2 files changed, 293 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/syslog-ng/files/CVE-2024-47619.patch b/meta-oe/recipes-support/syslog-ng/files/CVE-2024-47619.patch
new file mode 100644
index 0000000000..725f471b3b
--- /dev/null
+++ b/meta-oe/recipes-support/syslog-ng/files/CVE-2024-47619.patch
@@ -0,0 +1,292 @@
+From 12a0624e4c275f14cee9a6b4f36e714d2ced8544 Mon Sep 17 00:00:00 2001
+From: therandomstring <bal.horv.98@gmail.com>
+Date: Wed, 07 May 2025 09:30:36 +0530
+Subject: [PATCH] Merge commit from fork
+Fix transport accepting incorrect wildcards
+CVE: CVE-2024-47619
+Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/12a0624e4c275f14cee9a6b4f36e714d2ced8544]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/transport/tests/CMakeLists.txt            |   1 +
+ lib/transport/tests/Makefile.am               |   9 +-
+ lib/transport/tests/test_tls_wildcard_match.c | 104 ++++++++++++++++++
+ lib/transport/tls-verifier.c                  |  86 +++++++++++++--
+ lib/transport/tls-verifier.h                  |   2 +
+ 5 files changed, 190 insertions(+), 12 deletions(-)
+ create mode 100644 lib/transport/tests/test_tls_wildcard_match.c
+diff --git a/lib/transport/tests/CMakeLists.txt b/lib/transport/tests/CMakeLists.txt
+index 834f456..ce1d033 100644
+--- a/lib/transport/tests/CMakeLists.txt
+++ b/lib/transport/tests/CMakeLists.txt
+@@ -3,3 +3,4 @@ add_unit_test(CRITERION TARGET test_transport_factory_id)
+ add_unit_test(CRITERION TARGET test_transport_factory)
+ add_unit_test(CRITERION TARGET test_transport_factory_registry)
+ add_unit_test(CRITERION TARGET test_multitransport)
+add_unit_test(CRITERION TARGET test_tls_wildcard_match)
+diff --git a/lib/transport/tests/Makefile.am b/lib/transport/tests/Makefile.am
+index 7eac994..ae2426c 100644
+--- a/lib/transport/tests/Makefile.am
+++ b/lib/transport/tests/Makefile.am
+@@ -3,7 +3,8 @@ lib_transport_tests_TESTS                = \
+        lib/transport/tests/test_transport_factory_id \
+        lib/transport/tests/test_transport_factory \
+        lib/transport/tests/test_transport_factory_registry \
+-       lib/transport/tests/test_multitransport
+       lib/transport/tests/test_multitransport \
+       lib/transport/tests/test_tls_wildcard_match
+ EXTRA_DIST += lib/transport/tests/CMakeLists.txt
+@@ -38,3 +39,9 @@ lib_transport_tests_test_multitransport_CFLAGS  = $(TEST_CFLAGS) \
+ lib_transport_tests_test_multitransport_LDADD   = $(TEST_LDADD)
+ lib_transport_tests_test_multitransport_SOURCES =                      \
+        lib/transport/tests/test_multitransport.c
+
+lib_transport_tests_test_tls_wildcard_match_CFLAGS  = $(TEST_CFLAGS) \
+       -I${top_srcdir}/lib/transport/tests
+lib_transport_tests_test_tls_wildcard_match_LDADD       = $(TEST_LDADD)
+lib_transport_tests_test_tls_wildcard_match_SOURCES =                  \
+       lib/transport/tests/test_tls_wildcard_match.c
+diff --git a/lib/transport/tests/test_tls_wildcard_match.c b/lib/transport/tests/test_tls_wildcard_match.c
+new file mode 100644
+index 0000000..90cecb0
+--- /dev/null
+++ b/lib/transport/tests/test_tls_wildcard_match.c
+@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2024 One Identity LLC.
+ * Copyright (c) 2024 Franco Fichtner
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * As an additional exemption you are allowed to compile & link against the
+ * OpenSSL libraries as published by the OpenSSL project. See the file
+ * COPYING for details.
+ *
+ */
+
+
+#include <criterion/criterion.h>
+
+#include "transport/tls-verifier.h"
+
+TestSuite(tls_wildcard, .init = NULL, .fini = NULL);
+
+Test(tls_wildcard, test_wildcard_match_pattern_acceptance)
+{
+  cr_assert_eq(tls_wildcard_match("test", "test"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test", "*"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test", "t*t"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test", "t*"), TRUE);
+  cr_assert_eq(tls_wildcard_match("", ""), TRUE);
+  cr_assert_eq(tls_wildcard_match("test.one", "test.one"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test.one.two", "test.one.two"), TRUE);
+  cr_assert_eq(tls_wildcard_match("192.0.2.0", "192.0.2.0"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"),
+               TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0:130F:0:0:9C0:876A:130B"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0:130F:0:0:9C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F::09C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0000:130F::09C0:876A:130B"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0:130F::9C0:876A:130B"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0:130F::9C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"), TRUE);
+}
+
+Test(tls_wildcard, test_wildcard_match_wildcard_rejection)
+{
+  cr_assert_eq(tls_wildcard_match("test", "**"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test", "*es*"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test", "t*?"), FALSE);
+}
+
+Test(tls_wildcard, test_wildcard_match_pattern_rejection)
+{
+  cr_assert_eq(tls_wildcard_match("test", "tset"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test", "set"), FALSE);
+  cr_assert_eq(tls_wildcard_match("", "*"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test", ""), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.two", "test.one"), FALSE);
+}
+
+Test(tls_wildcard, test_wildcard_match_format_rejection)
+{
+  cr_assert_eq(tls_wildcard_match("test.two", "test.*"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.two", "test.t*o"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test", "test.two"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.two", "test"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.one.two", "test.one"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.one", "test.one.two"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.three", "three.test"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.one.two", "test.one.*"), FALSE);
+}
+
+Test(tls_wildcard, test_wildcard_match_complex_rejection)
+{
+  cr_assert_eq(tls_wildcard_match("test.two", "test.???"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.one.two", "test.one.?wo"), FALSE);
+}
+
+Test(tls_wildcard, test_ip_wildcard_rejection)
+{
+  cr_assert_eq(tls_wildcard_match("192.0.2.0", "*.0.2.0"), FALSE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "*:0000:130F:0000:0000:09C0:876A:130B"),
+               FALSE);
+  cr_assert_eq(tls_wildcard_match("2001:0:130F::9C0:876A:130B", "*:0000:130F:0000:0000:09C0:876A:130B"), FALSE);
+}
+
+Test(tls_wildcard, test_case_insensivity)
+{
+  cr_assert_eq(tls_wildcard_match("test", "TEST"), TRUE);
+  cr_assert_eq(tls_wildcard_match("TEST", "test"), TRUE);
+  cr_assert_eq(tls_wildcard_match("TeST", "TEst"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test.one", "test.ONE"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test.TWO", "test.two"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test.three", "*T.three"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0000:130f:0000:0000:09c0:876a:130b"),
+               TRUE);
+}
+diff --git a/lib/transport/tls-verifier.c b/lib/transport/tls-verifier.c
+index 606ad02..dde00d9 100644
+--- a/lib/transport/tls-verifier.c
+++ b/lib/transport/tls-verifier.c
+@@ -1,4 +1,6 @@
+ /*
+ * Copyright (c) 2024 One Identity LLC.
+ * Copyright (c) 2024 Franco Fichtner
+  * Copyright (c) 2002-2011 Balabit
+  * Copyright (c) 1998-2011 Balázs Scheidler
+  *
+@@ -75,7 +77,7 @@ tls_verifier_unref(TLSVerifier *self)
+ /* helper functions */
+-static gboolean
+gboolean
+ tls_wildcard_match(const gchar *host_name, const gchar *pattern)
+ {
+   gchar **pattern_parts, **hostname_parts;
+@@ -86,22 +88,84 @@ tls_wildcard_match(const gchar *host_name, const gchar *pattern)
+   pattern_parts = g_strsplit(pattern, ".", 0);
+   hostname_parts = g_strsplit(host_name, ".", 0);
+-  for (i = 0; pattern_parts[i]; i++)
+
+  if(g_strrstr(pattern, "\?"))
