syslog-ng: fix CVE-2024-47619

syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-47619 Upstream patch: https://github.com/syslog-ng/syslog-ng/commit/12a0624e4c275f14cee9a6b4f36e714d2ced8544 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Yogita Urade <yogita.urade@windriver.com> 2025-05-28 16:24:17 +0530
committer: Armin Kuster <akuster808@gmail.com> 2025-07-02 20:30:36 -0400
commit: a051b4ae0595c0905ae6a504bbd8511d18a9aaec (patch)
tree: 3cd8307e11ab3efb80ab9fffcbb668e38e292409
parent: 719a23e6f6eb2803ae8adc53bfe217b230c4361d (diff)
download: meta-openembedded-a051b4ae0595c0905ae6a504bbd8511d18a9aaec.tar.gz
2 files changed, 287 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/syslog-ng/files/CVE-2024-47619.patch b/meta-oe/recipes-support/syslog-ng/files/CVE-2024-47619.patch
new file mode 100644
index 0000000000..e316f4a784
--- /dev/null
+++ b/meta-oe/recipes-support/syslog-ng/files/CVE-2024-47619.patch
@@ -0,0 +1,286 @@
+From 12a0624e4c275f14cee9a6b4f36e714d2ced8544 Mon Sep 17 00:00:00 2001
+From: therandomstring <bal.horv.98@gmail.com>
+Date: Wed, 07 May 2025 08:51:01 +0000
+Subject: [PATCH] Merge commit from fork
+Fix transport accepting incorrect wildcards
+CVE: CVE-2024-47619
+Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/12a0624e4c275f14cee9a6b4f36e714d2ced8544]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/tlscontext.c                              |  84 ++++++++++++--
+ lib/tlscontext.h                              |   2 +
+ lib/transport/tests/CMakeLists.txt            |   1 +
+ lib/transport/tests/Makefile.am               |   9 +-
+ lib/transport/tests/test_tls_wildcard_match.c | 104 ++++++++++++++++++
+ 5 files changed, 188 insertions(+), 12 deletions(-)
+ create mode 100644 lib/transport/tests/test_tls_wildcard_match.c
+diff --git a/lib/tlscontext.c b/lib/tlscontext.c
+index a89d0e0..203a1a3 100644
+--- a/lib/tlscontext.c
+++ b/lib/tlscontext.c
+@@ -1200,7 +1200,7 @@ tls_log_certificate_validation_progress(int ok, X509_STORE_CTX *ctx)
+   g_string_free(issuer_name, TRUE);
+ }
+-static gboolean
+gboolean
+ tls_wildcard_match(const gchar *host_name, const gchar *pattern)
+ {
+   gchar **pattern_parts, **hostname_parts;
+@@ -1211,22 +1211,84 @@ tls_wildcard_match(const gchar *host_name, const gchar *pattern)
+   pattern_parts = g_strsplit(pattern, ".", 0);
+   hostname_parts = g_strsplit(host_name, ".", 0);
+-  for (i = 0; pattern_parts[i]; i++)
+
+  if(g_strrstr(pattern, "\?"))
