diff mbox series

[meta-oe,kirkstone,1/6] rsyslog: set status for CVE-2015-3243

Message ID 20251115131059.1146238-1-skandigraun@gmail.com
State New
Headers show
Series [meta-oe,kirkstone,1/6] rsyslog: set status for CVE-2015-3243 | expand

Commit Message

Gyorgy Sarvari Nov. 15, 2025, 1:10 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2015-3243

The issue is about file permissions: by default rsyslog creates world-readable
files. In case a log message contains some sensitive information, then that's
exposed to every user on the system.

However the rsyslog.conf file that is shipped with the recipe solves it: it
already sets non-world-readable default permissions on all files, so this
vulnerability is fixed in the default OE recipe.

See also this package in OpenSuse[1], where it is solved the same way.

[1]: https://build.opensuse.org/requests/619439/changes (rsyslog.conf.in)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 38ea8a4617ad395b2addd24bd1f6b57a8242fa0b)

Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf | 1 +
 meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb  | 3 +++
 2 files changed, 4 insertions(+)
diff mbox series

Patch

diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf
index dbfefb7597..388c4e70bb 100644
--- a/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf
+++ b/meta-oe/recipes-extended/rsyslog/rsyslog/rsyslog.conf
@@ -13,6 +13,7 @@  $ModLoad imklog   # kernel logging (formerly provided by rklogd)
 
 #
 # Set the default permissions
+# Setting the $FileCreateMode not world readable fixes CVE-2015-3243
 #
 $FileOwner root
 $FileGroup adm
diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb
index a39de3acb5..eaa77d726e 100644
--- a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb
+++ b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb
@@ -36,6 +36,9 @@  SRC_URI[sha256sum] = "a1377218b26c0767a7a3f67d166d5338af7c24b455d35ec99974e18e68
 UPSTREAM_CHECK_URI = "https://github.com/rsyslog/rsyslog/releases"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)"
 
+# The default rsyslog.conf file contains the fix
+CVE_CHECK_IGNORE += "CVE-2015-3243"
+
 inherit autotools pkgconfig systemd update-rc.d ptest
 
 EXTRA_OECONF += "--disable-generate-man-pages ap_cv_atomic_builtins=yes"