+    {
+      /* Glib would treat any question marks as jokers */
+      success = FALSE;
+    }
+  else if (g_hostname_is_ip_address(host_name))
+    {
+      /* no wildcards in IP */
+      if (g_strrstr(pattern, "*"))
+        {
+          success = FALSE;
+        }
+      else
+        {
+          struct in6_addr host_buffer, pattern_buffer;
+          gint INET_TYPE, INET_ADDRLEN;
+          if(strstr(host_name, ":"))
+            {
+              INET_TYPE = AF_INET6;
+              INET_ADDRLEN = INET6_ADDRSTRLEN;
+            }
+          else
+            {
+              INET_TYPE = AF_INET;
+              INET_ADDRLEN = INET_ADDRSTRLEN;
+            }
+          char host_ip[INET_ADDRLEN], pattern_ip[INET_ADDRLEN];
+          gint host_ip_ok = inet_pton(INET_TYPE, host_name, &host_buffer);
+          gint pattern_ip_ok = inet_pton(INET_TYPE, pattern, &pattern_buffer);
+          inet_ntop(INET_TYPE, &host_buffer, host_ip, INET_ADDRLEN);
+          inet_ntop(INET_TYPE, &pattern_buffer, pattern_ip, INET_ADDRLEN);
+          success = (host_ip_ok && pattern_ip_ok && strcmp(host_ip, pattern_ip) == 0);
+        }
+    }
+  else
+     {
+-      if (!hostname_parts[i])
+      if (pattern_parts[0] == NULL)
+         {
+-          /* number of dot separated entries is not the same in the hostname and the pattern spec */
+-          goto exit;
+          if (hostname_parts[0] == NULL)
+            success = TRUE;
+          else
+            success = FALSE;
+         }
+      else
+        {
+          success = TRUE;
+          for (i = 0; pattern_parts[i]; i++)
+            {
+              if (hostname_parts[i] == NULL)
+                {
+                  /* number of dot separated entries is not the same in the hostname and the pattern spec */
+                  success = FALSE;
+                  break;
+                }
+              char *wildcard_matched = g_strrstr(pattern_parts[i], "*");
+              if (wildcard_matched && (i != 0 || wildcard_matched != strstr(pattern_parts[i], "*")))
+                {
+                  /* wildcard only on leftmost part and never as multiple wildcards as per both RFC 6125 and 9525 */
+                  success = FALSE;
+                  break;
+                }
+-      lower_pattern = g_ascii_strdown(pattern_parts[i], -1);
+-      lower_hostname = g_ascii_strdown(hostname_parts[i], -1);
+              lower_pattern = g_ascii_strdown(pattern_parts[i], -1);
+              lower_hostname = g_ascii_strdown(hostname_parts[i], -1);
+-      if (!g_pattern_match_simple(lower_pattern, lower_hostname))
+-        goto exit;
+              if (!g_pattern_match_simple(lower_pattern, lower_hostname))
+                {
+                  success = FALSE;
+                  break;
+                }
+            }
+          if (hostname_parts[i])
+            /* hostname has more parts than the pattern */
+            success = FALSE;
+        }
+     }
+-  success = TRUE;
+-exit:
+
+   g_free(lower_pattern);
+   g_free(lower_hostname);
+   g_strfreev(pattern_parts);
+diff --git a/lib/transport/tls-verifier.h b/lib/transport/tls-verifier.h
+index 5642afa..98ab858 100644
+--- a/lib/transport/tls-verifier.h
+++ b/lib/transport/tls-verifier.h
+@@ -44,5 +44,7 @@ void tls_verifier_unref(TLSVerifier *self);
+ gboolean tls_verify_certificate_name(X509 *cert, const gchar *hostname);
+gboolean tls_wildcard_match(const gchar *host_name, const gchar *pattern);
+
+ #endif
+--
+2.40.0
diff --git a/meta-oe/recipes-support/syslog-ng/syslog-ng_4.6.0.bb b/meta-oe/recipes-support/syslog-ng/syslog-ng_4.6.0.bb
index 4584944150..e2ae40fd61 100644
--- a/meta-oe/recipes-support/syslog-ng/syslog-ng_4.6.0.bb
+++ b/meta-oe/recipes-support/syslog-ng/syslog-ng_4.6.0.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/balabit/syslog-ng/releases/download/${BP}/${BP}.ta
