[oe] [meta-oe][PATCH] collectd: CVE-2017-7401
Martin Jansa
martin.jansa at gmail.com
Mon Apr 24 09:22:02 UTC 2017
On Mon, Apr 24, 2017 at 05:05:04PM +0800, Zhixiong Chi wrote:
> Incorrect interaction of the parse_packet() and parse_part_sign_sha256() functions
> in network.c in collectd 5.7.1 and earlier allows remote attackers to cause a
> denial of service (infinite loop) of a collectd instance (configured with
> "SecurityLevel None" and with empty "AuthFile" options) via a crafted UDP packet.
>
> Backport upstream patch from https://github.com/collectd/collectd/
> commit f6be4f9b49b949b379326c3d7002476e6ce4f211
There is already an upgrade to 5.7.1 by khem in master-next:
commit e73fa36f014bef43b5036dc90ea0d6835d704473
Author: Khem Raj <raj.khem at gmail.com>
Date: Sun Apr 23 22:20:47 2017 -0700
collectd: Upgrade to 5.7.1
>
> Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
> ---
> .../collectd/collectd/collectd-CVE-2017-7401.patch | 54 ++++++++++++++++++++++
> .../recipes-extended/collectd/collectd_5.5.0.bb | 1 +
> 2 files changed, 55 insertions(+)
> create mode 100644 meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
>
> diff --git a/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
> new file mode 100644
> index 0000000..9dc975e
> --- /dev/null
> +++ b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
> @@ -0,0 +1,54 @@
> +
> +network plugin: Fix endless loop DOS in parse_packet()
> +
> +When correct 'Signature part' is received by Collectd, configured without
> +AuthFile option, condition for endless loop occurs due to missing increase
> +of pointer to next unprocessed part.
> +
> +This is a forward-port of #2233.
> +
> +Fixes: CVE-2017-7401
> +Closes: #2174
> +
> +CVE: CVE-2017-7401
> +
> +Upstream-States: Backport
> +
> +Signed-off-by: Florian Forster <octo at collectd.org>
> +
> +diff --git a/src/network.c b/src/network.c
> +--- a/src/network.c
> ++++ b/src/network.c
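Review bot: the tag in the embedded patch header reads "Upstream-States: Backport", but the OE tag is "Upstream-Status:", so as written the patch carries no recognised upstream status. Suggest "Upstream-Status: Backport" followed by a reference to the upstream commit already named in the cover text (f6be4f9b49b949b379326c3d7002476e6ce4f211), so the origin is recorded in the patch file itself.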
> +@@ -1050,14 +1050,6 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
> + buffer_len = *ret_buffer_len;
> + buffer_offset = 0;
> +
> +- if (se->data.server.userdb == NULL)
> +- {
> +- c_complain (LOG_NOTICE, &complain_no_users,
> +- "network plugin: Received signed network packet but can't verify it "
> +- "because no user DB has been configured. Will accept it.");
> +- return (0);
> +- }
> +-
> + /* Check if the buffer has enough data for this structure. */
> + if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
> + return (-ENOMEM);
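Review bot: the header of this hunk, "@@ -1050,14 +1050,6 @@", does not agree with the one that follows, "@@ -1027,6 +1019,17 @@". The hunks are in descending line order, and the 8-line offset in the second header implies the 8-line removal here sits above line 1027, not at 1050. The headers look partly hand-edited. Please regenerate the diff against the unpacked 5.5.0 src/network.c and confirm it applies in do_patch without offset or fuzz.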
> +@@ -1027,6 +1019,17 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
> + return (-1);
> + }
> +
> ++ if (se->data.server.userdb == NULL) {
> ++ c_complain(LOG_NOTICE, &complain_no_users,
> ++ "network plugin: Received signed network packet but can't verify it "
> ++ "because no user DB has been configured. Will accept it.");
> ++
> ++ *ret_buffer = buffer + pss_head_length;
> ++ *ret_buffer_len -= pss_head_length;
> ++
> ++ return (0);
> ++ }
> ++
> + /* Copy the hash. */
> + BUFFER_READ(pss.hash, sizeof(pss.hash));
> +
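Review bot: in the added block, "*ret_buffer_len -= pss_head_length;" is only safe if pss_head_length has already been validated against the remaining buffer length, and the visible context shows only the tail of a preceding check ("return (-1);" and its closing brace). Please confirm that in the 5.5.0 source this block lands after that length validation and before the hash is read. The added lines use the "c_complain(" style while the lines removed above use "c_complain (", so they come from a differently formatted tree, and a misplaced insert would leave the length subtraction unguarded.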
> diff --git a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> index 59732db..e325835 100644
> --- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> +++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> @@ -15,6 +15,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
> file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
> file://CVE-2016-6254.patch \
> file://0001-fix-to-build-with-glibc-2.25.patch \
> + file://collectd-CVE-2017-7401.patch \
> "
> SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
> SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"
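Review bot: this SRC_URI entry is added to collectd_5.5.0.bb, while the reply points to a 5.7.1 upgrade already in master-next (e73fa36f014bef43b5036dc90ea0d6835d704473). The description at the top of the submission states that 5.7.1 and earlier are affected, so the entry should be rebased onto the upgraded recipe, with the patch refreshed against the 5.7.1 sources, rather than applied to the 5.5.0 recipe.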
> --
> 1.9.1
--
Martin 'JaMa' Jansa jabber: Martin.Jansa at gmail.com