parent: 9dddd30
author: Chris Lamb <lamby@debian.org>, Tue, 4 Apr 2017 14:45:15 +0000 (16:45 +0200)
committer: Marc Fournier <marc@bl.uem.li>, Fri, 25 Aug 2017 07:32:14 +0000 (09:32 +0200)

When a correct "Signature part" is received by a Collectd instance
configured without the AuthFile option, an endless loop occurs due to a
missing pointer increment to the next unprocessed part. (Closes: #859494)
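
The failure mode described in the commit message, as an added example that is not part of the commit or of collectd's code: a simplified part parser in which a handler that returns success without consuming its part stalls the loop, next to the variant that advances past it. The names, the wire layout, the sample bytes and the progress guard are assumptions made for illustration.

```c
/* Simplified model of a part-based packet parser. Names and wire layout
 * are assumptions for illustration, not collectd's code. */
#include <stddef.h>
#include <stdint.h>

#define PART_HDR 4       /* 2-byte type + 2-byte length, big-endian */
#define PART_SIG 0x0200  /* constructed type value for a signature part */

/* Handler for a signature part when no user DB is configured.
 * fixed == 0 models the bug: report success without consuming the part. */
static int skip_signature(const uint8_t **buf, size_t *len, size_t part_len,
                          int fixed)
{
  if (fixed) {
    *buf += part_len;
    *len -= part_len;
  }
  return 0;
}

/* Returns the number of parts consumed, or -1 on a malformed part or when a
 * handler reports success without making progress (the case an unguarded
 * loop would spin on forever). */
int parse_parts(const uint8_t *buf, size_t len, int fixed)
{
  int parts = 0;
  while (len >= PART_HDR) {
    uint16_t type = (uint16_t)((buf[0] << 8) | buf[1]);
    size_t part_len = (size_t)((buf[2] << 8) | buf[3]);
    size_t before = len;
    if (part_len < PART_HDR || part_len > len)
      return -1;                       /* length field out of bounds */
    if (type == PART_SIG) {
      if (skip_signature(&buf, &len, part_len, fixed) != 0)
        return -1;
    } else {
      buf += part_len;                 /* ordinary part: consume it */
      len -= part_len;
    }
    if (len == before)
      return -1;                       /* progress guard: nothing consumed */
    parts++;
  }
  return parts;
}

/* Constructed input: one signature part (8 bytes), one data part (6 bytes). */
const uint8_t sample_packet[] = { 0x02, 0x00, 0x00, 0x08, 0xaa, 0xbb, 0xcc,
                                  0xdd, 0x00, 0x01, 0x00, 0x06, 0x11, 0x22 };
```

The progress guard is a defence-in-depth check: it turns a handler that forgets to advance into a parse error instead of a spinning thread.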
diff --git a/debian/changelog b/debian/changelog
index 9fdb411f824e57eb9a519e1b87185d153e59368d..792b53ff82961d4afaffc8c5ad238a1ca5f18990 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
+collectd (5.1.0-3+deb7u3) wheezy-security; urgency=high
+
+ * CVE-2017-7401: Fix an endless loop DoS vulnerability in parse_packet().
+ When a correct "Signature part" is received by a Collectd instance
+ configured without the AuthFile option, an endless loop occurs due to a
+ missing pointer increment to the next unprocessed part. (Closes: #859494)
+
+ -- Chris Lamb <lamby@debian.org> Tue, 04 Apr 2017 16:45:15 +0200
+
collectd (5.1.0-3+deb7u2) wheezy-security; urgency=high
* debian/patches/bts833013-gcry-init.dpatch: Fix initialization of
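Review bot: The new changelog entry does not name debian/patches/CVE-2017-7401.dpatch, while the previous entry just below it opens with its patch file path ("debian/patches/bts833013-gcry-init.dpatch: Fix initialization of"). Naming the patch file in the new entry would keep the style consistent and make the fix easier to trace from the changelog.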
diff --git a/debian/patches/CVE-2017-7401.dpatch b/debian/patches/CVE-2017-7401.dpatch
--- /dev/null
@@ -0,0 +1,44 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2017-7401.dpatch by Chris Lamb <lamby@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' collectd-5.1.0~/src/network.c collectd-5.1.0/src/network.c
+--- collectd-5.1.0~/src/network.c 2012-04-02 10:04:58.000000000 +0200
++++ collectd-5.1.0/src/network.c 2017-04-04 17:18:08.901258385 +0200
+@@ -998,14 +998,6 @@
+ buffer_len = *ret_buffer_len;
+ buffer_offset = 0;
+
+- if (se->data.server.userdb == NULL)
+- {
+- c_complain (LOG_NOTICE, &complain_no_users,
+- "network plugin: Received signed network packet but can't verify it "
+- "because no user DB has been configured. Will accept it.");
+- return (0);
+- }
+-
+ /* Check if the buffer has enough data for this structure. */
+ if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
+ return (-ENOMEM);
+@@ -1023,6 +1015,18 @@
+ return (-1);
+ }
+
++ if (se->data.server.userdb == NULL)
++ {
++ c_complain (LOG_NOTICE, &complain_no_users,
++ "network plugin: Received signed network packet but can't verify it "
++ "because no user DB has been configured Will accept it.");
++
++ *ret_buffer = buffer + pss_head_length;
++ *ret_buffer_len -= pss_head_length;
++
++ return (0);
++ }
++
+ /* Copy the hash. */
+ BUFFER_READ (pss.hash, sizeof (pss.hash));
+
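Review bot: Please confirm that pss_head_length is bounds-checked against buffer_len before the new early return in the second network.c hunk, which advances *ret_buffer and shrinks *ret_buffer_len by it; the context shows only the tail of the preceding block ("return (-1);"), so the check cannot be verified from this patch alone. The relocated log message also lost the period after "configured" (it now reads "has been configured Will accept it."), and the header line "## DP: No description." should carry the CVE summary already written in the changelog. This commit touches only debian/changelog and the new .dpatch file, so it is worth checking that the patch is listed in debian/patches/00list.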