+    {
+      /* Glib would treat any question marks as jokers */
+      success = FALSE;
+    }
+  else if (g_hostname_is_ip_address(host_name))
+     {
+-      if (!hostname_parts[i])
+      /* no wildcards in IP */
+      if (g_strrstr(pattern, "*"))
+         {
+-          /* number of dot separated entries is not the same in the hostname and the pattern spec */
+-          goto exit;
+          success = FALSE;
+         }
+      else
+        {
+          struct in6_addr host_buffer, pattern_buffer;
+          gint INET_TYPE, INET_ADDRLEN;
+          if(strstr(host_name, ":"))
+            {
+              INET_TYPE = AF_INET6;
+              INET_ADDRLEN = INET6_ADDRSTRLEN;
+            }
+          else
+            {
+              INET_TYPE = AF_INET;
+              INET_ADDRLEN = INET_ADDRSTRLEN;
+            }
+          char host_ip[INET_ADDRLEN], pattern_ip[INET_ADDRLEN];
+          gint host_ip_ok = inet_pton(INET_TYPE, host_name, &host_buffer);
+          gint pattern_ip_ok = inet_pton(INET_TYPE, pattern, &pattern_buffer);
+          inet_ntop(INET_TYPE, &host_buffer, host_ip, INET_ADDRLEN);
+          inet_ntop(INET_TYPE, &pattern_buffer, pattern_ip, INET_ADDRLEN);
+          success = (host_ip_ok && pattern_ip_ok && strcmp(host_ip, pattern_ip) == 0);
+        }
+    }
+  else
+    {
+      if (pattern_parts[0] == NULL)
+        {
+          if (hostname_parts[0] == NULL)
+            success = TRUE;
+          else
+            success = FALSE;
+        }
+      else
+        {
+          success = TRUE;
+          for (i = 0; pattern_parts[i]; i++)
+            {
+              if (hostname_parts[i] == NULL)
+                {
+                  /* number of dot separated entries is not the same in the hostname and the pattern spec */
+                  success = FALSE;
+                  break;
+                }
+              char *wildcard_matched = g_strrstr(pattern_parts[i], "*");
+              if (wildcard_matched && (i != 0 || wildcard_matched != strstr(pattern_parts[i], "*")))
+                {
+                  /* wildcard only on leftmost part and never as multiple wildcards as per both RFC 6125 and 9525 */
+                  success = FALSE;
+                  break;
+                }
+-      lower_pattern = g_ascii_strdown(pattern_parts[i], -1);
+-      lower_hostname = g_ascii_strdown(hostname_parts[i], -1);
+              lower_pattern = g_ascii_strdown(pattern_parts[i], -1);
+              lower_hostname = g_ascii_strdown(hostname_parts[i], -1);
+-      if (!g_pattern_match_simple(lower_pattern, lower_hostname))
+-        goto exit;
+              if (!g_pattern_match_simple(lower_pattern, lower_hostname))
+                {
+                  success = FALSE;
+                  break;
+                }
+            }
+          if (hostname_parts[i])
+            /* hostname has more parts than the pattern */
+            success = FALSE;
+        }
+     }
+-  success = TRUE;
+-exit:
+
+   g_free(lower_pattern);
+   g_free(lower_hostname);
+   g_strfreev(pattern_parts);
+diff --git a/lib/tlscontext.h b/lib/tlscontext.h
+index 98c0e1f..80b2afe 100644
+--- a/lib/tlscontext.h
+++ b/lib/tlscontext.h
+@@ -144,6 +144,8 @@ EVTTAG *tls_context_format_location_tag(TLSContext *self);
+ void tls_log_certificate_validation_progress(int ok, X509_STORE_CTX *ctx);
+ gboolean tls_verify_certificate_name(X509 *cert, const gchar *hostname);
+gboolean tls_wildcard_match(const gchar *host_name, const gchar *pattern);
+
+ void tls_x509_format_dn(X509_NAME *name, GString *dn);
+ #endif
+diff --git a/lib/transport/tests/CMakeLists.txt b/lib/transport/tests/CMakeLists.txt
+index 834f456..ce1d033 100644
+--- a/lib/transport/tests/CMakeLists.txt
+++ b/lib/transport/tests/CMakeLists.txt
+@@ -3,3 +3,4 @@ add_unit_test(CRITERION TARGET test_transport_factory_id)
+ add_unit_test(CRITERION TARGET test_transport_factory)
+ add_unit_test(CRITERION TARGET test_transport_factory_registry)
+ add_unit_test(CRITERION TARGET test_multitransport)
+add_unit_test(CRITERION TARGET test_tls_wildcard_match)
+diff --git a/lib/transport/tests/Makefile.am b/lib/transport/tests/Makefile.am
