!18 [sync] PR-17: Fix CVE-2024-22857

From: @openeuler-sync-bot 
Reviewed-by: @liubuguiii 
Signed-off-by: @liubuguiii

CVE-2024-22857.patch

@@ -0,0 +1,29 @@
+From 335d65fc5a9d73580c6663fcb754ddce4e159a61 Mon Sep 17 00:00:00 2001
+From: lvfei <lvfei@kylinos.cn>
+Date: Thu, 25 Apr 2024 13:49:04 +0800
+Subject: [PATCH] CVE-2024-22857
+
+---
+ src/rule.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/rule.c b/src/rule.c
+index 473d21f..02a9c08 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -890,8 +890,10 @@ zlog_rule_t *zlog_rule_new(char *line,
+ 		}
+ 		break;
+ 	case '$' :
+-		sscanf(file_path + 1, "%s", a_rule->record_name);
+-			
++        // read only MAXLEN_PATH characters from the file_path + 1
++		strncpy(a_rule->record_name, file_path + 1, MAXLEN_PATH);
++		a_rule->record_name[MAXLEN_PATH] = '\0';		
++	
+ 		if (file_limit) {  /* record path exists */
+ 			p = strchr(file_limit, '"');
+ 			if (!p) {
+-- 
+2.27.0
+

zlog.spec

@@ -1,6 +1,6 @@
 Name:           zlog
 Version:        1.2.15
-Release:        5
+Release:        6
 Summary:        A reliable pure C logging library
 
 License:        LGPLv2.1
@@ -11,6 +11,7 @@ Patch1000:      0001-Fix-stack-buffer-overflow-at-zlog_conf_build_with_fi.patch
 Patch1001:      0002-feature-mkdir-If-the-output-directory-does-not-exist-5c55d7d4.patch
 Patch1002:      0001-fix-env-Fix-the-pointer-position-update-error-after--f0d6941b.patch
 Patch1003:      1012-feature-environment-Ignore-the-rule-when-the-environ-40ea87cd.patch
+Patch1004:      CVE-2024-22857.patch
 
 
 BuildRequires:  gcc-c++
@@ -52,6 +53,9 @@ ln -sf libzlog.so.1.2 '%{buildroot}/%{_libdir}/libzlog.so'
 
 
 %changelog
+* Wed Apr 24 2024 lvfei <lvfei@kylinos.cn> - 1.2.15-6
+- Fix CVE-2024-22857.patch
+
 * Mon Sep 26 2022 tangjie02 <tangjie02@kylinsec.com.cn> - 1.2.15-5
 - if the output directory does not exist, it will be created automatically.
 - fix the pointer position update error after enviroment variable is replaced.