From eac2b137c79e212772114cd3bcc6637090fbf2ae Mon Sep 17 00:00:00 2001
From: Sebastian Harl
Date: Thu, 28 Jul 2016 22:24:10 +0200
Subject: [PATCH] Update CVE-2016-6254 and bts832577-gcry-control patches for 5.4.1.

---
 debian/patches/CVE-2016-6254.dpatch | 6 +-
 debian/patches/bts832577-gcry-control.dpatch | 124 +++++++++++++++----
 2 files changed, 106 insertions(+), 24 deletions(-)

diff --git a/debian/patches/CVE-2016-6254.dpatch b/debian/patches/CVE-2016-6254.dpatch
index 46f5443..b466393 100644
--- a/debian/patches/CVE-2016-6254.dpatch
+++ b/debian/patches/CVE-2016-6254.dpatch
@@ -21,7 +21,7 @@ diff a/src/network.c b/src/network.c
 --- a/src/network.c
 +++ b/src/network.c
-@@ -1392,6 +1392,7 @@
+@@ -1430,6 +1430,7 @@
 printed_ignore_warning = 1;
 }
 buffer = ((char *) buffer) + pkg_length;
@@ -29,7 +29,7 @@ diff a/src/network.c b/src/network.c
 continue;
 }
 #endif /* HAVE_LIBGCRYPT */
-@@ -1419,6 +1420,7 @@
+@@ -1457,6 +1458,7 @@
 printed_ignore_warning = 1;
 }
 buffer = ((char *) buffer) + pkg_length;
@@ -37,7 +37,7 @@ diff a/src/network.c b/src/network.c
 continue;
 }
 #endif /* HAVE_LIBGCRYPT */
-@@ -1560,6 +1562,7 @@
+@@ -1598,6 +1600,7 @@
 DEBUG ("network plugin: parse_packet: Unknown part"
 " type: 0x%04hx", pkg_type);
 buffer = ((char *) buffer) + pkg_length;
diff --git a/debian/patches/bts832577-gcry-control.dpatch b/debian/patches/bts832577-gcry-control.dpatch
index 930e834..2c70e2a 100644
--- a/debian/patches/bts832577-gcry-control.dpatch
+++ b/debian/patches/bts832577-gcry-control.dpatch
@@ -1,45 +1,127 @@ #! /bin/sh /usr/share/dpatch/dpatch-run ## bts832577-gcry-control.dpatch by Florian Forster -## Backported to 5.1.0 by Sebastian Harl +## and Sebastian Harl ## ## DP: network plugin, libcollectdclient: Check return value of gcry_control(). ## -## Upstream commit: +## Upstream commits: ## https://github.com/collectd/collectd/commit/8b4fed99 +## https://github.com/collectd/collectd/commit/262915c4 +## https://github.com/collectd/collectd/commit/a3000cbe ## Upstream report: ## https://github.com/collectd/collectd/issues/1665 @DPATCH@ +diff a/src/libcollectdclient/network_buffer.c b/src/libcollectdclient/network_buffer.c +--- a/src/libcollectdclient/network_buffer.c ++++ b/src/libcollectdclient/network_buffer.c +@@ -131,12 +131,15 @@ + need_init = 0; + + #if HAVE_LIBGCRYPT +- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); ++ if (gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread)) ++ return (0); + + if (!gcry_check_version (GCRYPT_VERSION)) + return (0); + +- gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0); ++ if (!gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0)) ++ return (0); ++ + gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + + result = 1; diff a/src/network.c b/src/network.c --- a/src/network.c 
+++ b/src/network.c -@@ -3342,6 +3342,7 @@ - static int network_init (void) +@@ -493,13 +493,15 @@ + } /* }}} int network_dispatch_notification */ + + #if HAVE_LIBGCRYPT +-static void network_init_gcrypt (void) /* {{{ */ ++static int network_init_gcrypt (void) /* {{{ */ { - static _Bool have_init = 0; -+ gcry_error_t err; ++ gcry_error_t err; ++ + /* http://lists.gnupg.org/pipermail/gcrypt-devel/2003-August/000458.html + * Because you can't know in a library whether another library has + * already initialized the library */ + if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P)) +- return; ++ return (0); - /* Check if we were already initialized. If so, just return - there's - * nothing more to do (for now, that is). */ -@@ -3350,8 +3351,18 @@ + /* http://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html + * To ensure thread-safety, it's important to set GCRYCTL_SET_THREAD_CBS +@@ -508,11 +510,25 @@ + * above doesn't count, as it doesn't implicitly initalize Libgcrypt. + * + * tl;dr: keep all these gry_* statements in this exact order please. 
*/ +- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); ++ err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); ++ if (err) ++ { ++ ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err)); ++ return (-1); ++ } ++ + gcry_check_version (NULL); +- gcry_control (GCRYCTL_INIT_SECMEM, 32768); ++ ++ err = gcry_control (GCRYCTL_INIT_SECMEM, 32768); ++ if (err) ++ { ++ ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err)); ++ return (-1); ++ } ++ + gcry_control (GCRYCTL_INITIALIZATION_FINISHED); +-} /* }}} void network_init_gcrypt */ ++ return (0); ++} /* }}} int network_init_gcrypt */ + + static gcry_cipher_hd_t network_get_aes256_cypher (sockent_t *se, /* {{{ */ + const void *iv, size_t iv_size, const char *username) +@@ -2050,7 +2066,12 @@ + { + if (se->data.client.security_level > SECURITY_LEVEL_NONE) + { +- network_init_gcrypt (); ++ if (network_init_gcrypt () < 0) ++ { ++ ERROR ("network plugin: Cannot configure client socket with " ++ "security: Failed to initialize crypto library."); ++ return (-1); ++ } + + if ((se->data.client.username == NULL) + || (se->data.client.password == NULL)) +@@ -2070,7 +2091,12 @@ + { + if (se->data.server.security_level > SECURITY_LEVEL_NONE) + { +- network_init_gcrypt (); ++ if (network_init_gcrypt () < 0) ++ { ++ ERROR ("network plugin: Cannot configure server socket with " ++ "security: Failed to initialize crypto library."); ++ return (-1); ++ } + + if (se->data.server.auth_file == NULL) + { +@@ -3395,7 +3421,11 @@ have_init = 1; #if HAVE_LIBGCRYPT -- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); -- gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0); -+ err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); -+ if (err) -+ { -+ ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err)); -+ return (-1); -+ } -+ err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0); -+ if 
(err) +- network_init_gcrypt (); ++ if (network_init_gcrypt () < 0) + { -+ ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err)); ++ ERROR ("network plugin: Failed to initialize crypto library."); + return (-1); + } - gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); #endif + if (network_config_stats != 0) -- 2.30.2
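Review bot: The GCRYCTL_INIT_SECMEM check added to src/libcollectdclient/network_buffer.c (inner hunk `@@ -131,12 +131,15 @@`) is inverted relative to the GCRYCTL_SET_THREAD_CBS check three lines above it and to the `if (err)` checks the same dpatch adds to src/network.c: `gcry_control()` returns a `gcry_error_t` that is 0 on success, so `if (!gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0)) return (0);` makes initialization report failure when the secure-memory pool was set up and carry on when it was not (as far as I recall libgcrypt reports an error here when the pool could not be locked), which is the case the check exists to catch. The line should read `if (gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0)) return (0);`. The enclosing function's name is outside the inner hunk's context (only `need_init = 0;` is visible), so I cannot tell from here which caller observes the 0. The `GCRYCTL_INITIALIZATION_FINISHED` calls in both files remain unchecked; that mirrors upstream and is less consequential, but a one-line comment saying the result is deliberately ignored would stop the next reader from "fixing" it the same way.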