author | Sebastian Harl <sh@tokkee.org> | |
Wed, 3 Aug 2016 20:59:41 +0000 (22:59 +0200) | ||
committer | Sebastian Harl <sh@tokkee.org> | |
Wed, 3 Aug 2016 20:59:41 +0000 (22:59 +0200) |
Fix initialization of libgcrypt: Initialize the library before using any other
functions to ensure that thread-safety is set up appropriately. This fixes
potential crashes of the network plugin and a regression introduced in
5.1.0-3+deb7u1 which ultimately surfaced the issue.
Thanks to Antoine Sirinelli for reporting this.
Closes: #833013
debian/changelog | patch | blob | history | |
debian/patches/00list | patch | blob | history | |
debian/patches/bts833013-gcry-init.dpatch | [new file with mode: 0644] | patch | blob |
diff --git a/debian/changelog b/debian/changelog
index 6f83f95bb297b9d3a8d74079bbcc348d232765fd..9fdb411f824e57eb9a519e1b87185d153e59368d 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
+collectd (5.1.0-3+deb7u2) wheezy-security; urgency=high
+
+ * debian/patches/bts833013-gcry-init.dpatch: Fix initialization of
+ libgcrypt: Initialize the library before using any other functions to
+ ensure that thread-safety is set up appropriately. This fixes potential
+ crashes of the network plugin and a regression introduced in
+ 5.1.0-3+deb7u1 which ultimately surfaced the issue. Thanks to Antoine
+ Sirinelli for reporting this. (Closes: #833013)
+
+ -- Sebastian Harl <tokkee@debian.org> Wed, 03 Aug 2016 22:59:23 +0200
+
collectd (5.1.0-3+deb7u1) wheezy-security; urgency=high
* debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network
diff --git a/debian/patches/00list b/debian/patches/00list
index 1e263d1ac3b03213cf0da32b07c28d8edd27d48a..4701dabf879ff724c7f4bdcef36ee517689110a9 100644 (file)
--- a/debian/patches/00list
+++ b/debian/patches/00list
CVE-2016-6254.dpatch
bts832577-gcry-control.dpatch
+bts833013-gcry-init.dpatch
rrd_filter_path.dpatch
collection_conf_path.dpatch
bts559801_plugin_find_fix.dpatch
diff --git a/debian/patches/bts833013-gcry-init.dpatch b/debian/patches/bts833013-gcry-init.dpatch
--- /dev/null
@@ -0,0 +1,97 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## bts833013-gcry-init.dpatch by Florian Forster <octo@collectd.org>
+## Backported to 5.1.0 by Sebastian Harl <tokkee@debian.org>
+## Rebased on top of bts832577-gcry-control.dpatch
+##
+## DP: Make sure gcrypt is initialized before using any of its functions.
+## DP:
+## DP: @marekbecka found that gcrypt functionality is called during the
+## DP: configuration phase, but the library is only initialized later during
+## DP: the initialization phase.
+## DP:
+## DP: Upstream commit:
+## DP: https://github.com/collectd/collectd/commit/0ec776a
+## DP: Upstream report:
+## DP: https://github.com/collectd/collectd/issues/273
+
+@DPATCH@
+
+diff a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -476,6 +476,28 @@
+ } /* }}} int network_dispatch_notification */
+
+ #if HAVE_LIBGCRYPT
++static void network_init_gcrypt (void) /* {{{ */
++{
++ gcry_error_t err;
++
++ if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P))
++ return;
++
++ err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
++ if (err)
++ {
++ ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
++ return (-1);
++ }
++ err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
++ if (err)
++ {
++ ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err));
++ return (-1);
++ }
++ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
++} /* }}} void network_init_gcrypt */
++
+ static gcry_cipher_hd_t network_get_aes256_cypher (sockent_t *se, /* {{{ */
+ const void *iv, size_t iv_size, const char *username)
+ {
+@@ -2011,6 +2033,8 @@
+ {
+ if (se->data.client.security_level > SECURITY_LEVEL_NONE)
+ {
++ network_init_gcrypt ();
++
+ if ((se->data.client.username == NULL)
+ || (se->data.client.password == NULL))
+ {
+@@ -2029,6 +2053,8 @@
+ {
+ if (se->data.server.security_level > SECURITY_LEVEL_NONE)
+ {
++ network_init_gcrypt ();
++
+ if (se->data.server.auth_file == NULL)
+ {
+ ERROR ("network plugin: Server socket with "
+@@ -3345,7 +3371,6 @@
+ static int network_init (void)
+ {
+ static _Bool have_init = 0;
+- gcry_error_t err;
+
+ /* Check if we were already initialized. If so, just return - there's
+ * nothing more to do (for now, that is). */
+@@ -3354,19 +3379,7 @@
+ have_init = 1;
+
+ #if HAVE_LIBGCRYPT
+- err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+- if (err)
+- {
+- ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
+- return (-1);
+- }
+- err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
+- if (err)
+- {
+- ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err));
+- return (-1);
+- }
+- gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
++ network_init_gcrypt ();
+ #endif
+
+ if (network_config_stats != 0)
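Review bot: `network_init_gcrypt` is declared `static void` at the head of the new function, yet both error branches `return (-1);` — returning a value from a void function is a constraint violation that compilers reject under strict settings and otherwise only warn about, and the closing marker `/* }}} void network_init_gcrypt */` cements the mismatch. The practical consequence is that the failure `network_init` used to propagate (the `return (-1)` branches removed in the last hunk) is now dropped: `network_init_gcrypt ();` at the end of network_init cannot fail any more, so the plugin carries on with gcrypt's thread callbacks or secure memory never set up, which is the condition this patch is meant to cure. Giving the helper an `int` return — `return (-1)` on error, `return (0)` on the early-exit and success paths — and checking the result at all three call sites restores that behaviour; the two config-phase call sites are in functions whose bodies start outside their hunks, so the correct failure value there has to be confirmed against the surrounding code. The `GCRYCTL_ANY_INITIALIZATION_P` early return presumably also covers the case where another library initialized gcrypt first and thread callbacks can no longer be installed, which deserves a comment such as `/* gcrypt already initialized elsewhere; thread callbacks cannot be changed now. */`.
```c
static int network_init_gcrypt (void) /* {{{ */
{
  gcry_error_t err;

  if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P))
    return (0);

  /* … unchanged: GCRYCTL_SET_THREAD_CBS and GCRYCTL_INIT_SECMEM, each with ERROR() and return (-1) … */
  gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
  return (0);
} /* }}} int network_init_gcrypt */

/* … in network_init, replacing the bare call … */
#if HAVE_LIBGCRYPT
  if (network_init_gcrypt () != 0)
    return (-1);
#endif
```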