* [meta-oe][PATCH] collectd: CVE-2017-7401
@ 2017-04-24  9:05 Zhixiong Chi
From: Zhixiong Chi @ 2017-04-24  9:05 UTC
  To: openembedded-devel

Incorrect interaction of the parse_packet() and parse_part_sign_sha256() functions
in network.c in collectd 5.7.1 and earlier allows remote attackers to cause a
denial of service (infinite loop) of a collectd instance (configured with
"SecurityLevel None" and with empty "AuthFile" options) via a crafted UDP packet.

Backport upstream patch from https://github.com/collectd/collectd/
commit f6be4f9b49b949b379326c3d7002476e6ce4f211

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 .../collectd/collectd/collectd-CVE-2017-7401.patch | 54 ++++++++++++++++++++++
 .../recipes-extended/collectd/collectd_5.5.0.bb    |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch

diff --git a/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
new file mode 100644
index 0000000..9dc975e
--- /dev/null
+++ b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
@@ -0,0 +1,54 @@
+
+network plugin: Fix endless loop DOS in parse_packet()
+
+When correct 'Signature part' is received by Collectd, configured without
+AuthFile option, condition for endless loop occurs due to missing increase
+of pointer to next unprocessed part.
+
+This is a forward-port of #2233.
+
+Fixes: CVE-2017-7401
+Closes: #2174
+
+CVE: CVE-2017-7401
+
+Upstream-States: Backport
+
+Signed-off-by: Florian Forster <octo@collectd.org>
+
+diff --git a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -1050,14 +1050,6 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
+   buffer_len = *ret_buffer_len;
+   buffer_offset = 0;
+ 
+-  if (se->data.server.userdb == NULL)
+-  {
+-    c_complain (LOG_NOTICE, &complain_no_users,
+-        "network plugin: Received signed network packet but can't verify it "
+-        "because no user DB has been configured. Will accept it.");
+-    return (0);
+-  }
+-
+   /* Check if the buffer has enough data for this structure. */
+   if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
+     return (-ENOMEM);
+@@ -1027,6 +1019,17 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
+     return (-1);
+   }
+ 
++  if (se->data.server.userdb == NULL) {
++    c_complain(LOG_NOTICE, &complain_no_users,
++        "network plugin: Received signed network packet but can't verify it "
++        "because no user DB has been configured. Will accept it.");
++
++    *ret_buffer = buffer + pss_head_length;
++    *ret_buffer_len -= pss_head_length;
++
++    return (0);
++  }
++
+   /* Copy the hash. */
+   BUFFER_READ(pss.hash, sizeof(pss.hash));
+ 
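Review bot: the `Upstream-States: Backport` line in the new patch file's header misspells the tag; it should read `Upstream-Status: Backport`, which is the tag OpenEmbedded patch headers use. The two embedded src/network.c hunks are also listed in descending order (`@@ -1050,14 +1050,6 @@` before `@@ -1027,6 +1019,17 @@`), which suggests the headers were edited by hand; regenerating the patch against the 5.5.0 sources that collectd_5.5.0.bb builds would show whether it applies cleanly there.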
diff --git a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
index 59732db..e325835 100644
--- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
+++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
            file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
            file://CVE-2016-6254.patch \
            file://0001-fix-to-build-with-glibc-2.25.patch \
+           file://collectd-CVE-2017-7401.patch \
 "
 SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
 SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"
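Review bot: the new SRC_URI entry `file://collectd-CVE-2017-7401.patch` does not follow the naming of the existing `file://CVE-2016-6254.patch` two lines above it; naming the file `CVE-2017-7401.patch` would keep the CVE patches in this recipe consistent and easy to grep for.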
-- 
1.9.1
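
The failure mode described in the commit message, as an added example that is not part of the original post and not collectd's code: a simplified part loop in which the signature handler either leaves the cursor untouched (pre-patch) or steps past the part (patched), with a progress guard in the caller that turns a non-advancing handler into a parse error. The names `parse_packet_model` and `parse_sign_part`, the 4-byte header layout and the `SAMPLE` bytes are assumptions made for this model.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model, not collectd's code: each part is a 4-byte header
 * (16-bit type, 16-bit total length, big-endian) followed by a payload. */
#define PART_HDR 4
#define TYPE_SIGN 0x0200 /* signature part type in this model */

/* Models the "no user DB configured" branch: accept the part unverified. */
static int parse_sign_part(const uint8_t **buf, size_t *len, size_t part_len,
                           int fixed) {
  if (fixed) { /* patched: step past the part before returning success */
    *buf += part_len;
    *len -= part_len;
  }
  return 0; /* pre-patch: success reported, cursor left where it was */
}

/* Returns the number of parts consumed, or -1 on malformed input or when a
 * handler reports success without consuming any bytes. */
int parse_packet_model(const uint8_t *buf, size_t len, int fixed) {
  int parts = 0;
  while (len >= PART_HDR) {
    size_t before = len;
    uint16_t type = (uint16_t)((buf[0] << 8) | buf[1]);
    size_t part_len = (size_t)((buf[2] << 8) | buf[3]);
    if (part_len < PART_HDR || part_len > len)
      return -1; /* length must cover the header and fit the buffer */
    if (type == TYPE_SIGN) {
      if (parse_sign_part(&buf, &len, part_len, fixed) != 0)
        return -1;
    } else { /* any other part type: skip it */
      buf += part_len;
      len -= part_len;
    }
    if (len >= before)
      return -1; /* progress guard: without it this loop never ends */
    parts++;
  }
  return len == 0 ? parts : -1;
}

/* Constructed sample: one 8-byte signature part, then one 6-byte part. */
const uint8_t SAMPLE[] = {0x02, 0x00, 0x00, 0x08, 0xaa, 0xbb, 0xcc,
                          0xdd, 0x00, 0x01, 0x00, 0x06, 0x01, 0x02};
/* Constructed sample: length field (3) smaller than the header itself. */
const uint8_t SHORT_LEN[] = {0x00, 0x01, 0x00, 0x03};
```
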




* Re: [meta-oe][PATCH] collectd: CVE-2017-7401
From: Martin Jansa @ 2017-04-24  9:22 UTC
  To: Zhixiong Chi; +Cc: openembedded-devel


On Mon, Apr 24, 2017 at 05:05:04PM +0800, Zhixiong Chi wrote:
> Incorrect interaction of the parse_packet() and parse_part_sign_sha256() functions
> in network.c in collectd 5.7.1 and earlier allows remote attackers to cause a
> denial of service (infinite loop) of a collectd instance (configured with
> "SecurityLevel None" and with empty "AuthFile" options) via a crafted UDP packet.
> 
> Backport upstream patch from https://github.com/collectd/collectd/
> commit f6be4f9b49b949b379326c3d7002476e6ce4f211

There is already upgrade to 5.7.1 by khem in master-next:

commit e73fa36f014bef43b5036dc90ea0d6835d704473
Author: Khem Raj <raj.khem@gmail.com>
Date:   Sun Apr 23 22:20:47 2017 -0700

    collectd: Upgrade to 5.7.1

> 
> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> ---
>  .../collectd/collectd/collectd-CVE-2017-7401.patch | 54 ++++++++++++++++++++++
>  .../recipes-extended/collectd/collectd_5.5.0.bb    |  1 +
>  2 files changed, 55 insertions(+)
>  create mode 100644 meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
> 
> diff --git a/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
> new file mode 100644
> index 0000000..9dc975e
> --- /dev/null
> +++ b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
> @@ -0,0 +1,54 @@
> +
> +network plugin: Fix endless loop DOS in parse_packet()
> +
> +When correct 'Signature part' is received by Collectd, configured without
> +AuthFile option, condition for endless loop occurs due to missing increase
> +of pointer to next unprocessed part.
> +
> +This is a forward-port of #2233.
> +
> +Fixes: CVE-2017-7401
> +Closes: #2174
> +
> +CVE: CVE-2017-7401
> +
> +Upstream-States: Backport
> +
> +Signed-off-by: Florian Forster <octo@collectd.org>
> +
> +diff --git a/src/network.c b/src/network.c
> +--- a/src/network.c
> ++++ b/src/network.c
> +@@ -1050,14 +1050,6 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
> +   buffer_len = *ret_buffer_len;
> +   buffer_offset = 0;
> + 
> +-  if (se->data.server.userdb == NULL)
> +-  {
> +-    c_complain (LOG_NOTICE, &complain_no_users,
> +-        "network plugin: Received signed network packet but can't verify it "
> +-        "because no user DB has been configured. Will accept it.");
> +-    return (0);
> +-  }
> +-
> +   /* Check if the buffer has enough data for this structure. */
> +   if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
> +     return (-ENOMEM);
> +@@ -1027,6 +1019,17 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
> +     return (-1);
> +   }
> + 
> ++  if (se->data.server.userdb == NULL) {
> ++    c_complain(LOG_NOTICE, &complain_no_users,
> ++        "network plugin: Received signed network packet but can't verify it "
> ++        "because no user DB has been configured. Will accept it.");
> ++
> ++    *ret_buffer = buffer + pss_head_length;
> ++    *ret_buffer_len -= pss_head_length;
> ++
> ++    return (0);
> ++  }
> ++
> +   /* Copy the hash. */
> +   BUFFER_READ(pss.hash, sizeof(pss.hash));
> + 
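Review bot: in the relocated `userdb == NULL` branch, `*ret_buffer_len -= pss_head_length;` is only safe if `pss_head_length` has already been bounded against the remaining buffer, and the only evidence of that here is the tail of a check (`return (-1);`) in the context lines just above. Please confirm that the 5.5.0 source validates `pss_head_length` before this point, since the hunk was written for a newer tree and an unchecked subtraction would wrap the length.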
> diff --git a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> index 59732db..e325835 100644
> --- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> +++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> @@ -15,6 +15,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
>             file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
>             file://CVE-2016-6254.patch \
>             file://0001-fix-to-build-with-glibc-2.25.patch \
> +           file://collectd-CVE-2017-7401.patch \
>  "
>  SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
>  SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"
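Review bot: this hunk adds the patch to collectd_5.5.0.bb only, while the reply notes that master-next already carries an upgrade to 5.7.1 and the commit message states that 5.7.1 and earlier are affected. The fix therefore still needs to be carried on top of the 5.7.1 recipe; rebasing the SRC_URI addition onto that recipe would keep the CVE covered after the upgrade lands.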
> -- 
> 1.9.1
> 

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