           file://syslog-ng.service-the-syslog-ng-service.patch \
           file://0001-Fix-buildpaths-warning.patch \
           file://0001-macros-guard-ipv6-code-with-SYSLOG_NG_ENABLE_IPV6.patch \
+           file://CVE-2024-47619.patch \
 "
 SRC_URI:append:powerpc64le = " file://0001-plugin.c-workaround-powerpc64le-segfaults-error.patch"

diff --git a/meta-oe/recipes-support/syslog-ng/files/CVE-2024-47619.patch b/meta-oe/recipes-support/syslog-ng/files/CVE-2024-47619.patch new file mode 100644 index 0000000000..725f471b3b --- /dev/null +++ b/meta-oe/recipes-support/syslog-ng/files/CVE-2024-47619.patch
@@ -0,0 +1,292 @@
		1	From 12a0624e4c275f14cee9a6b4f36e714d2ced8544 Mon Sep 17 00:00:00 2001
		2	From: therandomstring <bal.horv.98@gmail.com>
		3	Date: Wed, 07 May 2025 09:30:36 +0530
		4	Subject: [PATCH] Merge commit from fork
		5
		6	Fix transport accepting incorrect wildcards
		7
		8	CVE: CVE-2024-47619
		9	Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/12a0624e4c275f14cee9a6b4f36e714d2ced8544]
		10
		11	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		12	---
		13	lib/transport/tests/CMakeLists.txt \| 1 +
		14	lib/transport/tests/Makefile.am \| 9 +-
		15	lib/transport/tests/test_tls_wildcard_match.c \| 104 ++++++++++++++++++
		16	lib/transport/tls-verifier.c \| 86 +++++++++++++--
		17	lib/transport/tls-verifier.h \| 2 +
		18	5 files changed, 190 insertions(+), 12 deletions(-)
		19	create mode 100644 lib/transport/tests/test_tls_wildcard_match.c
		20
		21	diff --git a/lib/transport/tests/CMakeLists.txt b/lib/transport/tests/CMakeLists.txt
		22	index 834f456..ce1d033 100644
		23	--- a/lib/transport/tests/CMakeLists.txt
		24	+++ b/lib/transport/tests/CMakeLists.txt
		25	@@ -3,3 +3,4 @@ add_unit_test(CRITERION TARGET test_transport_factory_id)
		26	add_unit_test(CRITERION TARGET test_transport_factory)
		27	add_unit_test(CRITERION TARGET test_transport_factory_registry)
		28	add_unit_test(CRITERION TARGET test_multitransport)
		29	+add_unit_test(CRITERION TARGET test_tls_wildcard_match)
		30	diff --git a/lib/transport/tests/Makefile.am b/lib/transport/tests/Makefile.am
		31	index 7eac994..ae2426c 100644
		32	--- a/lib/transport/tests/Makefile.am
		33	+++ b/lib/transport/tests/Makefile.am
		34	@@ -3,7 +3,8 @@ lib_transport_tests_TESTS = \
		35	lib/transport/tests/test_transport_factory_id \
		36	lib/transport/tests/test_transport_factory \
		37	lib/transport/tests/test_transport_factory_registry \
		38	- lib/transport/tests/test_multitransport
		39	+ lib/transport/tests/test_multitransport \
		40	+ lib/transport/tests/test_tls_wildcard_match
		41
		42	EXTRA_DIST += lib/transport/tests/CMakeLists.txt
		43
		44	@@ -38,3 +39,9 @@ lib_transport_tests_test_multitransport_CFLAGS = $(TEST_CFLAGS) \
		45	lib_transport_tests_test_multitransport_LDADD = $(TEST_LDADD)
		46	lib_transport_tests_test_multitransport_SOURCES = \
		47	lib/transport/tests/test_multitransport.c
		48	+
		49	+lib_transport_tests_test_tls_wildcard_match_CFLAGS = $(TEST_CFLAGS) \
		50	+ -I${top_srcdir}/lib/transport/tests
		51	+lib_transport_tests_test_tls_wildcard_match_LDADD = $(TEST_LDADD)
		52	+lib_transport_tests_test_tls_wildcard_match_SOURCES = \
		53	+ lib/transport/tests/test_tls_wildcard_match.c
		54	diff --git a/lib/transport/tests/test_tls_wildcard_match.c b/lib/transport/tests/test_tls_wildcard_match.c
		55	new file mode 100644
		56	index 0000000..90cecb0
		57	--- /dev/null
		58	+++ b/lib/transport/tests/test_tls_wildcard_match.c
		59	@@ -0,0 +1,104 @@
		60	+/*
		61	+ * Copyright (c) 2024 One Identity LLC.
		62	+ * Copyright (c) 2024 Franco Fichtner
		63	+ *
		64	+ * This library is free software; you can redistribute it and/or
		65	+ * modify it under the terms of the GNU Lesser General Public
		66	+ * License as published by the Free Software Foundation; either
		67	+ * version 2.1 of the License, or (at your option) any later version.
