* [meta-oe][PATCH] collectd: CVE-2017-7401
@ 2017-04-24 9:05 Zhixiong Chi
From: Zhixiong Chi @ 2017-04-24 9:05 UTC (permalink / raw)
To: openembedded-devel
Incorrect interaction of the parse_packet() and parse_part_sign_sha256() functions
in network.c in collectd 5.7.1 and earlier allows remote attackers to cause a
denial of service (infinite loop) of a collectd instance (configured with
"SecurityLevel None" and with empty "AuthFile" options) via a crafted UDP packet.
Backport upstream patch from https://github.com/collectd/collectd/
commit f6be4f9b49b949b379326c3d7002476e6ce4f211
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
.../collectd/collectd/collectd-CVE-2017-7401.patch | 54 ++++++++++++++++++++++
.../recipes-extended/collectd/collectd_5.5.0.bb | 1 +
2 files changed, 55 insertions(+)
create mode 100644 meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
diff --git a/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
new file mode 100644
index 0000000..9dc975e
--- /dev/null
+++ b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
@@ -0,0 +1,54 @@
+
+network plugin: Fix endless loop DOS in parse_packet()
+
+When correct 'Signature part' is received by Collectd, configured without
+AuthFile option, condition for endless loop occurs due to missing increase
+of pointer to next unprocessed part.
+
+This is a forward-port of #2233.
+
+Fixes: CVE-2017-7401
+Closes: #2174
+
+CVE: CVE-2017-7401
+
+Upstream-States: Backport
+
+Signed-off-by: Florian Forster <octo@collectd.org>
+
+diff --git a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -1050,14 +1050,6 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
+ buffer_len = *ret_buffer_len;
+ buffer_offset = 0;
+
+- if (se->data.server.userdb == NULL)
+- {
+- c_complain (LOG_NOTICE, &complain_no_users,
+- "network plugin: Received signed network packet but can't verify it "
+- "because no user DB has been configured. Will accept it.");
+- return (0);
+- }
+-
+ /* Check if the buffer has enough data for this structure. */
+ if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
+ return (-ENOMEM);
+@@ -1027,6 +1019,17 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
+ return (-1);
+ }
+
++ if (se->data.server.userdb == NULL) {
++ c_complain(LOG_NOTICE, &complain_no_users,
++ "network plugin: Received signed network packet but can't verify it "
++ "because no user DB has been configured. Will accept it.");
++
++ *ret_buffer = buffer + pss_head_length;
++ *ret_buffer_len -= pss_head_length;
++
++ return (0);
++ }
++
+ /* Copy the hash. */
+ BUFFER_READ(pss.hash, sizeof(pss.hash));
+
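Review bot: The embedded patch header spells the tag as "Upstream-States: Backport"; the OpenEmbedded tag is "Upstream-Status", so tooling that searches patch headers for Upstream-Status will not find it. Please change the line to "Upstream-Status: Backport" and consider recording the upstream commit named in the cover text (f6be4f9b49b949b379326c3d7002476e6ce4f211) next to it, so the patch file documents its origin by itself.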
diff --git a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
index 59732db..e325835 100644
--- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
+++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
file://CVE-2016-6254.patch \
file://0001-fix-to-build-with-glibc-2.25.patch \
+ file://collectd-CVE-2017-7401.patch \
"
SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"
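Review bot: The new SRC_URI entry "file://collectd-CVE-2017-7401.patch" does not follow the naming of the existing CVE patch two lines above it, "file://CVE-2016-6254.patch". Consider naming the file CVE-2017-7401.patch so that the CVE fixes carried by this recipe are listed consistently.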
--
1.9.1
* Re: [meta-oe][PATCH] collectd: CVE-2017-7401
@ 2017-04-24 9:22 ` Martin Jansa
From: Martin Jansa @ 2017-04-24 9:22 UTC (permalink / raw)
To: Zhixiong Chi; +Cc: openembedded-devel
On Mon, Apr 24, 2017 at 05:05:04PM +0800, Zhixiong Chi wrote:
> Incorrect interaction of the parse_packet() and parse_part_sign_sha256() functions
> in network.c in collectd 5.7.1 and earlier allows remote attackers to cause a
> denial of service (infinite loop) of a collectd instance (configured with
> "SecurityLevel None" and with empty "AuthFile" options) via a crafted UDP packet.
>
> Backport upstream patch from https://github.com/collectd/collectd/
> commit f6be4f9b49b949b379326c3d7002476e6ce4f211
There is already an upgrade to 5.7.1 by khem in master-next:
commit e73fa36f014bef43b5036dc90ea0d6835d704473
Author: Khem Raj <raj.khem@gmail.com>
Date: Sun Apr 23 22:20:47 2017 -0700
collectd: Upgrade to 5.7.1
>
> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> ---
> .../collectd/collectd/collectd-CVE-2017-7401.patch | 54 ++++++++++++++++++++++
> .../recipes-extended/collectd/collectd_5.5.0.bb | 1 +
> 2 files changed, 55 insertions(+)
> create mode 100644 meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
>
> diff --git a/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
> new file mode 100644
> index 0000000..9dc975e
> --- /dev/null
> +++ b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
> @@ -0,0 +1,54 @@
> +
> +network plugin: Fix endless loop DOS in parse_packet()
> +
> +When correct 'Signature part' is received by Collectd, configured without
> +AuthFile option, condition for endless loop occurs due to missing increase
> +of pointer to next unprocessed part.
> +
> +This is a forward-port of #2233.
> +
> +Fixes: CVE-2017-7401
> +Closes: #2174
> +
> +CVE: CVE-2017-7401
> +
> +Upstream-States: Backport
> +
> +Signed-off-by: Florian Forster <octo@collectd.org>
> +
> +diff --git a/src/network.c b/src/network.c
> +--- a/src/network.c
> ++++ b/src/network.c
> +@@ -1050,14 +1050,6 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
> + buffer_len = *ret_buffer_len;
> + buffer_offset = 0;
> +
> +- if (se->data.server.userdb == NULL)
> +- {
> +- c_complain (LOG_NOTICE, &complain_no_users,
> +- "network plugin: Received signed network packet but can't verify it "
> +- "because no user DB has been configured. Will accept it.");
> +- return (0);
> +- }
> +-
> + /* Check if the buffer has enough data for this structure. */
> + if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
> + return (-ENOMEM);
> +@@ -1027,6 +1019,17 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
> + return (-1);
> + }
> +
> ++ if (se->data.server.userdb == NULL) {
> ++ c_complain(LOG_NOTICE, &complain_no_users,
> ++ "network plugin: Received signed network packet but can't verify it "
> ++ "because no user DB has been configured. Will accept it.");
> ++
> ++ *ret_buffer = buffer + pss_head_length;
> ++ *ret_buffer_len -= pss_head_length;
> ++
> ++ return (0);
> ++ }
> ++
> + /* Copy the hash. */
> + BUFFER_READ(pss.hash, sizeof(pss.hash));
> +
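Review bot: In the embedded src/network.c diff the hunk headers are out of order: "@@ -1050,14 +1050,6 @@" comes before "@@ -1027,6 +1019,17 @@", and the second header's shift from 1027 to 1019 already accounts for the eight lines the first hunk removes, so the first header's line numbers look hand-edited. Please regenerate the patch against the 5.5.0 source so it applies without relying on offsets. Separately, the relocated early return advances *ret_buffer by pss_head_length, and the context shows only the tail of a preceding check ("return (-1);"), so please confirm that pss_head_length is bounded against buffer_len before this point in the 5.5.0 tree.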
> diff --git a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> index 59732db..e325835 100644
> --- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> +++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
> @@ -15,6 +15,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
> file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
> file://CVE-2016-6254.patch \
> file://0001-fix-to-build-with-glibc-2.25.patch \
> + file://collectd-CVE-2017-7401.patch \
> "
> SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
> SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"
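Review bot: This hunk adds the fix to collectd_5.5.0.bb, while the reply points to a pending upgrade to 5.7.1 and the description states that 5.7.1 and earlier are affected. If the upgrade lands first, rebase the SRC_URI entry onto the 5.7.1 recipe instead of dropping the patch, unless that upgrade already includes upstream commit f6be4f9b49b949b379326c3d7002476e6ce4f211.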
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com