Openembedded Devel Discussions
 help / color / mirror / Atom feed
From: Martin Jansa <martin.jansa@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: Re: [PATCH] Security Advisory - collectd - CVE-2016-6254
Date: Wed, 7 Sep 2016 12:32:56 +0200	[thread overview]
Message-ID: <20160907103256.GF2645@jama> (raw)
In-Reply-To: <1473240851-11368-1-git-send-email-alexandru.moise@windriver.com>

[-- Attachment #1: Type: text/plain, Size: 4086 bytes --]

On Wed, Sep 07, 2016 at 12:34:11PM +0300, Alexandru Moise wrote:
> Heap-based buffer overflow in the parse_packet function in network.c in
> collectd before 5.4.3 and 5.x before 5.5.2 allows remote attackers to
> cause a denial of service (daemon crash) or possibly execute arbitrary
> code via a crafted network packet.

The summary should start with component name:
http://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines

> 
> Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
> ---
>  .../collectd/collectd/CVE-2016-6254.patch          | 55 ++++++++++++++++++++++
>  .../recipes-extended/collectd/collectd_5.5.0.bb    |  1 +
>  2 files changed, 56 insertions(+)
>  create mode 100644 meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
> 
> diff --git a/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch b/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
> new file mode 100644
> index 0000000..bc85b4c
> --- /dev/null
> +++ b/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
> @@ -0,0 +1,55 @@
> +From dd8483a4beb6f61521d8b32c726523bbea21cd92 Mon Sep 17 00:00:00 2001
> +From: Florian Forster <octo@collectd.org>
> +Date: Tue, 19 Jul 2016 10:00:37 +0200
> +Subject: [PATCH] network plugin: Fix heap overflow in parse_packet().
> +
> +Emilien Gaspar has identified a heap overflow in parse_packet(), the
> +function used by the network plugin to parse incoming network packets.
> +
> +This is a vulnerability in collectd, though the scope is not clear at
> +this point. At the very least specially crafted network packets can be
> +used to crash the daemon. We can't rule out a potential remote code
> +execution though.
> +
> +Fixes: CVE-2016-6254
> +
> +cherry picked from upstream commit b589096f
> +
> +Upstream Status: Backport
> +
> +Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
> +---
> + src/network.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/src/network.c b/src/network.c
> +index 551bd5c..cb979b2 100644
> +--- a/src/network.c
> ++++ b/src/network.c
> +@@ -1444,6 +1444,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
> + 				printed_ignore_warning = 1;
> + 			}
> + 			buffer = ((char *) buffer) + pkg_length;
> ++			buffer_size -= (size_t) pkg_length;
> + 			continue;
> + 		}
> + #endif /* HAVE_LIBGCRYPT */
> +@@ -1471,6 +1472,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
> + 				printed_ignore_warning = 1;
> + 			}
> + 			buffer = ((char *) buffer) + pkg_length;
> ++			buffer_size -= (size_t) pkg_length;
> + 			continue;
> + 		}
> + #endif /* HAVE_LIBGCRYPT */
> +@@ -1612,6 +1614,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
> + 			DEBUG ("network plugin: parse_packet: Unknown part"
> + 					" type: 0x%04hx", pkg_type);
> + 			buffer = ((char *) buffer) + pkg_length;
> ++			buffer_size -= (size_t) pkg_length;
> + 		}
> + 	} /* while (buffer_size > sizeof (part_header_t)) */
> + 
> +-- 
> +2.7.4
> +
> diff --git a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> index d7ba5b7..34edecf 100644
> --- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> +++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> @@ -13,6 +13,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
>             file://collectd.service \
>             file://0001-conditionally-check-libvirt.patch \
>             file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
> +           file://CVE-2016-6254.patch \
>  "
>  SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
>  SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"
> -- 
> 2.7.4
> 
> -- 
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 169 bytes --]

      reply	other threads:[~2016-09-07 10:33 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-09-07  9:34 [PATCH] Security Advisory - collectd - CVE-2016-6254 Alexandru Moise
2016-09-07 10:32 ` Martin Jansa [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160907103256.GF2645@jama \
    --to=martin.jansa@gmail.com \
    --cc=openembedded-devel@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox