The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack. These format string vulnerabilities were found in the function 'initZMQ' in the omzmq3.c file and in the function 'createSocket' in the imzmq3.c file.

Upstream bug: https://github.com/rsyslog/rsyslog/pull/1565
Upstream patch: https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b
Bug introduced in: https://github.com/rsyslog/rsyslog/commit/cbff73d94c3a86ed74294fe1265dc5242f9317be

The first affected version is 6.5.0.

References: https://bugzilla.novell.com/show_bug.cgi?id=1051798
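The bug class described above, shown as an added example that is not rsyslog code and not part of the original report: a configuration value used as the format itself, beside the corrected call that uses a constant "%s" format. The function endpoint_connect and the sample description are assumptions made for illustration; the sample uses only the "%%" directive so the unsafe call stays well-defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a library call that builds an endpoint from a
 * printf-style format (assumption for this example, not rsyslog's code). */
static int endpoint_connect(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Vulnerable pattern: the configured description is the format string,
 * so any '%' directive in it is interpreted instead of copied. */
int connect_unsafe(char *out, size_t outlen, const char *description)
{
    return endpoint_connect(out, outlen, description);
}

/* Fixed pattern: constant format, the description is passed only as data. */
int connect_safe(char *out, size_t outlen, const char *description)
{
    return endpoint_connect(out, outlen, "%s", description);
}

/* Audit helper: flags a configured value that contains any '%'. */
int has_percent(const char *description)
{
    return strchr(description, '%') != NULL;
}

int main(void)
{
    /* Constructed sample value, not taken from any real configuration. */
    const char *desc = "tcp://127.0.0.1:5555/a%%b";
    char unsafe[64], safe[64];

    connect_unsafe(unsafe, sizeof unsafe, desc);
    connect_safe(safe, sizeof safe, desc);
    printf("configured: %s\nunsafe:     %s\nsafe:       %s\n", desc, unsafe, safe);
    printf("contains '%%': %d\n", has_percent(desc));
    return 0;
}
```

Building callers with -Wformat -Wformat-security flags the unsafe pattern when the called function is declared with a printf format attribute.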
We do not compile these modules.

    --enable-imzmq3 Compiles imzmq3 output module [default=no]
    --enable-omzmq3 Compiles omzmq3 output module [default=no]

Configure is running without any related option. This is the same on RHEL and Fedora.
Statement: This issue did not affect the versions of rsyslog as shipped with Red Hat Enterprise Linux 5, 6, and 7.