+index 7eac994..ae2426c 100644
+--- a/lib/transport/tests/Makefile.am
+++ b/lib/transport/tests/Makefile.am
+@@ -3,7 +3,8 @@ lib_transport_tests_TESTS                = \
+        lib/transport/tests/test_transport_factory_id \
+        lib/transport/tests/test_transport_factory \
+        lib/transport/tests/test_transport_factory_registry \
+-       lib/transport/tests/test_multitransport
+       lib/transport/tests/test_multitransport \
+       lib/transport/tests/test_tls_wildcard_match
+ EXTRA_DIST += lib/transport/tests/CMakeLists.txt
+@@ -38,3 +39,9 @@ lib_transport_tests_test_multitransport_CFLAGS  = $(TEST_CFLAGS) \
+ lib_transport_tests_test_multitransport_LDADD   = $(TEST_LDADD)
+ lib_transport_tests_test_multitransport_SOURCES =                      \
+        lib/transport/tests/test_multitransport.c
+
+lib_transport_tests_test_tls_wildcard_match_CFLAGS  = $(TEST_CFLAGS) \
+       -I${top_srcdir}/lib/transport/tests
+lib_transport_tests_test_tls_wildcard_match_LDADD       = $(TEST_LDADD)
+lib_transport_tests_test_tls_wildcard_match_SOURCES =                  \
+       lib/transport/tests/test_tls_wildcard_match.c
+diff --git a/lib/transport/tests/test_tls_wildcard_match.c b/lib/transport/tests/test_tls_wildcard_match.c
+new file mode 100644
+index 0000000..90cecb0
+--- /dev/null
+++ b/lib/transport/tests/test_tls_wildcard_match.c
+@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2024 One Identity LLC.
+ * Copyright (c) 2024 Franco Fichtner
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * As an additional exemption you are allowed to compile & link against the
+ * OpenSSL libraries as published by the OpenSSL project. See the file
+ * COPYING for details.
+ *
+ */
+
+
+#include <criterion/criterion.h>
+
+#include "transport/tls-verifier.h"
+
+TestSuite(tls_wildcard, .init = NULL, .fini = NULL);
+
+Test(tls_wildcard, test_wildcard_match_pattern_acceptance)
+{
+  cr_assert_eq(tls_wildcard_match("test", "test"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test", "*"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test", "t*t"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test", "t*"), TRUE);
+  cr_assert_eq(tls_wildcard_match("", ""), TRUE);
+  cr_assert_eq(tls_wildcard_match("test.one", "test.one"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test.one.two", "test.one.two"), TRUE);
+  cr_assert_eq(tls_wildcard_match("192.0.2.0", "192.0.2.0"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"),
+               TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0:130F:0:0:9C0:876A:130B"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0:130F:0:0:9C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F::09C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0000:130F::09C0:876A:130B"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0:130F::9C0:876A:130B"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0:130F::9C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"), TRUE);
+}
+
+Test(tls_wildcard, test_wildcard_match_wildcard_rejection)
+{
+  cr_assert_eq(tls_wildcard_match("test", "**"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test", "*es*"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test", "t*?"), FALSE);
+}
+
+Test(tls_wildcard, test_wildcard_match_pattern_rejection)
+{
+  cr_assert_eq(tls_wildcard_match("test", "tset"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test", "set"), FALSE);
+  cr_assert_eq(tls_wildcard_match("", "*"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test", ""), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.two", "test.one"), FALSE);
+}
+
+Test(tls_wildcard, test_wildcard_match_format_rejection)
+{
+  cr_assert_eq(tls_wildcard_match("test.two", "test.*"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.two", "test.t*o"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test", "test.two"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.two", "test"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.one.two", "test.one"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.one", "test.one.two"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.three", "three.test"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.one.two", "test.one.*"), FALSE);
