From 40f5ae198d887e656fb90f96105396c76ed145b4 Mon Sep 17 00:00:00 2001 From: Sebastian Harl Date: Thu, 28 Jul 2016 23:08:06 +0200 Subject: [PATCH] Update patches for 5.5.2. --- debian/changelog | 4 + debian/patches/CVE-2016-6254.dpatch | 47 ------- debian/patches/bts832577-gcry-control.dpatch | 127 ------------------- debian/patches/bts832577-gcry-control.patch | 92 ++++++++++++++ 4 files changed, 96 insertions(+), 174 deletions(-) delete mode 100644 debian/patches/CVE-2016-6254.dpatch delete mode 100644 debian/patches/bts832577-gcry-control.dpatch create mode 100644 debian/patches/bts832577-gcry-control.patch diff --git a/debian/changelog b/debian/changelog index 7edc974..84d0149 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,6 +10,10 @@ collectd (5.5.2-1) UNRELEASED; urgency=medium GCrypt's gcry_control is sometimes called without checking its return value for an error. This may cause the program to be initialized without the desired, secure settings. (Closes: #832577) + * debian/patches: + - bts832577-gcry-control.patch: Update for 5.5.2. Mostly part of the new + upstream release, except for: Don't abort() if gcrypt initialization + failed. -- Sebastian Harl Thu, 28 Jul 2016 22:56:36 +0200 diff --git a/debian/patches/CVE-2016-6254.dpatch b/debian/patches/CVE-2016-6254.dpatch deleted file mode 100644 index b466393..0000000 --- a/debian/patches/CVE-2016-6254.dpatch +++ /dev/null @@ -1,47 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## CVE-2016-6254.dpatch by Florian Forster -## -## DP: network plugin: Fix heap overflow in parse_packet(). -## DP: -## DP: Emilien Gaspar has identified a heap overflow in parse_packet(), the -## DP: function used by the network plugin to parse incoming network packets. -## DP: -## DP: This is a vulnerability in collectd, though the scope is not clear at -## DP: this point. At the very least specially crafted network packets can be -## DP: used to crash the daemon. We can't rule out a potential remote code -## DP: execution though. -## DP: -## DP: Fixes: CVE-2016-6254 -## DP: -## DP: Upstream commit: -## DP: https://github.com/collectd/collectd/commit/b589096 - -@DPATCH@ - -diff a/src/network.c b/src/network.c ---- a/src/network.c -+++ b/src/network.c -@@ -1430,6 +1430,7 @@ - printed_ignore_warning = 1; - } - buffer = ((char *) buffer) + pkg_length; -+ buffer_size -= (size_t) pkg_length; - continue; - } - #endif /* HAVE_LIBGCRYPT */ -@@ -1457,6 +1458,7 @@ - printed_ignore_warning = 1; - } - buffer = ((char *) buffer) + pkg_length; -+ buffer_size -= (size_t) pkg_length; - continue; - } - #endif /* HAVE_LIBGCRYPT */ -@@ -1598,6 +1600,7 @@ - DEBUG ("network plugin: parse_packet: Unknown part" - " type: 0x%04hx", pkg_type); - buffer = ((char *) buffer) + pkg_length; -+ buffer_size -= (size_t) pkg_length; - } - } /* while (buffer_size > sizeof (part_header_t)) */ - diff --git a/debian/patches/bts832577-gcry-control.dpatch b/debian/patches/bts832577-gcry-control.dpatch deleted file mode 100644 index 2c70e2a..0000000 --- a/debian/patches/bts832577-gcry-control.dpatch +++ /dev/null @@ -1,127 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## bts832577-gcry-control.dpatch by Florian Forster -## and Sebastian Harl -## -## DP: network plugin, libcollectdclient: Check return value of gcry_control(). -## -## Upstream commits: -## https://github.com/collectd/collectd/commit/8b4fed99 -## https://github.com/collectd/collectd/commit/262915c4 -## https://github.com/collectd/collectd/commit/a3000cbe -## Upstream report: -## https://github.com/collectd/collectd/issues/1665 - -@DPATCH@ - -diff a/src/libcollectdclient/network_buffer.c b/src/libcollectdclient/network_buffer.c ---- a/src/libcollectdclient/network_buffer.c -+++ b/src/libcollectdclient/network_buffer.c -@@ -131,12 +131,15 @@ - need_init = 0; - - #if HAVE_LIBGCRYPT -- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); -+ if (gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread)) -+ return (0); - - if (!gcry_check_version (GCRYPT_VERSION)) - return (0); - -- gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0); -+ if (!gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0)) -+ return (0); -+ - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); - - result = 1; -diff a/src/network.c b/src/network.c ---- a/src/network.c -+++ b/src/network.c -@@ -493,13 +493,15 @@ - } /* }}} int network_dispatch_notification */ - - #if HAVE_LIBGCRYPT --static void network_init_gcrypt (void) /* {{{ */ -+static int network_init_gcrypt (void) /* {{{ */ - { -+ gcry_error_t err; -+ - /* http://lists.gnupg.org/pipermail/gcrypt-devel/2003-August/000458.html - * Because you can't know in a library whether another library has - * already initialized the library */ - if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P)) -- return; -+ return (0); - - /* http://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html - * To ensure thread-safety, it's important to set GCRYCTL_SET_THREAD_CBS -@@ -508,11 +510,25 @@ - * above doesn't count, as it doesn't implicitly initalize Libgcrypt. - * - * tl;dr: keep all these gry_* statements in this exact order please. */ -- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); -+ err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); -+ if (err) -+ { -+ ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err)); -+ return (-1); -+ } -+ - gcry_check_version (NULL); -- gcry_control (GCRYCTL_INIT_SECMEM, 32768); -+ -+ err = gcry_control (GCRYCTL_INIT_SECMEM, 32768); -+ if (err) -+ { -+ ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err)); -+ return (-1); -+ } -+ - gcry_control (GCRYCTL_INITIALIZATION_FINISHED); --} /* }}} void network_init_gcrypt */ -+ return (0); -+} /* }}} int network_init_gcrypt */ - - static gcry_cipher_hd_t network_get_aes256_cypher (sockent_t *se, /* {{{ */ - const void *iv, size_t iv_size, const char *username) -@@ -2050,7 +2066,12 @@ - { - if (se->data.client.security_level > SECURITY_LEVEL_NONE) - { -- network_init_gcrypt (); -+ if (network_init_gcrypt () < 0) -+ { -+ ERROR ("network plugin: Cannot configure client socket with " -+ "security: Failed to initialize crypto library."); -+ return (-1); -+ } - - if ((se->data.client.username == NULL) - || (se->data.client.password == NULL)) -@@ -2070,7 +2091,12 @@ - { - if (se->data.server.security_level > SECURITY_LEVEL_NONE) - { -- network_init_gcrypt (); -+ if (network_init_gcrypt () < 0) -+ { -+ ERROR ("network plugin: Cannot configure server socket with " -+ "security: Failed to initialize crypto library."); -+ return (-1); -+ } - - if (se->data.server.auth_file == NULL) - { -@@ -3395,7 +3421,11 @@ - have_init = 1; - - #if HAVE_LIBGCRYPT -- network_init_gcrypt (); -+ if (network_init_gcrypt () < 0) -+ { -+ ERROR ("network plugin: Failed to initialize crypto library."); -+ return (-1); -+ } - #endif - - if (network_config_stats != 0) diff --git a/debian/patches/bts832577-gcry-control.patch b/debian/patches/bts832577-gcry-control.patch new file mode 100644 index 0000000..14b803f --- /dev/null +++ b/debian/patches/bts832577-gcry-control.patch @@ -0,0 +1,92 @@ +Description: network plugin: Don't abort() if gcrypt initialization failed. +Author: Sebastian Harl +Origin: upstream, + commit:a3000cbe3a12163148a28c818269bbdabda1cf5c +Bug-Debian: https://bugs.debian.org/832577 +Last-Update: 2016-07-28 + +diff a/src/network.c b/src/network.c +--- a/src/network.c ++++ b/src/network.c +@@ -498,7 +498,7 @@ + } /* }}} int network_dispatch_notification */ + + #if HAVE_LIBGCRYPT +-static void network_init_gcrypt (void) /* {{{ */ ++static int network_init_gcrypt (void) /* {{{ */ + { + gcry_error_t err; + +@@ -506,7 +506,7 @@ + * Because you can't know in a library whether another library has + * already initialized the library */ + if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P)) +- return; ++ return (0); + + /* http://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html + * To ensure thread-safety, it's important to set GCRYCTL_SET_THREAD_CBS +@@ -520,7 +520,7 @@ + if (err) + { + ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err)); +- abort (); ++ return (-1); + } + # endif + +@@ -530,11 +530,11 @@ + if (err) + { + ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err)); +- abort (); ++ return (-1); + } + + gcry_control (GCRYCTL_INITIALIZATION_FINISHED); +-} /* }}} void network_init_gcrypt */ ++} /* }}} int network_init_gcrypt */ + + static gcry_cipher_hd_t network_get_aes256_cypher (sockent_t *se, /* {{{ */ + const void *iv, size_t iv_size, const char *username) +@@ -2077,7 +2077,12 @@ + { + if (se->data.client.security_level > SECURITY_LEVEL_NONE) + { +- network_init_gcrypt (); ++ if (network_init_gcrypt () < 0) ++ { ++ ERROR ("network plugin: Cannot configure client socket with " ++ "security: Failed to initialize crypto library."); ++ return (-1); ++ } + + if ((se->data.client.username == NULL) + || (se->data.client.password == NULL)) +@@ -2097,7 +2102,12 @@ + { + if (se->data.server.security_level > SECURITY_LEVEL_NONE) + { +- network_init_gcrypt (); ++ if (network_init_gcrypt () < 0) ++ { ++ ERROR ("network plugin: Cannot configure server socket with " ++ "security: Failed to initialize crypto library."); ++ return (-1); ++ } + + if (se->data.server.auth_file == NULL) + { +@@ -3548,7 +3558,11 @@ + have_init = 1; + + #if HAVE_LIBGCRYPT +- network_init_gcrypt (); ++ if (network_init_gcrypt () < 0) ++ { ++ ERROR ("network plugin: Failed to initialize crypto library."); ++ return (-1); ++ } + #endif + + if (network_config_stats != 0) -- 2.30.2