From a05b0dcd448b4b2ce3526e3934aa521c602ba199 Mon Sep 17 00:00:00 2001
From: Chris Lamb
Date: Tue, 4 Apr 2017 16:45:15 +0200
Subject: [PATCH] Fix an endless loop DoS vulnerability in parse_packet().

When a correct "Signature part" is received by a Collectd instance configured without the AuthFile option, an endless loop occurs due to a missing pointer increment to the next unprocessed part. (Closes: #859494)
---
debian/changelog | 9 ++++++
debian/patches/CVE-2017-7401.dpatch | 44 +++++++++++++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 debian/patches/CVE-2017-7401.dpatch

diff --git a/debian/changelog b/debian/changelog
index 9fdb411..792b53f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+collectd (5.1.0-3+deb7u3) wheezy-security; urgency=high
+
+ * CVE-2017-7401: Fix an endless loop DoS vulnerability in parse_packet().
+ When a correct "Signature part" is received by a Collectd instance
+ configured without the AuthFile option, an endless loop occurs due to a
+ missing pointer increment to the next unprocessed part. (Closes: #859494)
+
+ -- Chris Lamb Tue, 04 Apr 2017 16:45:15 +0200
+
 collectd (5.1.0-3+deb7u2) wheezy-security; urgency=high
 
 * debian/patches/bts833013-gcry-init.dpatch: Fix initialization of
diff --git a/debian/patches/CVE-2017-7401.dpatch b/debian/patches/CVE-2017-7401.dpatch
new file mode 100644
index 0000000..09b0d9c
--- /dev/null
+++ b/debian/patches/CVE-2017-7401.dpatch
@@ -0,0 +1,44 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2017-7401.dpatch by Chris Lamb
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' collectd-5.1.0~/src/network.c collectd-5.1.0/src/network.c
+--- collectd-5.1.0~/src/network.c 2012-04-02 10:04:58.000000000 +0200
++++ collectd-5.1.0/src/network.c 2017-04-04 17:18:08.901258385 +0200
+@@ -998,14 +998,6 @@
+ buffer_len = *ret_buffer_len;
+ buffer_offset = 0;
+
+- if (se->data.server.userdb == NULL)
+- {
+- c_complain (LOG_NOTICE, &complain_no_users,
+- "network plugin: Received signed network packet but can't verify it "
+- "because no user DB has been configured. Will accept it.");
+- return (0);
+- }
+-
+ /* Check if the buffer has enough data for this structure. */
+ if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
+ return (-ENOMEM);
+@@ -1023,6 +1015,18 @@
+ return (-1);
+ }
+
++ if (se->data.server.userdb == NULL)
++ {
++ c_complain (LOG_NOTICE, &complain_no_users,
++ "network plugin: Received signed network packet but can't verify it "
++ "because no user DB has been configured Will accept it.");
++
++ *ret_buffer = buffer + pss_head_length;
++ *ret_buffer_len -= pss_head_length;
++
++ return (0);
++ }
++
+ /* Copy the hash. */
+ BUFFER_READ (pss.hash, sizeof (pss.hash));
+
--
2.30.2
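Review bot: The relocated `userdb == NULL` branch in the second inner hunk (`@@ -1023,6 +1015,18 @@`) uses `pss_head_length` for both `*ret_buffer = buffer + pss_head_length;` and `*ret_buffer_len -= pss_head_length;`, and nothing at that spot records why it has to sit after the length validation. The check that ends in `return (-1);` just above starts outside the hunk, so I am assuming it rejects a `pss_head_length` larger than `buffer_len`; please confirm, and add a comment such as `/* pss_head_length was validated above; skip the unverified signature part so the caller advances to the next part. */` so a later reorder does not bring back the endless loop or leave a wrong remaining length. The moved message also lost its full stop: the new string reads `"because no user DB has been configured Will accept it."` where the removed line had `configured. Will accept it.`. The dpatch header still says `## DP: No description.`; a one-line description naming CVE-2017-7401 would make the patch self-explanatory in the series.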