[oe] [PATCH] Security Advisory - collectd - CVE-2016-6254
Alexandru Moise
alexandru.moise at windriver.com
Wed Sep 7 09:34:11 UTC 2016
Heap-based buffer overflow in the parse_packet function in network.c in
collectd before 5.4.3 and 5.x before 5.5.2 allows remote attackers to
cause a denial of service (daemon crash) or possibly execute arbitrary
code via a crafted network packet.
Signed-off-by: Alexandru Moise <alexandru.moise at windriver.com>
---
.../collectd/collectd/CVE-2016-6254.patch | 55 ++++++++++++++++++++++
.../recipes-extended/collectd/collectd_5.5.0.bb | 1 +
2 files changed, 56 insertions(+)
create mode 100644 meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
diff --git a/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch b/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
new file mode 100644
index 0000000..bc85b4c
--- /dev/null
+++ b/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
@@ -0,0 +1,55 @@
+From dd8483a4beb6f61521d8b32c726523bbea21cd92 Mon Sep 17 00:00:00 2001
+From: Florian Forster <octo at collectd.org>
+Date: Tue, 19 Jul 2016 10:00:37 +0200
+Subject: [PATCH] network plugin: Fix heap overflow in parse_packet().
+
+Emilien Gaspar has identified a heap overflow in parse_packet(), the
+function used by the network plugin to parse incoming network packets.
+
+This is a vulnerability in collectd, though the scope is not clear at
+this point. At the very least specially crafted network packets can be
+used to crash the daemon. We can't rule out a potential remote code
+execution though.
+
+Fixes: CVE-2016-6254
+
+cherry picked from upstream commit b589096f
+
+Upstream Status: Backport
+
+Signed-off-by: Alexandru Moise <alexandru.moise at windriver.com>
+---
+ src/network.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/network.c b/src/network.c
+index 551bd5c..cb979b2 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -1444,6 +1444,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
+ printed_ignore_warning = 1;
+ }
+ buffer = ((char *) buffer) + pkg_length;
++ buffer_size -= (size_t) pkg_length;
+ continue;
+ }
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1471,6 +1472,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
+ printed_ignore_warning = 1;
+ }
+ buffer = ((char *) buffer) + pkg_length;
++ buffer_size -= (size_t) pkg_length;
+ continue;
+ }
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1612,6 +1614,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
+ DEBUG ("network plugin: parse_packet: Unknown part"
+ " type: 0x%04hx", pkg_type);
+ buffer = ((char *) buffer) + pkg_length;
++ buffer_size -= (size_t) pkg_length;
+ }
+ } /* while (buffer_size > sizeof (part_header_t)) */
+
+--
+2.7.4
+
diff --git a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
index d7ba5b7..34edecf 100644
--- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
+++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
file://collectd.service \
file://0001-conditionally-check-libvirt.patch \
file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
+ file://CVE-2016-6254.patch \
"
SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"
--
2.7.4
More information about the Openembedded-devel
mailing list