From: Chris Lamb Date: Tue, 4 Apr 2017 14:45:15 +0000 (+0200) Subject: Fix an endless loop DoS vulnerability in parse_packet(). X-Git-Tag: collectd-5.1.0-3+deb7u3^0 X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=a05b0dcd448b4b2ce3526e3934aa521c602ba199;p=pkg-collectd.git Fix an endless loop DoS vulnerability in parse_packet(). When a correct "Signature part" is received by a Collectd instance configured without the AuthFile option, an endless loop occurs due to a missing pointer increment to the next unprocessed part. (Closes: #859494) --- diff --git a/debian/changelog b/debian/changelog index 9fdb411..792b53f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +collectd (5.1.0-3+deb7u3) wheezy-security; urgency=high + + * CVE-2017-7401: Fix an endless loop DoS vulnerability in parse_packet(). + When a correct "Signature part" is received by a Collectd instance + configured without the AuthFile option, an endless loop occurs due to a + missing pointer increment to the next unprocessed part. (Closes: #859494) + + -- Chris Lamb Tue, 04 Apr 2017 16:45:15 +0200 + collectd (5.1.0-3+deb7u2) wheezy-security; urgency=high * debian/patches/bts833013-gcry-init.dpatch: Fix initialization of diff --git a/debian/patches/CVE-2017-7401.dpatch b/debian/patches/CVE-2017-7401.dpatch new file mode 100644 index 0000000..09b0d9c --- /dev/null +++ b/debian/patches/CVE-2017-7401.dpatch @@ -0,0 +1,44 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2017-7401.dpatch by Chris Lamb +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' collectd-5.1.0~/src/network.c collectd-5.1.0/src/network.c +--- collectd-5.1.0~/src/network.c 2012-04-02 10:04:58.000000000 +0200 ++++ collectd-5.1.0/src/network.c 2017-04-04 17:18:08.901258385 +0200 +@@ -998,14 +998,6 @@ + buffer_len = *ret_buffer_len; + buffer_offset = 0; + +- if (se->data.server.userdb == NULL) +- { +- c_complain (LOG_NOTICE, &complain_no_users, +- "network plugin: Received signed network packet but can't verify it " +- "because no user DB has been configured. Will accept it."); +- return (0); +- } +- + /* Check if the buffer has enough data for this structure. */ + if (buffer_len <= PART_SIGNATURE_SHA256_SIZE) + return (-ENOMEM); +@@ -1023,6 +1015,18 @@ + return (-1); + } + ++ if (se->data.server.userdb == NULL) ++ { ++ c_complain (LOG_NOTICE, &complain_no_users, ++ "network plugin: Received signed network packet but can't verify it " ++ "because no user DB has been configured Will accept it."); ++ ++ *ret_buffer = buffer + pss_head_length; ++ *ret_buffer_len -= pss_head_length; ++ ++ return (0); ++ } ++ + /* Copy the hash. */ + BUFFER_READ (pss.hash, sizeof (pss.hash)); +