3a93be..1a389a0 100644
+--- a/runtime/nsdsel_gtls.c
++++ b/runtime/nsdsel_gtls.c
+@@ -76,6 +76,9 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsdsel_waitOp_t waitOp)
+ 	if(pNsdGTLS->iMode == 1) {
+ 		if(waitOp == NSDSEL_RD && gtlsHasRcvInBuffer(pNsdGTLS)) {
+ 			++pThis->iBufferRcvReady;
++			dbgprintf("nsdsel_gtls: data already present in buffer, initiating "
++				  "dummy select %p->iBufferRcvReady=%d\n",
++				  pThis, pThis->iBufferRcvReady);
+ 			FINALIZE;
+ 		}
+ 		if(pNsdGTLS->rtryCall != gtlsRtry_None) {
+@@ -109,6 +112,7 @@ Select(nsdsel_t *pNsdsel, int *piNumReady)
+ 	if(pThis->iBufferRcvReady > 0) {
+ 		/* we still have data ready! */
+ 		*piNumReady = pThis->iBufferRcvReady;
++		dbgprintf("nsdsel_gtls: doing dummy select, data present\n");
+ 	} else {
+ 		iRet = nsdsel_ptcp.Select(pThis->pTcp, piNumReady);
+ 	}
+@@ -190,6 +194,9 @@ IsReady(nsdsel_t *pNsdsel, nsd_t *pNsd, nsdsel_waitOp_t waitOp, int *pbIsReady)
+ 	if(pNsdGTLS->iMode == 1) {
+ 		if(waitOp == NSDSEL_RD && gtlsHasRcvInBuffer(pNsdGTLS)) {
+ 			*pbIsReady = 1;
++			--pThis->iBufferRcvReady; /* one "pseudo-read" less */
++			dbgprintf("nsdl_gtls: dummy read, decermenting %p->iBufRcvReady, now %d\n",
++				   pThis, pThis->iBufferRcvReady);
+ 			FINALIZE;
+ 		}
+ 		if(pNsdGTLS->rtryCall != gtlsRtry_None) {
+@@ -200,6 +207,16 @@ IsReady(nsdsel_t *pNsdsel, nsd_t *pNsd, nsdsel_waitOp_t waitOp, int *pbIsReady)
+ 			*pbIsReady = 0;
+ 			FINALIZE;
+ 		}
++		/* now we must ensure that we do not fall back to PTCP if we have
++		 * done a "dummy" select. In that case, we know when the predicate
++		 * is not matched here, we do not have data available for this
++		 * socket. -- rgerhards, 2010-11-20
++		 */
++		if(pThis->iBufferRcvReady) {
++			dbgprintf("nsd_gtls: dummy read, buffer not available for this FD\n");
++			*pbIsReady = 0;
++			FINALIZE;
++		}
+ 	}
+ 
+ 	CHKiRet(nsdsel_ptcp.IsReady(pThis->pTcp, pNsdGTLS->pTcp, waitOp, pbIsReady));
diff --git a/debian/patches/series b/debian/patches/series
index 2113a56..3bdc4f1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 # Debian patches for rsyslog
 01-dont_create_db.patch
+02-tls_loop_fix.patch

Reply to:

Follow-Ups:
- Bug#605578: unblock: rsyslog/4.6.4-2
  - From: Mehdi Dogguy <mehdi@dogguy.org>
- Bug#605578: marked as done (unblock: rsyslog/4.6.4-2)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: NEW changes in
Next by Date: Freeze exception for phpmyadmin 4:3.3.7-2
Previous by thread: NEW changes in
Next by thread: Bug#605578: unblock: rsyslog/4.6.4-2
Index(es):
- Date
- Thread