+}
+
+Test(tls_wildcard, test_wildcard_match_complex_rejection)
+{
+  cr_assert_eq(tls_wildcard_match("test.two", "test.???"), FALSE);
+  cr_assert_eq(tls_wildcard_match("test.one.two", "test.one.?wo"), FALSE);
+}
+
+Test(tls_wildcard, test_ip_wildcard_rejection)
+{
+  cr_assert_eq(tls_wildcard_match("192.0.2.0", "*.0.2.0"), FALSE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "*:0000:130F:0000:0000:09C0:876A:130B"),
+               FALSE);
+  cr_assert_eq(tls_wildcard_match("2001:0:130F::9C0:876A:130B", "*:0000:130F:0000:0000:09C0:876A:130B"), FALSE);
+}
+
+Test(tls_wildcard, test_case_insensivity)
+{
+  cr_assert_eq(tls_wildcard_match("test", "TEST"), TRUE);
+  cr_assert_eq(tls_wildcard_match("TEST", "test"), TRUE);
+  cr_assert_eq(tls_wildcard_match("TeST", "TEst"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test.one", "test.ONE"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test.TWO", "test.two"), TRUE);
+  cr_assert_eq(tls_wildcard_match("test.three", "*T.three"), TRUE);
+  cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0000:130f:0000:0000:09c0:876a:130b"),
+               TRUE);
+}
+--
+2.40.0
diff --git a/meta-oe/recipes-support/syslog-ng/syslog-ng_3.36.1.bb b/meta-oe/recipes-support/syslog-ng/syslog-ng_3.36.1.bb
index 045b9b71c9..b45c6f553f 100644
--- a/meta-oe/recipes-support/syslog-ng/syslog-ng_3.36.1.bb
+++ b/meta-oe/recipes-support/syslog-ng/syslog-ng_3.36.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://github.com/balabit/syslog-ng/releases/download/${BP}/${BP}.ta
           file://CVE-2022-38725-0006.patch \
           file://CVE-2022-38725-0007.patch \
           file://CVE-2022-38725-0008.patch \
+           file://CVE-2024-47619.patch \
 "
 SRC_URI[sha256sum] = "90a25c9767fe749db50f118ddfc92ec71399763d2ecd5ad4f11ff5eea049e60b"
author	Yogita Urade <yogita.urade@windriver.com>	2025-05-28 16:24:17 +0530
committer	Armin Kuster <akuster808@gmail.com>	2025-07-02 20:30:36 -0400
commit	a051b4ae0595c0905ae6a504bbd8511d18a9aaec (patch)
tree	3cd8307e11ab3efb80ab9fffcbb668e38e292409
parent	719a23e6f6eb2803ae8adc53bfe217b230c4361d (diff)
download	meta-openembedded-a051b4ae0595c0905ae6a504bbd8511d18a9aaec.tar.gz

diff --git a/meta-oe/recipes-support/syslog-ng/files/CVE-2024-47619.patch b/meta-oe/recipes-support/syslog-ng/files/CVE-2024-47619.patch new file mode 100644 index 0000000000..e316f4a784 --- /dev/null +++ b/meta-oe/recipes-support/syslog-ng/files/CVE-2024-47619.patch
@@ -0,0 +1,286 @@
		1	From 12a0624e4c275f14cee9a6b4f36e714d2ced8544 Mon Sep 17 00:00:00 2001
		2	From: therandomstring <bal.horv.98@gmail.com>
		3	Date: Wed, 07 May 2025 08:51:01 +0000
		4	Subject: [PATCH] Merge commit from fork
		5
		6	Fix transport accepting incorrect wildcards
		7
		8	CVE: CVE-2024-47619
		9	Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/12a0624e4c275f14cee9a6b4f36e714d2ced8544]
		10
		11	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		12	---
		13	lib/tlscontext.c \| 84 ++++++++++++--
		14	lib/tlscontext.h \| 2 +
		15	lib/transport/tests/CMakeLists.txt \| 1 +
		16	lib/transport/tests/Makefile.am \| 9 +-
		17	lib/transport/tests/test_tls_wildcard_match.c \| 104 ++++++++++++++++++
		18	5 files changed, 188 insertions(+), 12 deletions(-)
		19	create mode 100644 lib/transport/tests/test_tls_wildcard_match.c
		20
		21	diff --git a/lib/tlscontext.c b/lib/tlscontext.c
		22	index a89d0e0..203a1a3 100644
		23	--- a/lib/tlscontext.c
		24	+++ b/lib/tlscontext.c
		25	@@ -1200,7 +1200,7 @@ tls_log_certificate_validation_progress(int ok, X509_STORE_CTX *ctx)
		26	g_string_free(issuer_name, TRUE);
		27	}
		28
		29	-static gboolean
		30	+gboolean
		31	tls_wildcard_match(const gchar host_name, const gchar pattern)
		32	{
		33	gchar pattern_parts, hostname_parts;
		34	@@ -1211,22 +1211,84 @@ tls_wildcard_match(const gchar host_name, const gchar pattern)
		35
		36	pattern_parts = g_strsplit(pattern, ".", 0);
		37	hostname_parts = g_strsplit(host_name, ".", 0);
		38	- for (i = 0; pattern_parts[i]; i++)
		39	+
		40	+ if(g_strrstr(pattern, "\?"))