		68	+ *
		69	+ * This library is distributed in the hope that it will be useful,
		70	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
		71	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		72	+ * Lesser General Public License for more details.
		73	+ *
		74	+ * You should have received a copy of the GNU Lesser General Public
		75	+ * License along with this library; if not, write to the Free Software
		76	+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
		77	+ *
		78	+ * As an additional exemption you are allowed to compile & link against the
		79	+ * OpenSSL libraries as published by the OpenSSL project. See the file
		80	+ * COPYING for details.
		81	+ *
		82	+ */
		83	+
		84	+
		85	+#include <criterion/criterion.h>
		86	+
		87	+#include "transport/tls-verifier.h"
		88	+
		89	+TestSuite(tls_wildcard, .init = NULL, .fini = NULL);
		90	+
		91	+Test(tls_wildcard, test_wildcard_match_pattern_acceptance)
		92	+{
		93	+ cr_assert_eq(tls_wildcard_match("test", "test"), TRUE);
		94	+ cr_assert_eq(tls_wildcard_match("test", "*"), TRUE);
		95	+ cr_assert_eq(tls_wildcard_match("test", "t*t"), TRUE);
		96	+ cr_assert_eq(tls_wildcard_match("test", "t*"), TRUE);
		97	+ cr_assert_eq(tls_wildcard_match("", ""), TRUE);
		98	+ cr_assert_eq(tls_wildcard_match("test.one", "test.one"), TRUE);
		99	+ cr_assert_eq(tls_wildcard_match("test.one.two", "test.one.two"), TRUE);
		100	+ cr_assert_eq(tls_wildcard_match("192.0.2.0", "192.0.2.0"), TRUE);
		101	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"),
		102	+ TRUE);
		103	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0:130F:0:0:9C0:876A:130B"), TRUE);
		104	+ cr_assert_eq(tls_wildcard_match("2001:0:130F:0:0:9C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"), TRUE);
		105	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F::09C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"), TRUE);
		106	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0000:130F::09C0:876A:130B"), TRUE);
		107	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0:130F::9C0:876A:130B"), TRUE);
		108	+ cr_assert_eq(tls_wildcard_match("2001:0:130F::9C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"), TRUE);
		109	+}
		110	+
		111	+Test(tls_wildcard, test_wildcard_match_wildcard_rejection)
		112	+{
		113	+ cr_assert_eq(tls_wildcard_match("test", "**"), FALSE);
		114	+ cr_assert_eq(tls_wildcard_match("test", "es"), FALSE);
		115	+ cr_assert_eq(tls_wildcard_match("test", "t*?"), FALSE);
		116	+}
		117	+
		118	+Test(tls_wildcard, test_wildcard_match_pattern_rejection)
		119	+{
		120	+ cr_assert_eq(tls_wildcard_match("test", "tset"), FALSE);
		121	+ cr_assert_eq(tls_wildcard_match("test", "set"), FALSE);
		122	+ cr_assert_eq(tls_wildcard_match("", "*"), FALSE);
		123	+ cr_assert_eq(tls_wildcard_match("test", ""), FALSE);
		124	+ cr_assert_eq(tls_wildcard_match("test.two", "test.one"), FALSE);
		125	+}
		126	+
		127	+Test(tls_wildcard, test_wildcard_match_format_rejection)
		128	+{
		129	+ cr_assert_eq(tls_wildcard_match("test.two", "test.*"), FALSE);
		130	+ cr_assert_eq(tls_wildcard_match("test.two", "test.t*o"), FALSE);
		131	+ cr_assert_eq(tls_wildcard_match("test", "test.two"), FALSE);
		132	+ cr_assert_eq(tls_wildcard_match("test.two", "test"), FALSE);
		133	+ cr_assert_eq(tls_wildcard_match("test.one.two", "test.one"), FALSE);
