[oe] [meta-oe][PATCH] collectd: CVE-2017-7401
Zhixiong Chi
zhixiong.chi at windriver.com
Mon Apr 24 09:05:04 UTC 2017
Incorrect interaction of the parse_packet() and parse_part_sign_sha256() functions
in network.c in collectd 5.7.1 and earlier allows remote attackers to cause a
denial of service (infinite loop) of a collectd instance (configured with
"SecurityLevel None" and with empty "AuthFile" options) via a crafted UDP packet.
Backport upstream patch from https://github.com/collectd/collectd/
commit f6be4f9b49b949b379326c3d7002476e6ce4f211
Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
---
.../collectd/collectd/collectd-CVE-2017-7401.patch | 54 ++++++++++++++++++++++
.../recipes-extended/collectd/collectd_5.5.0.bb | 1 +
2 files changed, 55 insertions(+)
create mode 100644 meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
diff --git a/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
new file mode 100644
index 0000000..9dc975e
--- /dev/null
+++ b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
@@ -0,0 +1,54 @@
+
+network plugin: Fix endless loop DOS in parse_packet()
+
+When correct 'Signature part' is received by Collectd, configured without
+AuthFile option, condition for endless loop occurs due to missing increase
+of pointer to next unprocessed part.
+
+This is a forward-port of #2233.
+
+Fixes: CVE-2017-7401
+Closes: #2174
+
+CVE: CVE-2017-7401
+
+Upstream-States: Backport
+
+Signed-off-by: Florian Forster <octo at collectd.org>
+
+diff --git a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -1050,14 +1050,6 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
+ buffer_len = *ret_buffer_len;
+ buffer_offset = 0;
+
+- if (se->data.server.userdb == NULL)
+- {
+- c_complain (LOG_NOTICE, &complain_no_users,
+- "network plugin: Received signed network packet but can't verify it "
+- "because no user DB has been configured. Will accept it.");
+- return (0);
+- }
+-
+ /* Check if the buffer has enough data for this structure. */
+ if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
+ return (-ENOMEM);
+@@ -1027,6 +1019,17 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
+ return (-1);
+ }
+
++ if (se->data.server.userdb == NULL) {
++ c_complain(LOG_NOTICE, &complain_no_users,
++ "network plugin: Received signed network packet but can't verify it "
++ "because no user DB has been configured. Will accept it.");
++
++ *ret_buffer = buffer + pss_head_length;
++ *ret_buffer_len -= pss_head_length;
++
++ return (0);
++ }
++
+ /* Copy the hash. */
+ BUFFER_READ(pss.hash, sizeof(pss.hash));
+
diff --git a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
index 59732db..e325835 100644
--- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
+++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
file://CVE-2016-6254.patch \
file://0001-fix-to-build-with-glibc-2.25.patch \
+ file://collectd-CVE-2017-7401.patch \
"
SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"
--
1.9.1
More information about the Openembedded-devel
mailing list