From 96d473da965afd39097d8ba6feb4aaa7ed1c3b93 Mon Sep 17 00:00:00 2001
From: Sebastian Harl
Date: Wed, 3 Aug 2016 22:59:41 +0200
Subject: [PATCH] patches/: Added bts833013-gcry-init.dpatch.
Fix initialization of libgcrypt: Initialize the library before using any other functions to ensure that thread-safety is set up appropriately. This fixes potential crashes of the network plugin and a regression introduced in 5.1.0-3+deb7u1 which ultimately surfaced the issue. Thanks to Antoine Sirinelli for reporting this. Closes: #833013
---
 debian/changelog | 11 +++
 debian/patches/00list | 1 +
 debian/patches/bts833013-gcry-init.dpatch | 97 +++++++++++++++++++++++
 3 files changed, 109 insertions(+)
 create mode 100644 debian/patches/bts833013-gcry-init.dpatch
diff --git a/debian/changelog b/debian/changelog
index 6f83f95..9fdb411 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+collectd (5.1.0-3+deb7u2) wheezy-security; urgency=high
+
+ * debian/patches/bts833013-gcry-init.dpatch: Fix initialization of
+ libgcrypt: Initialize the library before using any other functions to
+ ensure that thread-safety is set up appropriately. This fixes potential
+ crashes of the network plugin and a regression introduced in
+ 5.1.0-3+deb7u1 which ultimately surfaced the issue. Thanks to Antoine
+ Sirinelli for reporting this. (Closes: #833013)
+
+ -- Sebastian Harl Wed, 03 Aug 2016 22:59:23 +0200
+
 collectd (5.1.0-3+deb7u1) wheezy-security; urgency=high
 
 * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network
diff --git a/debian/patches/00list b/debian/patches/00list
index 1e263d1..4701dab 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,5 +1,6 @@
 CVE-2016-6254.dpatch
 bts832577-gcry-control.dpatch
+bts833013-gcry-init.dpatch
 rrd_filter_path.dpatch
 collection_conf_path.dpatch
 bts559801_plugin_find_fix.dpatch
diff --git a/debian/patches/bts833013-gcry-init.dpatch b/debian/patches/bts833013-gcry-init.dpatch
new file mode 100644
index 0000000..844ceea
--- /dev/null
+++ b/debian/patches/bts833013-gcry-init.dpatch
@@ -0,0 +1,97 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## bts833013-gcry-init.dpatch by Florian Forster
+## Backported to 5.1.0 by Sebastian Harl
+## Rebased on top of bts832577-gcry-control.dpatch
+##
+## DP: Make sure gcrypt is initialized before using any of its functions.
+## DP:
+## DP: @marekbecka found that gcrypt functionality is called during the
+## DP: configuration phase, but the library is only initialized later during
+## DP: the initialization phase.
+## DP:
+## DP: Upstream commit:
+## DP: https://github.com/collectd/collectd/commit/0ec776a
+## DP: Upstream report:
+## DP: https://github.com/collectd/collectd/issues/273
+
+@DPATCH@
+
+diff a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -476,6 +476,28 @@
+ } /* }}} int network_dispatch_notification */
+
+ #if HAVE_LIBGCRYPT
++static void network_init_gcrypt (void) /* {{{ */
++{
++ gcry_error_t err;
++
++ if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P))
++ return;
++
++ err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
++ if (err)
++ {
++ ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
++ return (-1);
++ }
++ err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
++ if (err)
++ {
++ ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err));
++ return (-1);
++ }
++ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
++} /* }}} void network_init_gcrypt */
++
+ static gcry_cipher_hd_t network_get_aes256_cypher (sockent_t *se, /* {{{ */
+ const void *iv, size_t iv_size, const char *username)
+ {
+@@ -2011,6 +2033,8 @@
+ {
+ if (se->data.client.security_level > SECURITY_LEVEL_NONE)
+ {
++ network_init_gcrypt ();
++
+ if ((se->data.client.username == NULL)
+ || (se->data.client.password == NULL))
+ {
+@@ -2029,6 +2053,8 @@
+ {
+ if (se->data.server.security_level > SECURITY_LEVEL_NONE)
+ {
++ network_init_gcrypt ();
++
+ if (se->data.server.auth_file == NULL)
+ {
+ ERROR ("network plugin: Server socket with "
+@@ -3345,7 +3371,6 @@
+ static int network_init (void)
+ {
+ static _Bool have_init = 0;
+- gcry_error_t err;
+
+ /* Check if we were already initialized. If so, just return - there's
+ * nothing more to do (for now, that is). */
+@@ -3354,19 +3379,7 @@
+ have_init = 1;
+
+ #if HAVE_LIBGCRYPT
+- err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+- if (err)
+- {
+- ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
+- return (-1);
+- }
+- err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
+- if (err)
+- {
+- ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err));
+- return (-1);
+- }
+- gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
++ network_init_gcrypt ();
+ #endif
+
+ if (network_config_stats != 0)
-- 2.30.2
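Review bot: In the embedded `src/network.c` patch, `network_init_gcrypt` is declared `static void` yet both of its error paths execute `return (-1);`, which C does not allow in a void function and which also discards the failure. The last inner hunk replaces the old `return (-1)` paths in `network_init` with a bare `network_init_gcrypt ();`, so a failed `GCRYCTL_SET_THREAD_CBS` or `GCRYCTL_INIT_SECMEM` is now only logged and start-up continues. The two configuration-time call sites behave the same way and fall through to the username/password and `auth_file` checks, so a socket with a security level above `SECURITY_LEVEL_NONE` can be set up while libgcrypt's thread callbacks or secure memory were never established. I would make the helper return `int` and check it at every call site; the two configuration call sites should fail the socket setup with whatever error return their enclosing functions use, which begin outside these hunks.

```c
static int network_init_gcrypt (void) /* {{{ */
{
  /* … unchanged: declaration of err … */
  if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P))
    return (0);
  /* … unchanged: GCRYCTL_SET_THREAD_CBS and GCRYCTL_INIT_SECMEM calls with their return (-1) paths … */
  gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
  return (0);
} /* }}} int network_init_gcrypt */

/* … in network_init, replacing the bare call … */
  if (network_init_gcrypt () < 0)
    return (-1);
```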