author | Sebastian Harl <sh@tokkee.org> | |
Thu, 28 Jul 2016 21:08:06 +0000 (23:08 +0200) | ||
committer | Sebastian Harl <sh@tokkee.org> | |
Thu, 28 Jul 2016 21:08:06 +0000 (23:08 +0200) |
debian/changelog | patch | blob | history | |
debian/patches/CVE-2016-6254.dpatch | [deleted file] | patch | blob | history |
debian/patches/bts832577-gcry-control.dpatch | [deleted file] | patch | blob | history |
debian/patches/bts832577-gcry-control.patch | [new file with mode: 0644] | patch | blob |
diff --git a/debian/changelog b/debian/changelog
index 7edc974b48982af1671184cc1b2a5f7080cff1fa..84d0149393a2d06212ae0d4493ab519222b6e6c3 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
GCrypt's gcry_control is sometimes called without checking its return
value for an error. This may cause the program to be initialized without
the desired, secure settings. (Closes: #832577)
+ * debian/patches:
+ - bts832577-gcry-control.patch: Update for 5.5.2. Mostly part of the new
+ upstream release, except for: Don't abort() if gcrypt initialization
+ failed.
-- Sebastian Harl <tokkee@debian.org> Thu, 28 Jul 2016 22:56:36 +0200
diff --git a/debian/patches/CVE-2016-6254.dpatch b/debian/patches/CVE-2016-6254.dpatch
+++ /dev/null
@@ -1,47 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## CVE-2016-6254.dpatch by Florian Forster <octo@collectd.org>
-##
-## DP: network plugin: Fix heap overflow in parse_packet().
-## DP:
-## DP: Emilien Gaspar has identified a heap overflow in parse_packet(), the
-## DP: function used by the network plugin to parse incoming network packets.
-## DP:
-## DP: This is a vulnerability in collectd, though the scope is not clear at
-## DP: this point. At the very least specially crafted network packets can be
-## DP: used to crash the daemon. We can't rule out a potential remote code
-## DP: execution though.
-## DP:
-## DP: Fixes: CVE-2016-6254
-## DP:
-## DP: Upstream commit:
-## DP: https://github.com/collectd/collectd/commit/b589096
-
-@DPATCH@
-
-diff a/src/network.c b/src/network.c
---- a/src/network.c
-+++ b/src/network.c
-@@ -1430,6 +1430,7 @@
- printed_ignore_warning = 1;
- }
- buffer = ((char *) buffer) + pkg_length;
-+ buffer_size -= (size_t) pkg_length;
- continue;
- }
- #endif /* HAVE_LIBGCRYPT */
-@@ -1457,6 +1458,7 @@
- printed_ignore_warning = 1;
- }
- buffer = ((char *) buffer) + pkg_length;
-+ buffer_size -= (size_t) pkg_length;
- continue;
- }
- #endif /* HAVE_LIBGCRYPT */
-@@ -1598,6 +1600,7 @@
- DEBUG ("network plugin: parse_packet: Unknown part"
- " type: 0x%04hx", pkg_type);
- buffer = ((char *) buffer) + pkg_length;
-+ buffer_size -= (size_t) pkg_length;
- }
- } /* while (buffer_size > sizeof (part_header_t)) */
-
diff --git a/debian/patches/bts832577-gcry-control.dpatch b/debian/patches/bts832577-gcry-control.dpatch
+++ /dev/null
@@ -1,127 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## bts832577-gcry-control.dpatch by Florian Forster <octo@collectd.org>
-## and Sebastian Harl <tokkee@debian.org>
-##
-## DP: network plugin, libcollectdclient: Check return value of gcry_control().
-##
-## Upstream commits:
-## https://github.com/collectd/collectd/commit/8b4fed99
-## https://github.com/collectd/collectd/commit/262915c4
-## https://github.com/collectd/collectd/commit/a3000cbe
-## Upstream report:
-## https://github.com/collectd/collectd/issues/1665
-
-@DPATCH@
-
-diff a/src/libcollectdclient/network_buffer.c b/src/libcollectdclient/network_buffer.c
---- a/src/libcollectdclient/network_buffer.c
-+++ b/src/libcollectdclient/network_buffer.c
-@@ -131,12 +131,15 @@
- need_init = 0;
-
- #if HAVE_LIBGCRYPT
-- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
-+ if (gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread))
-+ return (0);
-
- if (!gcry_check_version (GCRYPT_VERSION))
- return (0);
-
-- gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
-+ if (!gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0))
-+ return (0);
-+
- gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
-
- result = 1;
-diff a/src/network.c b/src/network.c
---- a/src/network.c
-+++ b/src/network.c
-@@ -493,13 +493,15 @@
- } /* }}} int network_dispatch_notification */
-
- #if HAVE_LIBGCRYPT
--static void network_init_gcrypt (void) /* {{{ */
-+static int network_init_gcrypt (void) /* {{{ */
- {
-+ gcry_error_t err;
-+
- /* http://lists.gnupg.org/pipermail/gcrypt-devel/2003-August/000458.html
- * Because you can't know in a library whether another library has
- * already initialized the library */
- if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P))
-- return;
-+ return (0);
-
- /* http://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html
- * To ensure thread-safety, it's important to set GCRYCTL_SET_THREAD_CBS
-@@ -508,11 +510,25 @@
- * above doesn't count, as it doesn't implicitly initalize Libgcrypt.
- *
- * tl;dr: keep all these gry_* statements in this exact order please. */
-- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
-+ err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
-+ if (err)
-+ {
-+ ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
-+ return (-1);
-+ }
-+
- gcry_check_version (NULL);
-- gcry_control (GCRYCTL_INIT_SECMEM, 32768);
-+
-+ err = gcry_control (GCRYCTL_INIT_SECMEM, 32768);
-+ if (err)
-+ {
-+ ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err));
-+ return (-1);
-+ }
-+
- gcry_control (GCRYCTL_INITIALIZATION_FINISHED);
--} /* }}} void network_init_gcrypt */
-+ return (0);
-+} /* }}} int network_init_gcrypt */
-
- static gcry_cipher_hd_t network_get_aes256_cypher (sockent_t *se, /* {{{ */
- const void *iv, size_t iv_size, const char *username)
-@@ -2050,7 +2066,12 @@
- {
- if (se->data.client.security_level > SECURITY_LEVEL_NONE)
- {
-- network_init_gcrypt ();
-+ if (network_init_gcrypt () < 0)
-+ {
-+ ERROR ("network plugin: Cannot configure client socket with "
-+ "security: Failed to initialize crypto library.");
-+ return (-1);
-+ }
-
- if ((se->data.client.username == NULL)
- || (se->data.client.password == NULL))
-@@ -2070,7 +2091,12 @@
- {
- if (se->data.server.security_level > SECURITY_LEVEL_NONE)
- {
-- network_init_gcrypt ();
-+ if (network_init_gcrypt () < 0)
-+ {
-+ ERROR ("network plugin: Cannot configure server socket with "
-+ "security: Failed to initialize crypto library.");
-+ return (-1);
-+ }
-
- if (se->data.server.auth_file == NULL)
- {
-@@ -3395,7 +3421,11 @@
- have_init = 1;
-
- #if HAVE_LIBGCRYPT
-- network_init_gcrypt ();
-+ if (network_init_gcrypt () < 0)
-+ {
-+ ERROR ("network plugin: Failed to initialize crypto library.");
-+ return (-1);
-+ }
- #endif
-
- if (network_config_stats != 0)
diff --git a/debian/patches/bts832577-gcry-control.patch b/debian/patches/bts832577-gcry-control.patch
--- /dev/null
@@ -0,0 +1,92 @@
+Description: network plugin: Don't abort() if gcrypt initialization failed.
+Author: Sebastian Harl <sh@tokkee.org>
+Origin: upstream,
+ commit:a3000cbe3a12163148a28c818269bbdabda1cf5c
+Bug-Debian: https://bugs.debian.org/832577
+Last-Update: 2016-07-28
+
+diff a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -498,7 +498,7 @@
+ } /* }}} int network_dispatch_notification */
+
+ #if HAVE_LIBGCRYPT
+-static void network_init_gcrypt (void) /* {{{ */
++static int network_init_gcrypt (void) /* {{{ */
+ {
+ gcry_error_t err;
+
+@@ -506,7 +506,7 @@
+ * Because you can't know in a library whether another library has
+ * already initialized the library */
+ if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P))
+- return;
++ return (0);
+
+ /* http://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html
+ * To ensure thread-safety, it's important to set GCRYCTL_SET_THREAD_CBS
+@@ -520,7 +520,7 @@
+ if (err)
+ {
+ ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
+- abort ();
++ return (-1);
+ }
+ # endif
+
+@@ -530,11 +530,11 @@
+ if (err)
+ {
+ ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
+- abort ();
++ return (-1);
+ }
+
+ gcry_control (GCRYCTL_INITIALIZATION_FINISHED);
+-} /* }}} void network_init_gcrypt */
++} /* }}} int network_init_gcrypt */
+
+ static gcry_cipher_hd_t network_get_aes256_cypher (sockent_t *se, /* {{{ */
+ const void *iv, size_t iv_size, const char *username)
+@@ -2077,7 +2077,12 @@
+ {
+ if (se->data.client.security_level > SECURITY_LEVEL_NONE)
+ {
+- network_init_gcrypt ();
++ if (network_init_gcrypt () < 0)
++ {
++ ERROR ("network plugin: Cannot configure client socket with "
++ "security: Failed to initialize crypto library.");
++ return (-1);
++ }
+
+ if ((se->data.client.username == NULL)
+ || (se->data.client.password == NULL))
+@@ -2097,7 +2102,12 @@
+ {
+ if (se->data.server.security_level > SECURITY_LEVEL_NONE)
+ {
+- network_init_gcrypt ();
++ if (network_init_gcrypt () < 0)
++ {
++ ERROR ("network plugin: Cannot configure server socket with "
++ "security: Failed to initialize crypto library.");
++ return (-1);
++ }
+
+ if (se->data.server.auth_file == NULL)
+ {
+@@ -3548,7 +3558,11 @@
+ have_init = 1;
+
+ #if HAVE_LIBGCRYPT
+- network_init_gcrypt ();
++ if (network_init_gcrypt () < 0)
++ {
++ ERROR ("network plugin: Failed to initialize crypto library.");
++ return (-1);
++ }
+ #endif
+
+ if (network_config_stats != 0)
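Review bot: The success path of `network_init_gcrypt` no longer returns a value: the hunk at `@@ -530,11 +530,11 @@` makes the function `int` and turns each `abort ()` into `return (-1)`, but adds no `return (0);` after `gcry_control (GCRYCTL_INITIALIZATION_FINISHED);`, so on success control falls off the end of a non-void function and every caller's `if (network_init_gcrypt () < 0)` reads an indeterminate value (undefined behavior under C11 6.9.1, and in practice whatever the last gcry_control call left behind). The superseded dpatch earlier on this page did add `+ return (0);` at exactly that point, and the equal old/new counts in this hunk suggest the line was lost in the rewrite; the fix is the single added line `return (0);` before the closing brace, with the hunk header becoming `+530,12`. Separately, the unchanged context line `ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", ...)` in that same hunk appears to belong to the secure-memory call (the `# endif` two lines earlier closes the thread-callback block, and the old dpatch labelled this message `GCRYCTL_INIT_SECMEM`), so a failure to set up secure memory would be logged under the wrong control command; since this is the diagnostic an operator sees when the plugin refuses to start with security enabled, it is worth correcting in the same patch, hedged on the assumption that the 5.5.2 source matches the context shown here.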