| Message ID | 20251115130000.1121405-4-skandigraun@gmail.com |
|---|---|
| State | Accepted |
| Delegated to: | Anuj Mittal |
| Headers | show |
| Series | [meta-oe,scarthgap,1/4] audiofile: patch CVE-2019-13147 and CVE-2022-24599 | expand |
On Sat, Nov 15, 2025 at 9:00 PM Gyorgy Sarvari via lists.openembedded.org <skandigraun=gmail.com@lists.openembedded.org> wrote: > Details: https://nvd.nist.gov/vuln/detail/CVE-2015-3243 > > The issue is about file permissions: by default rsyslog creates > world-readable > files. In case a log message contains some sensitive information, then > that's > exposed to every user on the system. > > However the rsyslog.conf file that is shipped with the recipe solves it: it > already sets non-world-readable default permissions on all files, so this > vulnerability is fixed in the default OE recipe. > > See also this package in OpenSuse[1], where it is solved the same way. > > [1]: https://build.opensuse.org/requests/619439/changes (rsyslog.conf.in) > > Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> > --- > meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf | 3 ++- > meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb | 2 ++ > 2 files changed, 4 insertions(+), 1 deletion(-) > > diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf > b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf > index dbfefb7597..6316efb629 100644 > --- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf > +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf > @@ -13,7 +13,8 @@ $ModLoad imklog # kernel logging (formerly provided by > rklogd) > > # > # Set the default permissions > -# > +# Setting the $FileCreateMode not world readable fixes CVE-2015-3243 > +# > $FileOwner root > $FileGroup adm > $FileCreateMode 0640 > diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb > b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb > index af46cc14d7..59944cd70c 100644 > --- a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb > +++ b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb > @@ -37,6 +37,8 @@ SRC_URI[sha256sum] = > "acbdd8579489df36b4a383dc6909a61b7623807f0aff54c062115f2de7 > UPSTREAM_CHECK_URI = "https://github.com/rsyslog/rsyslog/releases" > UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)" > > +CVE_STATUS[CVE-2015-3243] = "fix-file-included: The shipped default > rsyslog.conf contains the fix" > + > > fix-file-included isn't available in scarthgap so we will have to use something else.
On 11/17/25 06:50, Anuj Mittal wrote: > > > > On Sat, Nov 15, 2025 at 9:00 PM Gyorgy Sarvari via > lists.openembedded.org <http://lists.openembedded.org> > <skandigraun=gmail.com@lists.openembedded.org> wrote: > > Details: https://nvd.nist.gov/vuln/detail/CVE-2015-3243 > > The issue is about file permissions: by default rsyslog creates > world-readable > files. In case a log message contains some sensitive information, > then that's > exposed to every user on the system. > > However the rsyslog.conf file that is shipped with the recipe > solves it: it > already sets non-world-readable default permissions on all files, > so this > vulnerability is fixed in the default OE recipe. > > See also this package in OpenSuse[1], where it is solved the same way. > > [1]: https://build.opensuse.org/requests/619439/changes > (rsyslog.conf.in <http://rsyslog.conf.in>) > > Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> > --- > meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf | 3 ++- > meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb > <http://rsyslog_8.2402.0.bb> | 2 ++ > 2 files changed, 4 insertions(+), 1 deletion(-) > > diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf > b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf > index dbfefb7597..6316efb629 100644 > --- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf > +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf > @@ -13,7 +13,8 @@ $ModLoad imklog # kernel logging (formerly > provided by rklogd) > > # > # Set the default permissions > -# > +# Setting the $FileCreateMode not world readable fixes CVE-2015-3243 > +# > $FileOwner root > $FileGroup adm > $FileCreateMode 0640 > diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb > <http://rsyslog_8.2402.0.bb> > b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb > <http://rsyslog_8.2402.0.bb> > index af46cc14d7..59944cd70c 100644 > --- a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb > <http://rsyslog_8.2402.0.bb> > +++ b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb > <http://rsyslog_8.2402.0.bb> > @@ -37,6 +37,8 @@ SRC_URI[sha256sum] = > "acbdd8579489df36b4a383dc6909a61b7623807f0aff54c062115f2de7 > UPSTREAM_CHECK_URI = "https://github.com/rsyslog/rsyslog/releases" > UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)" > > +CVE_STATUS[CVE-2015-3243] = "fix-file-included: The shipped > default rsyslog.conf contains the fix" > + > > > fix-file-included isn't available in scarthgap so we will have to use > something else. Right, it seems there isn't any that would really fit... will pick a "Patched" status in a few moments.
diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf index dbfefb7597..6316efb629 100644 --- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf @@ -13,7 +13,8 @@ $ModLoad imklog # kernel logging (formerly provided by rklogd) # # Set the default permissions -# +# Setting the $FileCreateMode not world readable fixes CVE-2015-3243 +# $FileOwner root $FileGroup adm $FileCreateMode 0640 diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb index af46cc14d7..59944cd70c 100644 --- a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb +++ b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb @@ -37,6 +37,8 @@ SRC_URI[sha256sum] = "acbdd8579489df36b4a383dc6909a61b7623807f0aff54c062115f2de7 UPSTREAM_CHECK_URI = "https://github.com/rsyslog/rsyslog/releases" UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)" +CVE_STATUS[CVE-2015-3243] = "fix-file-included: The shipped default rsyslog.conf contains the fix" + inherit autotools pkgconfig systemd update-rc.d ptest EXTRA_OECONF += "--disable-generate-man-pages ap_cv_atomic_builtins=yes"
Details: https://nvd.nist.gov/vuln/detail/CVE-2015-3243 The issue is about file permissions: by default rsyslog creates world-readable files. In case a log message contains some sensitive information, then that's exposed to every user on the system. However the rsyslog.conf file that is shipped with the recipe solves it: it already sets non-world-readable default permissions on all files, so this vulnerability is fixed in the default OE recipe. See also this package in OpenSuse[1], where it is solved the same way. [1]: https://build.opensuse.org/requests/619439/changes (rsyslog.conf.in) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf | 3 ++- meta-oe/recipes-extended/rsyslog/rsyslog_8.2402.0.bb | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-)