From: Sebastian Harl <sh@tokkee.org>
Date: Thu, 28 Jul 2016 21:08:06 +0000 (+0200)
Subject: Update patches for 5.5.2.
X-Git-Tag: collectd-5.5.2-1~6
X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=40f5ae198d887e656fb90f96105396c76ed145b4;p=pkg-collectd.git

Update patches for 5.5.2.
---

diff --git a/debian/changelog b/debian/changelog
index 7edc974..84d0149 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,10 @@ collectd (5.5.2-1) UNRELEASED; urgency=medium
       GCrypt's gcry_control is sometimes called without checking its return
       value for an error. This may cause the program to be initialized without
       the desired, secure settings. (Closes: #832577)
+  * debian/patches:
+    - bts832577-gcry-control.patch: Update for 5.5.2. Mostly part of the new
+      upstream release, except for: Don't abort() if gcrypt initialization
+      failed.
 
  -- Sebastian Harl <tokkee@debian.org>  Thu, 28 Jul 2016 22:56:36 +0200
 
diff --git a/debian/patches/CVE-2016-6254.dpatch b/debian/patches/CVE-2016-6254.dpatch
deleted file mode 100644
index b466393..0000000
--- a/debian/patches/CVE-2016-6254.dpatch
+++ /dev/null
@@ -1,47 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## CVE-2016-6254.dpatch by Florian Forster <octo@collectd.org>
-##
-## DP: network plugin: Fix heap overflow in parse_packet().
-## DP:
-## DP: Emilien Gaspar has identified a heap overflow in parse_packet(), the
-## DP: function used by the network plugin to parse incoming network packets.
-## DP:
-## DP: This is a vulnerability in collectd, though the scope is not clear at
-## DP: this point. At the very least specially crafted network packets can be
-## DP: used to crash the daemon. We can't rule out a potential remote code
-## DP: execution though.
-## DP:
-## DP: Fixes: CVE-2016-6254
-## DP:
-## DP: Upstream commit:
-## DP: https://github.com/collectd/collectd/commit/b589096
-
-@DPATCH@
-
-diff a/src/network.c b/src/network.c
---- a/src/network.c
-+++ b/src/network.c
-@@ -1430,6 +1430,7 @@
- 				printed_ignore_warning = 1;
- 			}
- 			buffer = ((char *) buffer) + pkg_length;
-+			buffer_size -= (size_t) pkg_length;
- 			continue;
- 		}
- #endif /* HAVE_LIBGCRYPT */
-@@ -1457,6 +1458,7 @@
- 				printed_ignore_warning = 1;
- 			}
- 			buffer = ((char *) buffer) + pkg_length;
-+			buffer_size -= (size_t) pkg_length;
- 			continue;
- 		}
- #endif /* HAVE_LIBGCRYPT */
-@@ -1598,6 +1600,7 @@
- 			DEBUG ("network plugin: parse_packet: Unknown part"
- 					" type: 0x%04hx", pkg_type);
- 			buffer = ((char *) buffer) + pkg_length;
-+			buffer_size -= (size_t) pkg_length;
- 		}
- 	} /* while (buffer_size > sizeof (part_header_t)) */
- 
diff --git a/debian/patches/bts832577-gcry-control.dpatch b/debian/patches/bts832577-gcry-control.dpatch
deleted file mode 100644
index 2c70e2a..0000000
--- a/debian/patches/bts832577-gcry-control.dpatch
+++ /dev/null
@@ -1,127 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## bts832577-gcry-control.dpatch by Florian Forster <octo@collectd.org>
-## and Sebastian Harl <tokkee@debian.org>
-##
-## DP: network plugin, libcollectdclient: Check return value of gcry_control().
-##
-## Upstream commits:
-## https://github.com/collectd/collectd/commit/8b4fed99
-## https://github.com/collectd/collectd/commit/262915c4
-## https://github.com/collectd/collectd/commit/a3000cbe
-## Upstream report:
-## https://github.com/collectd/collectd/issues/1665
-
-@DPATCH@
-
-diff a/src/libcollectdclient/network_buffer.c b/src/libcollectdclient/network_buffer.c
---- a/src/libcollectdclient/network_buffer.c
-+++ b/src/libcollectdclient/network_buffer.c
-@@ -131,12 +131,15 @@
-   need_init = 0;
- 
- #if HAVE_LIBGCRYPT
--  gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
-+  if (gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread))
-+    return (0);
- 
-   if (!gcry_check_version (GCRYPT_VERSION))
-     return (0);
- 
--  gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
-+  if (!gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0))
-+    return (0);
-+
-   gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
- 
-   result = 1;
-diff a/src/network.c b/src/network.c
---- a/src/network.c
-+++ b/src/network.c
-@@ -493,13 +493,15 @@
- } /* }}} int network_dispatch_notification */
- 
- #if HAVE_LIBGCRYPT
--static void network_init_gcrypt (void) /* {{{ */
-+static int network_init_gcrypt (void) /* {{{ */
- {
-+  gcry_error_t err;
-+
-   /* http://lists.gnupg.org/pipermail/gcrypt-devel/2003-August/000458.html
-    * Because you can't know in a library whether another library has
-    * already initialized the library */
-   if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P))
--    return;
-+    return (0);
- 
-  /* http://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html
