From: Martin Jansa <martin.jansa@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: Re: [PATCH] Security Advisory - collectd - CVE-2016-6254
Date: Wed, 7 Sep 2016 12:32:56 +0200 [thread overview]
Message-ID: <20160907103256.GF2645@jama> (raw)
In-Reply-To: <1473240851-11368-1-git-send-email-alexandru.moise@windriver.com>
[-- Attachment #1: Type: text/plain, Size: 4086 bytes --]
On Wed, Sep 07, 2016 at 12:34:11PM +0300, Alexandru Moise wrote:
> Heap-based buffer overflow in the parse_packet function in network.c in
> collectd before 5.4.3 and 5.x before 5.5.2 allows remote attackers to
> cause a denial of service (daemon crash) or possibly execute arbitrary
> code via a crafted network packet.
The summary should start with component name:
http://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
>
> Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
> ---
> .../collectd/collectd/CVE-2016-6254.patch | 55 ++++++++++++++++++++++
> .../recipes-extended/collectd/collectd_5.5.0.bb | 1 +
> 2 files changed, 56 insertions(+)
> create mode 100644 meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
>
> diff --git a/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch b/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
> new file mode 100644
> index 0000000..bc85b4c
> --- /dev/null
> +++ b/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
> @@ -0,0 +1,55 @@
> +From dd8483a4beb6f61521d8b32c726523bbea21cd92 Mon Sep 17 00:00:00 2001
> +From: Florian Forster <octo@collectd.org>
> +Date: Tue, 19 Jul 2016 10:00:37 +0200
> +Subject: [PATCH] network plugin: Fix heap overflow in parse_packet().
> +
> +Emilien Gaspar has identified a heap overflow in parse_packet(), the
> +function used by the network plugin to parse incoming network packets.
> +
> +This is a vulnerability in collectd, though the scope is not clear at
> +this point. At the very least specially crafted network packets can be
> +used to crash the daemon. We can't rule out a potential remote code
> +execution though.
> +
> +Fixes: CVE-2016-6254
> +
> +cherry picked from upstream commit b589096f
> +
> +Upstream Status: Backport
> +
> +Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
> +---
> + src/network.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/src/network.c b/src/network.c
> +index 551bd5c..cb979b2 100644
> +--- a/src/network.c
> ++++ b/src/network.c
> +@@ -1444,6 +1444,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
> + printed_ignore_warning = 1;
> + }
> + buffer = ((char *) buffer) + pkg_length;
> ++ buffer_size -= (size_t) pkg_length;
> + continue;
> + }
> + #endif /* HAVE_LIBGCRYPT */
> +@@ -1471,6 +1472,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
> + printed_ignore_warning = 1;
> + }
> + buffer = ((char *) buffer) + pkg_length;
> ++ buffer_size -= (size_t) pkg_length;
> + continue;
> + }
> + #endif /* HAVE_LIBGCRYPT */
> +@@ -1612,6 +1614,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
> + DEBUG ("network plugin: parse_packet: Unknown part"
> + " type: 0x%04hx", pkg_type);
> + buffer = ((char *) buffer) + pkg_length;
> ++ buffer_size -= (size_t) pkg_length;
> + }
> + } /* while (buffer_size > sizeof (part_header_t)) */
> +
> +--
> +2.7.4
> +
> diff --git a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> index d7ba5b7..34edecf 100644
> --- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> +++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> @@ -13,6 +13,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
> file://collectd.service \
> file://0001-conditionally-check-libvirt.patch \
> file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
> + file://CVE-2016-6254.patch \
> "
> SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
> SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"
> --
> 2.7.4
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 169 bytes --]
prev parent reply other threads:[~2016-09-07 10:33 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-07 9:34 [PATCH] Security Advisory - collectd - CVE-2016-6254 Alexandru Moise
2016-09-07 10:32 ` Martin Jansa [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160907103256.GF2645@jama \
--to=martin.jansa@gmail.com \
--cc=openembedded-devel@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox