1 files changed, 41 insertions, 0 deletions

diff --git a/0003-syslog-Fix-integer-overflow-in-__vsyslog_internal-CV.patch b/0003-syslog-Fix-integer-overflow-in-__vsyslog_internal-CV.patch
new file mode 100644
index 0000000..70ee520
--- /dev/null
+++ b/0003-syslog-Fix-integer-overflow-in-__vsyslog_internal-CV.patch
@@ -0,0 +1,41 @@
+From d37c2b20a4787463d192b32041c3406c2bd91de0 Mon Sep 17 00:00:00 2001
+From: Arjun Shankar <arjun@redhat.com>
+Date: Mon, 15 Jan 2024 17:44:45 +0100
+Subject: [PATCH 3/3] syslog: Fix integer overflow in __vsyslog_internal
+ (CVE-2023-6780)
+
+__vsyslog_internal calculated a buffer size by adding two integers, but
+did not first check if the addition would overflow.  This commit fixes
+that.
+
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+Tested-by: Carlos O'Donell <carlos@redhat.com>
+(cherry picked from commit ddf542da94caf97ff43cc2875c88749880b7259b)
+---
+ misc/syslog.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/misc/syslog.c b/misc/syslog.c
+index 53440e47ad..4af87f54fd 100644
+--- a/misc/syslog.c
++++ b/misc/syslog.c
+@@ -41,6 +41,7 @@ static char sccsid[] = "@(#)syslog.c	8.4 (Berkeley) 3/18/94";
+ #include <sys/uio.h>
+ #include <sys/un.h>
+ #include <syslog.h>
++#include <limits.h>
+ 
+ static int LogType = SOCK_DGRAM;	/* type of socket connection */
+ static int LogFile = -1;		/* fd for log */
+@@ -219,7 +220,7 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap,
+     vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags);
+     va_end (apc);
+ 
+-    if (vl < 0)
++    if (vl < 0 || vl >= INT_MAX - l)
+       goto out;
+ 
+     if (vl >= len)
+-- 
+2.33.0
+