		41	+ {
		42	+ /* Glib would treat any question marks as jokers */
		43	+ success = FALSE;
		44	+ }
		45	+ else if (g_hostname_is_ip_address(host_name))
		46	{
		47	- if (!hostname_parts[i])
		48	+ /* no wildcards in IP */
		49	+ if (g_strrstr(pattern, "*"))
		50	{
		51	- /* number of dot separated entries is not the same in the hostname and the pattern spec */
		52	- goto exit;
		53	+ success = FALSE;
		54	}
		55	+ else
		56	+ {
		57	+ struct in6_addr host_buffer, pattern_buffer;
		58	+ gint INET_TYPE, INET_ADDRLEN;
		59	+ if(strstr(host_name, ":"))
		60	+ {
		61	+ INET_TYPE = AF_INET6;
		62	+ INET_ADDRLEN = INET6_ADDRSTRLEN;
		63	+ }
		64	+ else
		65	+ {
		66	+ INET_TYPE = AF_INET;
		67	+ INET_ADDRLEN = INET_ADDRSTRLEN;
		68	+ }
		69	+ char host_ip[INET_ADDRLEN], pattern_ip[INET_ADDRLEN];
		70	+ gint host_ip_ok = inet_pton(INET_TYPE, host_name, &host_buffer);
		71	+ gint pattern_ip_ok = inet_pton(INET_TYPE, pattern, &pattern_buffer);
		72	+ inet_ntop(INET_TYPE, &host_buffer, host_ip, INET_ADDRLEN);
		73	+ inet_ntop(INET_TYPE, &pattern_buffer, pattern_ip, INET_ADDRLEN);
		74	+ success = (host_ip_ok && pattern_ip_ok && strcmp(host_ip, pattern_ip) == 0);
		75	+ }
		76	+ }
		77	+ else
		78	+ {
		79	+ if (pattern_parts[0] == NULL)
		80	+ {
		81	+ if (hostname_parts[0] == NULL)
		82	+ success = TRUE;
		83	+ else
		84	+ success = FALSE;
		85	+ }
		86	+ else
		87	+ {
		88	+ success = TRUE;
		89	+ for (i = 0; pattern_parts[i]; i++)
		90	+ {
		91	+ if (hostname_parts[i] == NULL)
		92	+ {
		93	+ /* number of dot separated entries is not the same in the hostname and the pattern spec */
		94	+ success = FALSE;
		95	+ break;
		96	+ }
		97	+ char wildcard_matched = g_strrstr(pattern_parts[i], "");
		98	+ if (wildcard_matched && (i != 0 \|\| wildcard_matched != strstr(pattern_parts[i], "*")))
		99	+ {
		100	+ /* wildcard only on leftmost part and never as multiple wildcards as per both RFC 6125 and 9525 */
		101	+ success = FALSE;
		102	+ break;
		103	+ }
		104
		105	- lower_pattern = g_ascii_strdown(pattern_parts[i], -1);
		106	- lower_hostname = g_ascii_strdown(hostname_parts[i], -1);
		107	+ lower_pattern = g_ascii_strdown(pattern_parts[i], -1);
		108	+ lower_hostname = g_ascii_strdown(hostname_parts[i], -1);
		109
		110	- if (!g_pattern_match_simple(lower_pattern, lower_hostname))
		111	- goto exit;
		112	+ if (!g_pattern_match_simple(lower_pattern, lower_hostname))
		113	+ {
		114	+ success = FALSE;
		115	+ break;
		116	+ }
		117	+ }
		118	+ if (hostname_parts[i])
		119	+ /* hostname has more parts than the pattern */
		120	+ success = FALSE;
		121	+ }
		122	}
		123	- success = TRUE;
		124	-exit:
		125	+
		126	g_free(lower_pattern);
		127	g_free(lower_hostname);
