Merge branch 'beta'

Conflicts:
	ChangeLog

2 files changed, 11 insertions, 8 deletions

diff --git a/ChangeLog b/ChangeLog
index 39ce0da3..3944e233 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 ---------------------------------------------------------------------------
-Version 6.3.5  [DEVEL] (rgerhards/al), 2011-??-??
+Version 6.3.5  [DEVEL] (rgerhards/al), 2011-09-01
+- bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
 - imudp&imtcp now report error if no listener at all was defined
   Thanks to Marcin for suggesting this error message.
 - bugfix: potential misadressing in property replacer
@@ -48,7 +49,8 @@ Version 6.3.2  [DEVEL] (rgerhards), 2011-07-06
   This leak is tied to error conditions which lead to incorrect cleanup
   of some data structures.
 ---------------------------------------------------------------------------
-Version 6.1.12  [BETA] (al), 2011-??-??
+Version 6.1.12  [BETA], 2011-09-01
+- bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
 - bugfix: potential misadressing in property replacer
 - bugfix: memcpy overflow can occur in allowed sender checkig
   if a name is resolved to IPv4-mapped-on-IPv6 address
@@ -349,7 +351,8 @@ Version 5.9.0  [V5-DEVEL] (rgerhards), 2011-06-08
   affected directive was: $ActionExecOnlyWhenPreviousIsSuspended on
   closes: http://bugzilla.adiscon.com/show_bug.cgi?id=236
 ---------------------------------------------------------------------------
-Version 5.8.5  [V5-stable] (rgerhards/al), 2011-??-??
+Version 5.8.5  [V5-stable] (rgerhards/al), 2011-09-01
+- bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
 - bugfix: potential hang condition during tag emulation
 - bugfix: too-early string termination during tag emulation
 - bugfix: The NUL-Byte for the syslogtag was not copied in MsgDup (msg.c)
@@ -1222,11 +1225,13 @@ Version 4.7.0  [v4-devel] (rgerhards), 2010-04-14
   Thanks for varmojfekoj for pointing me at this bug.
 - imported changes from 4.5.6 and below
 ---------------------------------------------------------------------------
-Version 4.6.8  [v4-stable] (rgerhards), 2011-??-??
+Version 4.6.8  [v4-stable] (rgerhards), 2011-09-01
+- bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
 - bugfix: potential misadressing in property replacer
-- bugfix: memcpy overflow can occur in allowed sender checkig
+- bugfix: memcpy overflow can occur in allowed sender checking
   if a name is resolved to IPv4-mapped-on-IPv6 address
   Found by Ismail Dönmez at suse
+- bugfix: The NUL-Byte for the syslogtag was not copied in MsgDup (msg.c)
 ---------------------------------------------------------------------------
 Version 4.6.7  [v4-stable] (rgerhards), 2011-07-11
 - added support for the ":omusrmsg:" syntax in configuring user messages
diff --git a/tools/pmrfc3164.c b/tools/pmrfc3164.c
index d56e53f0..6d2d22b1 100644
--- a/tools/pmrfc3164.c
+++ b/tools/pmrfc3164.c
@@ -176,9 +176,8 @@ CODESTARTparse
 		 * in RFC3164...). We now receive the full size, but will modify the
 		 * outputs so that only 32 characters max are used by default.
 		 */
-dbgprintf("pmrfc3164:tag:in: lenMsg %d, p2parse: '%s'\n", lenMsg, p2parse);
 		i = 0;
-		while(lenMsg > 0 && *p2parse != ':' && *p2parse != ' ' && i < CONF_TAG_MAXSIZE) {
+		while(lenMsg > 0 && *p2parse != ':' && *p2parse != ' ' && i < CONF_TAG_MAXSIZE - 2) {
 			bufParseTAG[i++] = *p2parse++;
 			--lenMsg;
 		}
@@ -192,7 +191,6 @@ dbgprintf("pmrfc3164:tag:in: lenMsg %d, p2parse: '%s'\n", lenMsg, p2parse);
 		 * is considered OK. So we do not need to check for empty TAG. -- rgerhards, 2009-06-23
 		 */
 		bufParseTAG[i] = '\0';	/* terminate string */
-dbgprintf("pmrfc3164:tag:done: lenMsg %d, i %d, bufParseTAG: '%s'\n", lenMsg, i, bufParseTAG);
 		MsgSetTAG(pMsg, bufParseTAG, i);
 	} else {/* we enter this code area when the user has instructed rsyslog NOT
 		 * to parse HOSTNAME and TAG - rgerhards, 2006-03-13