		134	+ cr_assert_eq(tls_wildcard_match("test.one", "test.one.two"), FALSE);
		135	+ cr_assert_eq(tls_wildcard_match("test.three", "three.test"), FALSE);
		136	+ cr_assert_eq(tls_wildcard_match("test.one.two", "test.one.*"), FALSE);
		137	+}
		138	+
		139	+Test(tls_wildcard, test_wildcard_match_complex_rejection)
		140	+{
		141	+ cr_assert_eq(tls_wildcard_match("test.two", "test.???"), FALSE);
		142	+ cr_assert_eq(tls_wildcard_match("test.one.two", "test.one.?wo"), FALSE);
		143	+}
		144	+
		145	+Test(tls_wildcard, test_ip_wildcard_rejection)
		146	+{
		147	+ cr_assert_eq(tls_wildcard_match("192.0.2.0", "*.0.2.0"), FALSE);
		148	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "*:0000:130F:0000:0000:09C0:876A:130B"),
		149	+ FALSE);
		150	+ cr_assert_eq(tls_wildcard_match("2001:0:130F::9C0:876A:130B", "*:0000:130F:0000:0000:09C0:876A:130B"), FALSE);
		151	+}
		152	+
		153	+Test(tls_wildcard, test_case_insensivity)
		154	+{
		155	+ cr_assert_eq(tls_wildcard_match("test", "TEST"), TRUE);
		156	+ cr_assert_eq(tls_wildcard_match("TEST", "test"), TRUE);
		157	+ cr_assert_eq(tls_wildcard_match("TeST", "TEst"), TRUE);
		158	+ cr_assert_eq(tls_wildcard_match("test.one", "test.ONE"), TRUE);
		159	+ cr_assert_eq(tls_wildcard_match("test.TWO", "test.two"), TRUE);
		160	+ cr_assert_eq(tls_wildcard_match("test.three", "*T.three"), TRUE);
		161	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0000:130f:0000:0000:09c0:876a:130b"),
		162	+ TRUE);
		163	+}
		164	diff --git a/lib/transport/tls-verifier.c b/lib/transport/tls-verifier.c
		165	index 606ad02..dde00d9 100644
		166	--- a/lib/transport/tls-verifier.c
		167	+++ b/lib/transport/tls-verifier.c
		168	@@ -1,4 +1,6 @@
		169	/*
		170	+ * Copyright (c) 2024 One Identity LLC.
		171	+ * Copyright (c) 2024 Franco Fichtner
		172	* Copyright (c) 2002-2011 Balabit
		173	* Copyright (c) 1998-2011 Balázs Scheidler
		174	*
		175	@@ -75,7 +77,7 @@ tls_verifier_unref(TLSVerifier *self)
		176
		177	/* helper functions */
		178
		179	-static gboolean
		180	+gboolean
		181	tls_wildcard_match(const gchar host_name, const gchar pattern)
		182	{
		183	gchar pattern_parts, hostname_parts;
		184	@@ -86,22 +88,84 @@ tls_wildcard_match(const gchar host_name, const gchar pattern)
		185
		186	pattern_parts = g_strsplit(pattern, ".", 0);
		187	hostname_parts = g_strsplit(host_name, ".", 0);
		188	- for (i = 0; pattern_parts[i]; i++)
		189	+
		190	+ if(g_strrstr(pattern, "\?"))
		191	+ {
		192	+ /* Glib would treat any question marks as jokers */
		193	+ success = FALSE;
		194	+ }
		195	+ else if (g_hostname_is_ip_address(host_name))
		196	+ {
		197	+ /* no wildcards in IP */
		198	+ if (g_strrstr(pattern, "*"))
		199	+ {
		200	+ success = FALSE;
		201	+ }
		202	+ else
		203	+ {
		204	+ struct in6_addr host_buffer, pattern_buffer;
		205	+ gint INET_TYPE, INET_ADDRLEN;
		206	+ if(strstr(host_name, ":"))
		207	+ {
		208	+ INET_TYPE = AF_INET6;
		209	+ INET_ADDRLEN = INET6_ADDRSTRLEN;
		210	+ }
		211	+ else
		212	+ {
		213	+ INET_TYPE = AF_INET;
		214	+ INET_ADDRLEN = INET_ADDRSTRLEN;
		215	+ }
		216	+ char host_ip[INET_ADDRLEN], pattern_ip[INET_ADDRLEN];
		217	+ gint host_ip_ok = inet_pton(INET_TYPE, host_name, &host_buffer);
		218	+ gint pattern_ip_ok = inet_pton(INET_TYPE, pattern, &pattern_buffer);
		219	+ inet_ntop(INET_TYPE, &host_buffer, host_ip, INET_ADDRLEN);