		128	g_strfreev(pattern_parts);
		129	diff --git a/lib/tlscontext.h b/lib/tlscontext.h
		130	index 98c0e1f..80b2afe 100644
		131	--- a/lib/tlscontext.h
		132	+++ b/lib/tlscontext.h
		133	@@ -144,6 +144,8 @@ EVTTAG tls_context_format_location_tag(TLSContext self);
		134	void tls_log_certificate_validation_progress(int ok, X509_STORE_CTX *ctx);
		135	gboolean tls_verify_certificate_name(X509 cert, const gchar hostname);
		136
		137	+gboolean tls_wildcard_match(const gchar host_name, const gchar pattern);
		138	+
		139	void tls_x509_format_dn(X509_NAME name, GString dn);
		140
		141	#endif
		142	diff --git a/lib/transport/tests/CMakeLists.txt b/lib/transport/tests/CMakeLists.txt
		143	index 834f456..ce1d033 100644
		144	--- a/lib/transport/tests/CMakeLists.txt
		145	+++ b/lib/transport/tests/CMakeLists.txt
		146	@@ -3,3 +3,4 @@ add_unit_test(CRITERION TARGET test_transport_factory_id)
		147	add_unit_test(CRITERION TARGET test_transport_factory)
		148	add_unit_test(CRITERION TARGET test_transport_factory_registry)
		149	add_unit_test(CRITERION TARGET test_multitransport)
		150	+add_unit_test(CRITERION TARGET test_tls_wildcard_match)
		151	diff --git a/lib/transport/tests/Makefile.am b/lib/transport/tests/Makefile.am
		152	index 7eac994..ae2426c 100644
		153	--- a/lib/transport/tests/Makefile.am
		154	+++ b/lib/transport/tests/Makefile.am
		155	@@ -3,7 +3,8 @@ lib_transport_tests_TESTS = \
		156	lib/transport/tests/test_transport_factory_id \
		157	lib/transport/tests/test_transport_factory \
		158	lib/transport/tests/test_transport_factory_registry \
		159	- lib/transport/tests/test_multitransport
		160	+ lib/transport/tests/test_multitransport \
		161	+ lib/transport/tests/test_tls_wildcard_match
		162
		163	EXTRA_DIST += lib/transport/tests/CMakeLists.txt
		164
		165	@@ -38,3 +39,9 @@ lib_transport_tests_test_multitransport_CFLAGS = $(TEST_CFLAGS) \
		166	lib_transport_tests_test_multitransport_LDADD = $(TEST_LDADD)
		167	lib_transport_tests_test_multitransport_SOURCES = \
		168	lib/transport/tests/test_multitransport.c
		169	+
		170	+lib_transport_tests_test_tls_wildcard_match_CFLAGS = $(TEST_CFLAGS) \
		171	+ -I${top_srcdir}/lib/transport/tests
		172	+lib_transport_tests_test_tls_wildcard_match_LDADD = $(TEST_LDADD)
		173	+lib_transport_tests_test_tls_wildcard_match_SOURCES = \
		174	+ lib/transport/tests/test_tls_wildcard_match.c
		175	diff --git a/lib/transport/tests/test_tls_wildcard_match.c b/lib/transport/tests/test_tls_wildcard_match.c
		176	new file mode 100644
		177	index 0000000..90cecb0
		178	--- /dev/null
		179	+++ b/lib/transport/tests/test_tls_wildcard_match.c
		180	@@ -0,0 +1,104 @@
		181	+/*
		182	+ * Copyright (c) 2024 One Identity LLC.
