An issue was found in rsyslog. When imtcp module and Octet-Counted TCP Framing ("on" by default) are enabled, Rsyslog can be crashed remotely when sending an crafted (improperly formatted) message to "imptcp" listening socket.
This vulnerability appears to have been introduced in upstream commit 6c52f29d59, which was first included in release 8.13.1.
> optimized payload-copy in processDataRcvd for octate-counted frames (as length is pre-known, it is possible to avoid coping char by char, as opposed to octate-stuffed frames).
Name: Joel Miller (Pennsylvania Higher Education Assistance Agency)
This vulnerability requires the "imptcp" module to be enabled, and listening on a port that can potentially be reached by attackers. This module is not enabled by default in Red Hat Enterprise Linux 7. To check if imptcp is enabled, look for the string `$InputPTCPServerRun`in your rsyslog configuration.
shouldn't it say imtcp (instead of imptcp)?
(In reply to Mark D. Foster from comment #12)
> shouldn't it say imtcp (instead of imptcp)?
No, there are two separate rsyslog plugins, imtcp adn imptcp (sort of simplified version), this bug concerns the latter one.