Details: https://nvd.nist.gov/vuln/detail/CVE-2015-3243
The issue is about file permissions: by default rsyslog creates world-readable files. In case a log message contains some sensitive information, then that's exposed to every user on the system. However the rsyslog.conf file that is shipped with the recipe solves it: it already sets non-world-readable default permissions on all files, so this vulnerability is fixed in the default OE recipe. See also this package in OpenSuse[1], where it is solved the same way. [1]: https://build.opensuse.org/requests/619439/changes (rsyslog.conf.in) Signed-off-by: Gyorgy Sarvari <[email protected]> Signed-off-by: Khem Raj <[email protected]> (cherry picked from commit 38ea8a4617ad395b2addd24bd1f6b57a8242fa0b) Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE) Signed-off-by: Gyorgy Sarvari <[email protected]> --- meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf | 1 + meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb | 3 +++ 2 files changed, 4 insertions(+) diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf index dbfefb7597..388c4e70bb 100644 --- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf @@ -13,6 +13,7 @@ $ModLoad imklog # kernel logging (formerly provided by rklogd) # # Set the default permissions +# Setting the $FileCreateMode not world readable fixes CVE-2015-3243 # $FileOwner root $FileGroup adm diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb index a39de3acb5..eaa77d726e 100644 --- a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb +++ b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb @@ -36,6 +36,9 @@ SRC_URI[sha256sum] = "a1377218b26c0767a7a3f67d166d5338af7c24b455d35ec99974e18e68 UPSTREAM_CHECK_URI = "https://github.com/rsyslog/rsyslog/releases"; UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)" +# The default rsyslog.conf file contains the fix +CVE_CHECK_IGNORE += "CVE-2015-3243" + inherit autotools pkgconfig systemd update-rc.d ptest EXTRA_OECONF += "--disable-generate-man-pages ap_cv_atomic_builtins=yes"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#121730): https://lists.openembedded.org/g/openembedded-devel/message/121730 Mute This Topic: https://lists.openembedded.org/mt/116306930/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