		183	+ * Copyright (c) 2024 Franco Fichtner
		184	+ *
		185	+ * This library is free software; you can redistribute it and/or
		186	+ * modify it under the terms of the GNU Lesser General Public
		187	+ * License as published by the Free Software Foundation; either
		188	+ * version 2.1 of the License, or (at your option) any later version.
		189	+ *
		190	+ * This library is distributed in the hope that it will be useful,
		191	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
		192	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		193	+ * Lesser General Public License for more details.
		194	+ *
		195	+ * You should have received a copy of the GNU Lesser General Public
		196	+ * License along with this library; if not, write to the Free Software
		197	+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
		198	+ *
		199	+ * As an additional exemption you are allowed to compile & link against the
		200	+ * OpenSSL libraries as published by the OpenSSL project. See the file
		201	+ * COPYING for details.
		202	+ *
		203	+ */
		204	+
		205	+
		206	+#include <criterion/criterion.h>
		207	+
		208	+#include "transport/tls-verifier.h"
		209	+
		210	+TestSuite(tls_wildcard, .init = NULL, .fini = NULL);
		211	+
		212	+Test(tls_wildcard, test_wildcard_match_pattern_acceptance)
		213	+{
		214	+ cr_assert_eq(tls_wildcard_match("test", "test"), TRUE);
		215	+ cr_assert_eq(tls_wildcard_match("test", "*"), TRUE);
		216	+ cr_assert_eq(tls_wildcard_match("test", "t*t"), TRUE);
		217	+ cr_assert_eq(tls_wildcard_match("test", "t*"), TRUE);
		218	+ cr_assert_eq(tls_wildcard_match("", ""), TRUE);
		219	+ cr_assert_eq(tls_wildcard_match("test.one", "test.one"), TRUE);
		220	+ cr_assert_eq(tls_wildcard_match("test.one.two", "test.one.two"), TRUE);
		221	+ cr_assert_eq(tls_wildcard_match("192.0.2.0", "192.0.2.0"), TRUE);
		222	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"),
		223	+ TRUE);
		224	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0:130F:0:0:9C0:876A:130B"), TRUE);
		225	+ cr_assert_eq(tls_wildcard_match("2001:0:130F:0:0:9C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"), TRUE);
		226	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F::09C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"), TRUE);
		227	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0000:130F::09C0:876A:130B"), TRUE);
		228	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0:130F::9C0:876A:130B"), TRUE);
		229	+ cr_assert_eq(tls_wildcard_match("2001:0:130F::9C0:876A:130B", "2001:0000:130F:0000:0000:09C0:876A:130B"), TRUE);
		230	+}
		231	+
		232	+Test(tls_wildcard, test_wildcard_match_wildcard_rejection)
		233	+{
		234	+ cr_assert_eq(tls_wildcard_match("test", "**"), FALSE);
		235	+ cr_assert_eq(tls_wildcard_match("test", "es"), FALSE);
		236	+ cr_assert_eq(tls_wildcard_match("test", "t*?"), FALSE);
		237	+}
		238	+
		239	+Test(tls_wildcard, test_wildcard_match_pattern_rejection)
		240	+{
		241	+ cr_assert_eq(tls_wildcard_match("test", "tset"), FALSE);
		242	+ cr_assert_eq(tls_wildcard_match("test", "set"), FALSE);
