
Re: Wheezy update of collectd?



Hi,

On Wed, Jul 27, 2016 at 10:40:13AM -0300, Lucas Kanashiro wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of collectd:
> https://security-tracker.debian.org/tracker/CVE-2016-6254

Wow, you guys are fast :-)

> But we want your opinion. Would you like to take care of this yourself?

I'm happy to take care of this myself. I'm already working on updates
for stable and unstable and was just about to reach out to you anyway.

Here's what I sent to the security team (who then pointed me to you for
wheezy):

On Wed, Jul 27, 2016 at 11:15:00AM +0200, Sebastian Harl wrote:
> I'm in the process of preparing security updates for collectd for the
> following issues:
> 
> https://bugs.debian.org/832507, CVE-2016-6254
> Heap overflow in the network plugin.
> Emilien Gaspar has identified a heap overflow in parse_packet(), the
> function used by the network plugin to parse incoming network packets.
> 
> The issue has been reported by private email to Florian Forster
> (collectd upstream maintainer). The CVE has not been published yet,
> except through the upstream commit and changelog:
> https://github.com/collectd/collectd/commit/b589096f907052b3a4da2b9ccc9b0e2e888dfc18
> https://collectd.org/news.shtml#news98
> 
> The scope of the vulnerability is not clear at this point. At the very
> least specially crafted network packets can be used to crash the daemon.
> We can't rule out a potential remote code execution.
> 
> https://bugs.debian.org/832577
> Improper usage of gcry_control in the network plugin.
> A team of security researchers at Columbia University and the University
> of Virginia discovered that GCrypt's gcry_control is sometimes called
> without checking its return value for an error. This may cause the
> program to be initialized without the desired, secure settings.
> 
> The issue has been reported via the upstream Github tracker:
> https://github.com/collectd/collectd/issues/1665
> 
> The upstream fixes can be found in these commits:
> https://github.com/collectd/collectd/commit/8b4fed9940e02138b7e273e56863df03d1a39ef7
> https://github.com/collectd/collectd/commit/a3000cbe3a12163148a28c818269bbdabda1cf5c
> (Changes to src/libcollectdclient/network_buffer.c only affect stable
> onwards but not oldstable.)
> 
> All versions in Debian, starting with 5.1.0-3 in oldstable, are affected
> by these issues.
> 
> I'm preparing updates for oldstable (wheezy), stable (jessie), and
> unstable.
> 
> Please find attached the debdiff for the wheezy source package. The
> other packages are still work in progress.
> 
> Do you want to see the final packages before upload?
> Does security.debian.org support source-only uploads?

Cheers,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin

diff -u collectd-5.1.0/debian/changelog collectd-5.1.0/debian/changelog
--- collectd-5.1.0/debian/changelog
+++ collectd-5.1.0/debian/changelog
@@ -1,3 +1,19 @@
+collectd (5.1.0-3+deb7u1) oldstable-security; urgency=high
+
+  * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network
+    plugin. Emilien Gaspar has identified a heap overflow in parse_packet(),
+    the function used by the network plugin to parse incoming network packets.
+    Thanks to Florian Forster for reporting the bug in Debian.
+    (Closes: #832507, CVE-2016-6254)
+  * debian/patches/bts832577-gcry-control.dpatch: Fix improper usage of
+    gcry_control. A team of security researchers at Columbia University and
+    the University of Virginia discovered that GCrypt's gcry_control is
+    sometimes called without checking its return value for an error. This may
+    cause the program to be initialized without the desired, secure settings.
+    (Closes: #832577)
+
+ -- Sebastian Harl <tokkee@debian.org>  Wed, 27 Jul 2016 10:14:42 +0200
+
 collectd (5.1.0-3) unstable; urgency=low
 
   * debian/patches/migrate-4-5-df.dpatch, debian/collectd-core.postinst:
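Review bot: the second changelog entry describes the gcry_control fix but does not record that the libcollectdclient part of the upstream commit (src/libcollectdclient/network_buffer.c) was deliberately left out because it does not apply to 5.1.0, which the cover mail states; one clause such as "network plugin only; the libcollectdclient change does not affect this version" would keep a future reader from mistaking the backport for an incomplete one.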
diff -u collectd-5.1.0/debian/patches/00list collectd-5.1.0/debian/patches/00list
--- collectd-5.1.0/debian/patches/00list
+++ collectd-5.1.0/debian/patches/00list
@@ -1,3 +1,5 @@
+CVE-2016-6254.dpatch
+bts832577-gcry-control.dpatch
 rrd_filter_path.dpatch
 collection_conf_path.dpatch
 bts559801_plugin_find_fix.dpatch
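Review bot: the two new patches are prepended to 00list rather than appended, so dpatch applies them before rrd_filter_path.dpatch, collection_conf_path.dpatch and bts559801_plugin_find_fix.dpatch; appending is the usual convention and keeps the series in chronological order. If prepending was deliberate because the new patches were generated against the pristine upstream tree, a short remark in the changelog entry would make that intent clear.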
only in patch2:
unchanged:
--- collectd-5.1.0.orig/debian/patches/CVE-2016-6254.dpatch
+++ collectd-5.1.0/debian/patches/CVE-2016-6254.dpatch
@@ -0,0 +1,47 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2016-6254.dpatch by Florian Forster <octo@collectd.org>
+##
+## DP: network plugin: Fix heap overflow in parse_packet().
+## DP:
+## DP: Emilien Gaspar has identified a heap overflow in parse_packet(), the
+## DP: function used by the network plugin to parse incoming network packets.
+## DP:
+## DP: This is a vulnerability in collectd, though the scope is not clear at
+## DP: this point. At the very least specially crafted network packets can be
+## DP: used to crash the daemon. We can't rule out a potential remote code
+## DP: execution though.
+## DP:
+## DP: Fixes: CVE-2016-6254
+## DP:
+## DP: Upstream commit:
+## DP: https://github.com/collectd/collectd/commit/b589096
+
+@DPATCH@
+
+diff a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -1392,6 +1392,7 @@
+ 				printed_ignore_warning = 1;
+ 			}
+ 			buffer = ((char *) buffer) + pkg_length;
++			buffer_size -= (size_t) pkg_length;
+ 			continue;
+ 		}
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1419,6 +1420,7 @@
+ 				printed_ignore_warning = 1;
+ 			}
+ 			buffer = ((char *) buffer) + pkg_length;
++			buffer_size -= (size_t) pkg_length;
+ 			continue;
+ 		}
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1560,6 +1562,7 @@
+ 			DEBUG ("network plugin: parse_packet: Unknown part"
+ 					" type: 0x%04hx", pkg_type);
+ 			buffer = ((char *) buffer) + pkg_length;
++			buffer_size -= (size_t) pkg_length;
+ 		}
+ 	} /* while (buffer_size > sizeof (part_header_t)) */
+ 
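Review bot: each added `buffer_size -= (size_t) pkg_length;` keeps the loop guard `while (buffer_size > sizeof (part_header_t))` in step with the advanced `buffer` pointer, which is the whole fix, but the unsigned subtraction is only safe if pkg_length has already been bounded against buffer_size earlier in the loop body (not visible in this hunk); an unchecked value would wrap buffer_size and let the loop keep reading past the packet. Worth confirming that parse_packet() in 5.1.0 performs that check before each of the three sites, as the upstream commit assumes, and the `## DP: Upstream commit:` line would be more useful with the full hash rather than the abbreviated b589096.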
only in patch2:
unchanged:
--- collectd-5.1.0.orig/debian/patches/bts832577-gcry-control.dpatch
+++ collectd-5.1.0/debian/patches/bts832577-gcry-control.dpatch
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## bts832577-gcry-control.dpatch by Florian Forster <octo@collectd.org>
+## Backported to 5.1.0 by Sebastian Harl <tokkee@debian.org>
+##
+## DP: network plugin, libcollectdclient: Check return value of gcry_control().
+##
+## Upstream commit:
+## https://github.com/collectd/collectd/commit/8b4fed99
+## Upstream report:
+## https://github.com/collectd/collectd/issues/1665
+
+@DPATCH@
+
+diff a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -3342,6 +3342,7 @@
+ static int network_init (void)
+ {
+ 	static _Bool have_init = 0;
++	gcry_error_t err;
+ 
+ 	/* Check if we were already initialized. If so, just return - there's
+ 	 * nothing more to do (for now, that is). */
+@@ -3350,8 +3351,18 @@
+ 	have_init = 1;
+ 
+ #if HAVE_LIBGCRYPT
+-	gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+-	gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
++	err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
++	if (err)
++	{
++		ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
++		return (-1);
++	}
++	err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
++	if (err)
++	{
++		ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err));
++		return (-1);
++	}
+ 	gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+ #endif
+ 
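Review bot: `have_init = 1;` is set before the gcry_control() calls, so when either call fails network_init() returns -1 but any later call takes the early "already initialized" return and never retries, and the unchanged context line `gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);` is still unchecked; consider moving `have_init = 1;` after the three calls succeed and testing the last one too. The `## DP:` description names libcollectdclient, yet this backport touches only src/network.c (the cover mail says the network_buffer.c change does not apply to oldstable), so trimming the description avoids suggesting the client library was patched; the two ERROR() lines also run well past 80 columns and could be wrapped.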