		220	+ inet_ntop(INET_TYPE, &pattern_buffer, pattern_ip, INET_ADDRLEN);
		221	+ success = (host_ip_ok && pattern_ip_ok && strcmp(host_ip, pattern_ip) == 0);
		222	+ }
		223	+ }
		224	+ else
		225	{
		226	- if (!hostname_parts[i])
		227	+ if (pattern_parts[0] == NULL)
		228	{
		229	- /* number of dot separated entries is not the same in the hostname and the pattern spec */
		230	- goto exit;
		231	+ if (hostname_parts[0] == NULL)
		232	+ success = TRUE;
		233	+ else
		234	+ success = FALSE;
		235	}
		236	+ else
		237	+ {
		238	+ success = TRUE;
		239	+ for (i = 0; pattern_parts[i]; i++)
		240	+ {
		241	+ if (hostname_parts[i] == NULL)
		242	+ {
		243	+ /* number of dot separated entries is not the same in the hostname and the pattern spec */
		244	+ success = FALSE;
		245	+ break;
		246	+ }
		247	+ char wildcard_matched = g_strrstr(pattern_parts[i], "");
		248	+ if (wildcard_matched && (i != 0 \|\| wildcard_matched != strstr(pattern_parts[i], "*")))
		249	+ {
		250	+ /* wildcard only on leftmost part and never as multiple wildcards as per both RFC 6125 and 9525 */
		251	+ success = FALSE;
		252	+ break;
		253	+ }
		254
		255	- lower_pattern = g_ascii_strdown(pattern_parts[i], -1);
		256	- lower_hostname = g_ascii_strdown(hostname_parts[i], -1);
		257	+ lower_pattern = g_ascii_strdown(pattern_parts[i], -1);
		258	+ lower_hostname = g_ascii_strdown(hostname_parts[i], -1);
		259
		260	- if (!g_pattern_match_simple(lower_pattern, lower_hostname))
		261	- goto exit;
		262	+ if (!g_pattern_match_simple(lower_pattern, lower_hostname))
		263	+ {
		264	+ success = FALSE;
		265	+ break;
		266	+ }
		267	+ }
		268	+ if (hostname_parts[i])
		269	+ /* hostname has more parts than the pattern */
		270	+ success = FALSE;
		271	+ }
		272	}
		273	- success = TRUE;
		274	-exit:
		275	+
		276	g_free(lower_pattern);
		277	g_free(lower_hostname);
		278	g_strfreev(pattern_parts);
		279	diff --git a/lib/transport/tls-verifier.h b/lib/transport/tls-verifier.h
		280	index 5642afa..98ab858 100644
		281	--- a/lib/transport/tls-verifier.h
		282	+++ b/lib/transport/tls-verifier.h
		283	@@ -44,5 +44,7 @@ void tls_verifier_unref(TLSVerifier *self);
		284
		285	gboolean tls_verify_certificate_name(X509 cert, const gchar hostname);
		286
		287	+gboolean tls_wildcard_match(const gchar host_name, const gchar pattern);
		288	+
		289
		290	#endif
		291	--
		292	2.40.0


diff --git a/meta-oe/recipes-support/syslog-ng/syslog-ng_4.6.0.bb b/meta-oe/recipes-support/syslog-ng/syslog-ng_4.6.0.bb index 4584944150..e2ae40fd61 100644 --- a/meta-oe/recipes-support/syslog-ng/syslog-ng_4.6.0.bb +++ b/meta-oe/recipes-support/syslog-ng/syslog-ng_4.6.0.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/balabit/syslog-ng/releases/download/${BP}/${BP}.ta
24	file://syslog-ng.service-the-syslog-ng-service.patch \	24	file://syslog-ng.service-the-syslog-ng-service.patch \
25	file://0001-Fix-buildpaths-warning.patch \	25	file://0001-Fix-buildpaths-warning.patch \
26	file://0001-macros-guard-ipv6-code-with-SYSLOG_NG_ENABLE_IPV6.patch \	26	file://0001-macros-guard-ipv6-code-with-SYSLOG_NG_ENABLE_IPV6.patch \
		27	file://CVE-2024-47619.patch \
27	"	28	"
28	SRC_URI:append:powerpc64le = " file://0001-plugin.c-workaround-powerpc64le-segfaults-error.patch"	29	SRC_URI:append:powerpc64le = " file://0001-plugin.c-workaround-powerpc64le-segfaults-error.patch"
29		30