		243	+ cr_assert_eq(tls_wildcard_match("", "*"), FALSE);
		244	+ cr_assert_eq(tls_wildcard_match("test", ""), FALSE);
		245	+ cr_assert_eq(tls_wildcard_match("test.two", "test.one"), FALSE);
		246	+}
		247	+
		248	+Test(tls_wildcard, test_wildcard_match_format_rejection)
		249	+{
		250	+ cr_assert_eq(tls_wildcard_match("test.two", "test.*"), FALSE);
		251	+ cr_assert_eq(tls_wildcard_match("test.two", "test.t*o"), FALSE);
		252	+ cr_assert_eq(tls_wildcard_match("test", "test.two"), FALSE);
		253	+ cr_assert_eq(tls_wildcard_match("test.two", "test"), FALSE);
		254	+ cr_assert_eq(tls_wildcard_match("test.one.two", "test.one"), FALSE);
		255	+ cr_assert_eq(tls_wildcard_match("test.one", "test.one.two"), FALSE);
		256	+ cr_assert_eq(tls_wildcard_match("test.three", "three.test"), FALSE);
		257	+ cr_assert_eq(tls_wildcard_match("test.one.two", "test.one.*"), FALSE);
		258	+}
		259	+
		260	+Test(tls_wildcard, test_wildcard_match_complex_rejection)
		261	+{
		262	+ cr_assert_eq(tls_wildcard_match("test.two", "test.???"), FALSE);
		263	+ cr_assert_eq(tls_wildcard_match("test.one.two", "test.one.?wo"), FALSE);
		264	+}
		265	+
		266	+Test(tls_wildcard, test_ip_wildcard_rejection)
		267	+{
		268	+ cr_assert_eq(tls_wildcard_match("192.0.2.0", "*.0.2.0"), FALSE);
		269	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "*:0000:130F:0000:0000:09C0:876A:130B"),
		270	+ FALSE);
		271	+ cr_assert_eq(tls_wildcard_match("2001:0:130F::9C0:876A:130B", "*:0000:130F:0000:0000:09C0:876A:130B"), FALSE);
		272	+}
		273	+
		274	+Test(tls_wildcard, test_case_insensivity)
		275	+{
		276	+ cr_assert_eq(tls_wildcard_match("test", "TEST"), TRUE);
		277	+ cr_assert_eq(tls_wildcard_match("TEST", "test"), TRUE);
		278	+ cr_assert_eq(tls_wildcard_match("TeST", "TEst"), TRUE);
		279	+ cr_assert_eq(tls_wildcard_match("test.one", "test.ONE"), TRUE);
		280	+ cr_assert_eq(tls_wildcard_match("test.TWO", "test.two"), TRUE);
		281	+ cr_assert_eq(tls_wildcard_match("test.three", "*T.three"), TRUE);
		282	+ cr_assert_eq(tls_wildcard_match("2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0000:130f:0000:0000:09c0:876a:130b"),
		283	+ TRUE);
		284	+}
		285	--
		286	2.40.0


diff --git a/meta-oe/recipes-support/syslog-ng/syslog-ng_3.36.1.bb b/meta-oe/recipes-support/syslog-ng/syslog-ng_3.36.1.bb index 045b9b71c9..b45c6f553f 100644 --- a/meta-oe/recipes-support/syslog-ng/syslog-ng_3.36.1.bb +++ b/meta-oe/recipes-support/syslog-ng/syslog-ng_3.36.1.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://github.com/balabit/syslog-ng/releases/download/${BP}/${BP}.ta
30	file://CVE-2022-38725-0006.patch \	30	file://CVE-2022-38725-0006.patch \
31	file://CVE-2022-38725-0007.patch \	31	file://CVE-2022-38725-0007.patch \
32	file://CVE-2022-38725-0008.patch \	32	file://CVE-2022-38725-0008.patch \
		33	file://CVE-2024-47619.patch \
33	"	34	"
34		35
35	SRC_URI[sha256sum] = "90a25c9767fe749db50f118ddfc92ec71399763d2ecd5ad4f11ff5eea049e60b"	36	SRC_URI[sha256sum] = "90a25c9767fe749db50f118ddfc92ec71399763d2ecd5ad4f11ff5eea049e60b"