[PATCH] Security Advisory - collectd - CVE-2016-6254

From: Alexandru Moise <alexandru.moise@windriver.com>
To: <openembedded-devel@lists.openembedded.org>
Subject: [PATCH] Security Advisory - collectd - CVE-2016-6254
Date: Wed, 7 Sep 2016 12:34:11 +0300	[thread overview]
Message-ID: <1473240851-11368-1-git-send-email-alexandru.moise@windriver.com> (raw)

Heap-based buffer overflow in the parse_packet function in network.c in
collectd before 5.4.3 and 5.x before 5.5.2 allows remote attackers to
cause a denial of service (daemon crash) or possibly execute arbitrary
code via a crafted network packet.

Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
---
 .../collectd/collectd/CVE-2016-6254.patch          | 55 ++++++++++++++++++++++
 .../recipes-extended/collectd/collectd_5.5.0.bb    |  1 +
 2 files changed, 56 insertions(+)
 create mode 100644 meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch

diff --git a/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch b/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
new file mode 100644
index 0000000..bc85b4c
--- /dev/null
+++ b/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
@@ -0,0 +1,55 @@
+From dd8483a4beb6f61521d8b32c726523bbea21cd92 Mon Sep 17 00:00:00 2001
+From: Florian Forster <octo@collectd.org>
+Date: Tue, 19 Jul 2016 10:00:37 +0200
+Subject: [PATCH] network plugin: Fix heap overflow in parse_packet().
+
+Emilien Gaspar has identified a heap overflow in parse_packet(), the
+function used by the network plugin to parse incoming network packets.
+
+This is a vulnerability in collectd, though the scope is not clear at
+this point. At the very least specially crafted network packets can be
+used to crash the daemon. We can't rule out a potential remote code
+execution though.
+
+Fixes: CVE-2016-6254
+
+cherry picked from upstream commit b589096f
+
+Upstream Status: Backport
+
+Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
+---
+ src/network.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/network.c b/src/network.c
+index 551bd5c..cb979b2 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -1444,6 +1444,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
+ 				printed_ignore_warning = 1;
+ 			}
+ 			buffer = ((char *) buffer) + pkg_length;
++			buffer_size -= (size_t) pkg_length;
+ 			continue;
+ 		}
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1471,6 +1472,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
+ 				printed_ignore_warning = 1;
+ 			}
+ 			buffer = ((char *) buffer) + pkg_length;
++			buffer_size -= (size_t) pkg_length;
+ 			continue;
+ 		}
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1612,6 +1614,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
+ 			DEBUG ("network plugin: parse_packet: Unknown part"
+ 					" type: 0x%04hx", pkg_type);
+ 			buffer = ((char *) buffer) + pkg_length;
++			buffer_size -= (size_t) pkg_length;
+ 		}
+ 	} /* while (buffer_size > sizeof (part_header_t)) */
+ 
+-- 
+2.7.4
+
diff --git a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
index d7ba5b7..34edecf 100644
--- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
+++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
            file://collectd.service \
            file://0001-conditionally-check-libvirt.patch \
            file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
+           file://CVE-2016-6254.patch \
 "
 SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
 SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"
-- 
2.7.4


