Fix CVE-2024-22857

CVE-2024-22857.patch

@@ -0,0 +1,28 @@
+From 335d65fc5a9d73580c6663fcb754ddce4e159a61 Mon Sep 17 00:00:00 2001
+From: alirazamumtaz Malwarer Researcher at Ebryx (Pvt.) Ltd
+Date: Thu, 25 Apr 2024 13:49:04 +0800
+Subject: [PATCH] CVE-2024-22857
+
+---
+ src/rule.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/rule.c b/src/rule.c
+index 473d21f..02a9c08 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -890,8 +890,10 @@ zlog_rule_t *zlog_rule_new(char *line,
+ 		}
+ 		break;
+ 	case '$' :
+-		sscanf(file_path + 1, "%s", a_rule->record_name);
+-			
++        // read only MAXLEN_PATH characters from the file_path + 1
++		strncpy(a_rule->record_name, file_path + 1, MAXLEN_PATH);
++		a_rule->record_name[MAXLEN_PATH] = '\0';		
++	
+ 		if (file_limit) {  /* record path exists */
+ 			p = strchr(file_limit, '"');
+ 			if (!p) {
+-- 
+2.27.0

zlog.spec

@@ -1,12 +1,13 @@
 Name:           zlog
 Version:        1.2.15
-Release:        3%{?dist}
+Release:        4
 Summary:        A reliable pure C logging library
 
 License:        LGPLv2.1
 URL:            http://hardysimpson.github.io/zlog/
 Source0:        %{name}-%{version}.tar.gz
 Patch1000:      0001-Fix-stack-buffer-overflow-at-zlog_conf_build_with_fi.patch
+Patch1001:      CVE-2024-22857.patch
 
 BuildRequires:  gcc-c++
 #Requires:       
@@ -47,6 +48,9 @@ ln -sf libzlog.so.1.2 '%{buildroot}/%{_libdir}/libzlog.so'
 
 
 %changelog
+* Wed Apr 24 2024 lvfei <lvfei@kylinos.cn> - 1.2.15-4
+- Fix CVE-2024-22857
+
 * Mon Apr 25 2022 yefeng <yefeng@kylinos.com.cn> - 1.2.15-3
 - fix the CVE-2021-43521