zlog is a reliable, high-performance, thread safe, flexible, clear-model, pure C logging library.
Security Fix(es):
Heap-based buffer overflow in zlog v1.1.0 to v1.2.17 in zlog_rule_new(). The size of record_name is MAXLEN_PATH (1024) + 1, but file_path may hold data up to MAXLEN_CFG_LINE (MAXLEN_PATH*4) + 1. A check was missing in zlog_rule_new() while copying the record_name from file_path + 1, which caused the buffer overflow. An attacker can exploit this vulnerability to overwrite the zlog_record_fn record_func function pointer to get arbitrary code execution or potentially cause remote code execution (RCE). (CVE-2024-22857)
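The length check the description says was missing, as an added example (not zlog's code and not the upstream patch). The struct layout, the `demo_*` names and the leading `$` in the sample path are assumptions for illustration; only the two size constants come from the advisory text.

```c
#include <stddef.h>
#include <string.h>

/* Sizes as stated in the advisory. */
#define MAXLEN_PATH 1024
#define MAXLEN_CFG_LINE (MAXLEN_PATH * 4)

typedef int (*demo_record_fn)(const char *msg); /* stand-in for zlog_record_fn */

/* Hypothetical, simplified layout: a fixed-size name buffer on the heap
 * next to a function pointer is what makes an unchecked copy dangerous. */
struct demo_rule {
    char record_name[MAXLEN_PATH + 1];
    demo_record_fn record_func;
};

/* Copy the record name from file_path + 1, refusing names that do not fit.
 * Returns 0 on success, -1 on bad or over-long input. */
int demo_set_record_name(struct demo_rule *rule, const char *file_path)
{
    size_t len;

    if (rule == NULL || file_path == NULL || file_path[0] == '\0')
        return -1;
    len = strlen(file_path + 1);
    if (len > MAXLEN_PATH)            /* the bound the copy must respect */
        return -1;
    memcpy(rule->record_name, file_path + 1, len + 1); /* includes the NUL */
    return 0;
}

/* Constructed input: one marker character followed by n name bytes.
 * Returns 0 if the name was stored intact, -1 if rejected, -2 if n
 * exceeds what a configuration line can carry. */
int demo_try_name_of_length(size_t n)
{
    static char file_path[MAXLEN_CFG_LINE + 1];
    static struct demo_rule rule;

    if (n + 1 > MAXLEN_CFG_LINE)
        return -2;
    file_path[0] = '$';               /* constructed leading character */
    memset(file_path + 1, 'A', n);
    file_path[n + 1] = '\0';
    rule.record_func = NULL;
    if (demo_set_record_name(&rule, file_path) != 0)
        return -1;
    return (strlen(rule.record_name) == n && rule.record_func == NULL) ? 0 : 1;
}
```

Rejecting the over-long name is one option; truncating to MAXLEN_PATH bytes would also keep the write in bounds, at the cost of silently changing the configured name.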
{
"severity": "Critical"
}
{
"x86_64": [
"zlog-1.2.15-4.oe2003sp4.x86_64.rpm",
"zlog-debuginfo-1.2.15-4.oe2003sp4.x86_64.rpm",
"zlog-debugsource-1.2.15-4.oe2003sp4.x86_64.rpm"
],
"src": [
"zlog-1.2.15-4.oe2003sp4.src.rpm"
],
"aarch64": [
"zlog-1.2.15-4.oe2003sp4.aarch64.rpm",
"zlog-debuginfo-1.2.15-4.oe2003sp4.aarch64.rpm",
"zlog-debugsource-1.2.15-4.oe2003sp4.aarch64.rpm"
]
}