-   * To ensure thread-safety, it's important to set GCRYCTL_SET_THREAD_CBS
-@@ -508,11 +510,25 @@
-   * above doesn't count, as it doesn't implicitly initalize Libgcrypt.
-   *
-   * tl;dr: keep all these gry_* statements in this exact order please. */
--  gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
-+  err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
-+  if (err)
-+  {
-+    ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
-+    return (-1);
-+  }
-+
-   gcry_check_version (NULL);
--  gcry_control (GCRYCTL_INIT_SECMEM, 32768);
-+
-+  err = gcry_control (GCRYCTL_INIT_SECMEM, 32768);
-+  if (err)
-+  {
-+    ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err));
-+    return (-1);
-+  }
-+
-   gcry_control (GCRYCTL_INITIALIZATION_FINISHED);
--} /* }}} void network_init_gcrypt */
-+  return (0);
-+} /* }}} int network_init_gcrypt */
- 
- static gcry_cipher_hd_t network_get_aes256_cypher (sockent_t *se, /* {{{ */
-     const void *iv, size_t iv_size, const char *username)
-@@ -2050,7 +2066,12 @@
- 	{
- 		if (se->data.client.security_level > SECURITY_LEVEL_NONE)
- 		{
--			network_init_gcrypt ();
-+			if (network_init_gcrypt () < 0)
-+			{
-+				ERROR ("network plugin: Cannot configure client socket with "
-+						"security: Failed to initialize crypto library.");
-+				return (-1);
-+			}
- 
- 			if ((se->data.client.username == NULL)
- 					|| (se->data.client.password == NULL))
-@@ -2070,7 +2091,12 @@
- 	{
- 		if (se->data.server.security_level > SECURITY_LEVEL_NONE)
- 		{
--			network_init_gcrypt ();
-+			if (network_init_gcrypt () < 0)
-+			{
-+				ERROR ("network plugin: Cannot configure server socket with "
-+						"security: Failed to initialize crypto library.");
-+				return (-1);
-+			}
- 
- 			if (se->data.server.auth_file == NULL)
- 			{
-@@ -3395,7 +3421,11 @@
- 	have_init = 1;
- 
- #if HAVE_LIBGCRYPT
--	network_init_gcrypt ();
-+	if (network_init_gcrypt () < 0)
-+	{
-+		ERROR ("network plugin: Failed to initialize crypto library.");
-+		return (-1);
-+	}
- #endif
- 
- 	if (network_config_stats != 0)
diff --git a/debian/patches/bts832577-gcry-control.patch b/debian/patches/bts832577-gcry-control.patch
new file mode 100644
index 0000000..14b803f
--- /dev/null
+++ b/debian/patches/bts832577-gcry-control.patch
@@ -0,0 +1,92 @@
+Description: network plugin: Don't abort() if gcrypt initialization failed.
+Author: Sebastian Harl <sh@tokkee.org>
+Origin: upstream,
+ commit:a3000cbe3a12163148a28c818269bbdabda1cf5c
+Bug-Debian: https://bugs.debian.org/832577
+Last-Update: 2016-07-28
+
+diff a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -498,7 +498,7 @@
+ } /* }}} int network_dispatch_notification */
+ 
+ #if HAVE_LIBGCRYPT
+-static void network_init_gcrypt (void) /* {{{ */
++static int network_init_gcrypt (void) /* {{{ */
+ {
+   gcry_error_t err;
+ 
+@@ -506,7 +506,7 @@
+    * Because you can't know in a library whether another library has
+    * already initialized the library */
+   if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P))
+-    return;
++    return (0);
+ 
+  /* http://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html
+   * To ensure thread-safety, it's important to set GCRYCTL_SET_THREAD_CBS
+@@ -520,7 +520,7 @@
+   if (err)
+   {
+     ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
+-    abort ();
++    return (-1);
+   }
+ # endif
+ 
+@@ -530,11 +530,11 @@
+   if (err)
+   {
+     ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
+-    abort ();
++    return (-1);
+   }
+ 
+   gcry_control (GCRYCTL_INITIALIZATION_FINISHED);
+-} /* }}} void network_init_gcrypt */
++} /* }}} int network_init_gcrypt */
+ 
+ static gcry_cipher_hd_t network_get_aes256_cypher (sockent_t *se, /* {{{ */
+     const void *iv, size_t iv_size, const char *username)
+@@ -2077,7 +2077,12 @@
+ 	{
+ 		if (se->data.client.security_level > SECURITY_LEVEL_NONE)
+ 		{
+-			network_init_gcrypt ();
++			if (network_init_gcrypt () < 0)
++			{
++				ERROR ("network plugin: Cannot configure client socket with "
++						"security: Failed to initialize crypto library.");
++				return (-1);
++			}
+ 
+ 			if ((se->data.client.username == NULL)
+ 					|| (se->data.client.password == NULL))
+@@ -2097,7 +2102,12 @@
+ 	{
+ 		if (se->data.server.security_level > SECURITY_LEVEL_NONE)
+ 		{
+-			network_init_gcrypt ();
++			if (network_init_gcrypt () < 0)
++			{
++				ERROR ("network plugin: Cannot configure server socket with "
++						"security: Failed to initialize crypto library.");
++				return (-1);
++			}
+ 
+ 			if (se->data.server.auth_file == NULL)
+ 			{
+@@ -3548,7 +3558,11 @@
+ 	have_init = 1;
+ 
+ #if HAVE_LIBGCRYPT
+-	network_init_gcrypt ();
++	if (network_init_gcrypt () < 0)
++	{
++		ERROR ("network plugin: Failed to initialize crypto library.");
++		return (-1);
++	}
+ #endif
+ 
+ 	if (network_config_stats != 0)