
Merged branch 'wheezy' into jessie.
authorSebastian Harl <sh@tokkee.org>
Thu, 28 Jul 2016 19:26:00 +0000 (21:26 +0200)
committerSebastian Harl <sh@tokkee.org>
Thu, 28 Jul 2016 19:26:00 +0000 (21:26 +0200)
debian/changelog
debian/patches/00list
debian/patches/CVE-2016-6254.dpatch [new file with mode: 0644]
debian/patches/bts832577-gcry-control.dpatch [new file with mode: 0644]

index ecdc1e81c4118caf6e2af228e75383b56e1bf0a9..031793ad0e4d5c2cfb8e1603bbfac3811eae1e0e 100644 (file)
@@ -284,6 +284,22 @@ collectd (5.1.0-3.1) unstable; urgency=low
 
  -- gregor herrmann <gregoa@debian.org>  Sun, 26 May 2013 00:52:37 +0200
 
+collectd (5.1.0-3+deb7u1) wheezy-security; urgency=high
+
+  * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network
+    plugin. Emilien Gaspar has identified a heap overflow in parse_packet(),
+    the function used by the network plugin to parse incoming network packets.
+    Thanks to Florian Forster for reporting the bug in Debian.
+    (Closes: #832507, CVE-2016-6254)
+  * debian/patches/bts832577-gcry-control.dpatch: Fix improper usage of
+    gcry_control. A team of security researchers at Columbia University and
+    the University of Virginia discovered that GCrypt's gcry_control is
+    sometimes called without checking its return value for an error. This may
+    cause the program to be initialized without the desired, secure settings.
+    (Closes: #832577)
+
+ -- Sebastian Harl <tokkee@debian.org>  Thu, 28 Jul 2016 20:52:12 +0200
+
 collectd (5.1.0-3) unstable; urgency=low
 
   * debian/patches/migrate-4-5-df.dpatch, debian/collectd-core.postinst:
index f9939c617a79aa0a71b119a0b7e39be8dee43f9e..6a4b44179a27b0a0f010445fb8cc961c5fcf03d0 100644 (file)
@@ -1,3 +1,5 @@
+CVE-2016-6254.dpatch
+bts832577-gcry-control.dpatch
 rrd_filter_path.dpatch
 collection_conf_path.dpatch
 collection.cgi.dpatch
diff --git a/debian/patches/CVE-2016-6254.dpatch b/debian/patches/CVE-2016-6254.dpatch
new file mode 100644 (file)
index 0000000..46f5443
--- /dev/null
@@ -0,0 +1,47 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2016-6254.dpatch by Florian Forster <octo@collectd.org>
+##
+## DP: network plugin: Fix heap overflow in parse_packet().
+## DP:
+## DP: Emilien Gaspar has identified a heap overflow in parse_packet(), the
+## DP: function used by the network plugin to parse incoming network packets.
+## DP:
+## DP: This is a vulnerability in collectd, though the scope is not clear at
+## DP: this point. At the very least specially crafted network packets can be
+## DP: used to crash the daemon. We can't rule out a potential remote code
+## DP: execution though.
+## DP:
+## DP: Fixes: CVE-2016-6254
+## DP:
+## DP: Upstream commit:
+## DP: https://github.com/collectd/collectd/commit/b589096
+
+@DPATCH@
+
+diff a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -1392,6 +1392,7 @@
+                               printed_ignore_warning = 1;
+                       }
+                       buffer = ((char *) buffer) + pkg_length;
++                      buffer_size -= (size_t) pkg_length;
+                       continue;
+               }
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1419,6 +1420,7 @@
+                               printed_ignore_warning = 1;
+                       }
+                       buffer = ((char *) buffer) + pkg_length;
++                      buffer_size -= (size_t) pkg_length;
+                       continue;
+               }
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1560,6 +1562,7 @@
+                       DEBUG ("network plugin: parse_packet: Unknown part"
+                                       " type: 0x%04hx", pkg_type);
+                       buffer = ((char *) buffer) + pkg_length;
++                      buffer_size -= (size_t) pkg_length;
+               }
+       } /* while (buffer_size > sizeof (part_header_t)) */
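Review bot: The new `buffer_size -= (size_t) pkg_length;` at all three skip sites is safe only if `pkg_length <= buffer_size` has already been enforced for the current part, and that bound check is not visible in any of these hunks. If `buffer_size` is unsigned (the `size_t` cast suggests it is), a larger `pkg_length` would wrap it and the loop would keep reading past the received data. Please confirm the check exists earlier in the loop in the 5.1.0 source being patched, and record the dependency where it is used, e.g. `/* pkg_length <= buffer_size is checked at the top of the loop */`. The pointer advance and the size decrement now have to stay paired in three separate branches, and a missing decrement is exactly what this patch repairs; a single shared skip step would keep a future branch from updating one without the other. parse_packet() begins and ends outside these hunks, so the loop head could not be reviewed here.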
diff --git a/debian/patches/bts832577-gcry-control.dpatch b/debian/patches/bts832577-gcry-control.dpatch
new file mode 100644 (file)
index 0000000..930e834
--- /dev/null
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## bts832577-gcry-control.dpatch by Florian Forster <octo@collectd.org>
+## Backported to 5.1.0 by Sebastian Harl <tokkee@debian.org>
+##
+## DP: network plugin, libcollectdclient: Check return value of gcry_control().
+##
+## Upstream commit:
+## https://github.com/collectd/collectd/commit/8b4fed99
+## Upstream report:
+## https://github.com/collectd/collectd/issues/1665
+
+@DPATCH@
+
+diff a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -3342,6 +3342,7 @@
+ static int network_init (void)
+ {
+       static _Bool have_init = 0;
++      gcry_error_t err;
+       /* Check if we were already initialized. If so, just return - there's
+        * nothing more to do (for now, that is). */
+@@ -3350,8 +3351,18 @@
+       have_init = 1;
+ #if HAVE_LIBGCRYPT
+-      gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+-      gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
++      err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
++      if (err)
++      {
++              ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
++              return (-1);
++      }
++      err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
++      if (err)
++      {
++              ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err));
++              return (-1);
++      }
+       gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+ #endif
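Review bot: `have_init = 1;` is still set before the two newly checked gcry_control() calls. After either new `return (-1)`, a second call to network_init() would, judging by the comment above the flag, take the "already initialized" early return and leave libgcrypt without thread callbacks or secure memory. Set the flag only after the gcrypt setup has succeeded, or add `have_init = 0;` before each `return (-1);`. The declaration `gcry_error_t err;` sits outside `#if HAVE_LIBGCRYPT`, so a build without libgcrypt presumably fails on the unknown type; move it inside the guard. The last call, `gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);`, remains unchecked, which leaves the same class of problem this patch addresses. network_init() continues past the end of the hunk, and the early-return check itself is not visible here.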