From ac4e97fc52177387a48f70c63fc834f841fb1027 Mon Sep 17 00:00:00 2001 From: Sebastian Harl Date: Wed, 27 Jul 2016 10:20:37 +0200 Subject: [PATCH] patches/CVE-2016-6254.dpatch: Fix heap overflow in the network plugin. Emilien Gaspar has identified a heap overflow in parse_packet(), the function used by the network plugin to parse incoming network packets. Thanks to Florian Forster for reporting the bug in Debian. Closes: #832507, CVE-2016-6254 --- debian/changelog | 10 +++++++ debian/patches/00list | 1 + debian/patches/CVE-2016-6254.dpatch | 45 +++++++++++++++++++++++++++++ 3 files changed, 56 insertions(+) create mode 100644 debian/patches/CVE-2016-6254.dpatch diff --git a/debian/changelog b/debian/changelog index ba1e1d6..aa6a82c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +collectd (5.1.0-3+deb7u1) UNRELEASED; urgency=high + + * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network + plugin. Emilien Gaspar has identified a heap overflow in parse_packet(), + the function used by the network plugin to parse incoming network packets. + Thanks to Florian Forster for reporting the bug in Debian. + (Closes: #832507, CVE-2016-6254) + + -- Sebastian Harl Wed, 27 Jul 2016 10:14:42 +0200 + collectd (5.1.0-3) unstable; urgency=low * debian/patches/migrate-4-5-df.dpatch, debian/collectd-core.postinst: diff --git a/debian/patches/00list b/debian/patches/00list index 390f00f..5862f16 100644 --- a/debian/patches/00list +++ b/debian/patches/00list @@ -1,3 +1,4 @@ +CVE-2016-6254.dpatch rrd_filter_path.dpatch collection_conf_path.dpatch bts559801_plugin_find_fix.dpatch diff --git a/debian/patches/CVE-2016-6254.dpatch b/debian/patches/CVE-2016-6254.dpatch new file mode 100644 index 0000000..44cdc01 --- /dev/null +++ b/debian/patches/CVE-2016-6254.dpatch 
@@ -0,0 +1,45 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2016-6254.dpatch by Florian Forster +## +## DP: network plugin: Fix heap overflow in parse_packet(). +## DP: +## DP: Emilien Gaspar has identified a heap overflow in parse_packet(), the +## DP: function used by the network plugin to parse incoming network packets. +## DP: +## DP: This is a vulnerability in collectd, though the scope is not clear at +## DP: this point. At the very least specially crafted network packets can be +## DP: used to crash the daemon. We can't rule out a potential remote code +## DP: execution though. +## DP: +## DP: Fixes: CVE-2016-6254 +## DP: +## DP: Upstream commit: +## DP: https://github.com/collectd/collectd/commit/b589096 + +diff a/src/network.c b/src/network.c +--- a/src/network.c ++++ b/src/network.c +@@ -1392,6 +1392,7 @@ + printed_ignore_warning = 1; + } + buffer = ((char *) buffer) + pkg_length; ++ buffer_size -= (size_t) pkg_length; + continue; + } + #endif /* HAVE_LIBGCRYPT */ +@@ -1419,6 +1420,7 @@ + printed_ignore_warning = 1; + } + buffer = ((char *) buffer) + pkg_length; ++ buffer_size -= (size_t) pkg_length; + continue; + } + #endif /* HAVE_LIBGCRYPT */ +@@ -1560,6 +1562,7 @@ + DEBUG ("network plugin: parse_packet: Unknown part" + " type: 0x%04hx", pkg_type); + buffer = ((char *) buffer) + pkg_length; ++ buffer_size -= (size_t) pkg_length; + } + } /* while (buffer_size > sizeof (part_header_t)) */ + -- 2.30.2
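Review bot: The new debian/changelog entry still carries the distribution UNRELEASED next to version 5.1.0-3+deb7u1 and urgency=high. Set the target suite for this upload before it is built, and refresh the trailer date at the same time, so the entry that ships matches what was actually uploaded.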
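Review bot: In the three src/network.c hunks, the added "buffer_size -= (size_t) pkg_length;" is an unsigned subtraction, and nothing in the visible context shows pkg_length being checked against buffer_size beforehand. If pkg_length can be larger than buffer_size on these skip paths, the result wraps to a very large value and the "while (buffer_size > sizeof (part_header_t))" condition stays true with buffer pointing past the received data. A pkg_length of 0 would leave both buffer and buffer_size unchanged, so the loop would make no progress. Please confirm that the loop body rejects both cases before reaching these lines, or add an explicit "if (pkg_length > buffer_size) break;" style guard next to the subtraction.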
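Review bot: The same pair of statements (advance buffer by pkg_length, reduce buffer_size by pkg_length) now appears by hand at three places in parse_packet(), at the hunks around lines 1392, 1419 and 1560, which is the pattern that let the length update be forgotten in the first place. Consider folding the two statements into one small helper or macro that always updates pointer and remaining size together, and add a short comment at the "Unknown part type" branch stating that unknown parts are skipped by their declared length.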