From: Sebastian Harl <sh@tokkee.org>
Date: Wed, 27 Jul 2016 08:20:37 +0000 (+0200)
Subject: patches/CVE-2016-6254.dpatch: Fix heap overflow in the network plugin.
X-Git-Tag: collectd-5.5.2-1~5^2~3^2~2
X-Git-Url: https://git.tokkee.org/?p=pkg-collectd.git;a=commitdiff_plain;h=ac4e97fc52177387a48f70c63fc834f841fb1027

patches/CVE-2016-6254.dpatch: Fix heap overflow in the network plugin.

Emilien Gaspar has identified a heap overflow in parse_packet(), the function
used by the network plugin to parse incoming network packets.

Thanks to Florian Forster for reporting the bug in Debian.
Closes: #832507, CVE-2016-6254
---

diff --git a/debian/changelog b/debian/changelog
index ba1e1d6..aa6a82c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+collectd (5.1.0-3+deb7u1) UNRELEASED; urgency=high
+
+  * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network
+    plugin. Emilien Gaspar has identified a heap overflow in parse_packet(),
+    the function used by the network plugin to parse incoming network packets.
+    Thanks to Florian Forster for reporting the bug in Debian.
+    (Closes: #832507, CVE-2016-6254)
+
+ -- Sebastian Harl <tokkee@debian.org>  Wed, 27 Jul 2016 10:14:42 +0200
+
 collectd (5.1.0-3) unstable; urgency=low
 
   * debian/patches/migrate-4-5-df.dpatch, debian/collectd-core.postinst:
diff --git a/debian/patches/00list b/debian/patches/00list
index 390f00f..5862f16 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,3 +1,4 @@
+CVE-2016-6254.dpatch
 rrd_filter_path.dpatch
 collection_conf_path.dpatch
 bts559801_plugin_find_fix.dpatch
diff --git a/debian/patches/CVE-2016-6254.dpatch b/debian/patches/CVE-2016-6254.dpatch
new file mode 100644
index 0000000..44cdc01
--- /dev/null
+++ b/debian/patches/CVE-2016-6254.dpatch
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2016-6254.dpatch by Florian Forster <octo@collectd.org>
+##
+## DP: network plugin: Fix heap overflow in parse_packet().
+## DP:
+## DP: Emilien Gaspar has identified a heap overflow in parse_packet(), the
+## DP: function used by the network plugin to parse incoming network packets.
+## DP:
+## DP: This is a vulnerability in collectd, though the scope is not clear at
+## DP: this point. At the very least specially crafted network packets can be
+## DP: used to crash the daemon. We can't rule out a potential remote code
+## DP: execution though.
+## DP:
+## DP: Fixes: CVE-2016-6254
+## DP:
+## DP: Upstream commit:
+## DP: https://github.com/collectd/collectd/commit/b589096
+
+diff a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -1392,6 +1392,7 @@
+ 				printed_ignore_warning = 1;
+ 			}
+ 			buffer = ((char *) buffer) + pkg_length;
++			buffer_size -= (size_t) pkg_length;
+ 			continue;
+ 		}
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1419,6 +1420,7 @@
+ 				printed_ignore_warning = 1;
+ 			}
+ 			buffer = ((char *) buffer) + pkg_length;
++			buffer_size -= (size_t) pkg_length;
+ 			continue;
+ 		}
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1560,6 +1562,7 @@
+ 			DEBUG ("network plugin: parse_packet: Unknown part"
+ 					" type: 0x%04hx", pkg_type);
+ 			buffer = ((char *) buffer) + pkg_length;
++			buffer_size -= (size_t) pkg_length;
+ 		}
+ 	} /* while (buffer_size > sizeof (part_header_t)) */
+