Hi,

On Thu, Jul 28, 2016 at 11:08:46AM -0300, Lucas Kanashiro wrote:
> On 07/27/2016 11:16 AM, Sebastian Harl wrote:
> > On Wed, Jul 27, 2016 at 04:14:25PM +0200, Sebastian Harl wrote:
> >> On Wed, Jul 27, 2016 at 10:40:13AM -0300, Lucas Kanashiro wrote:
> >>> But we want your opinion. Would you like to take care of this yourself?
> >> I'm happy to take care of this myself. I'm already working on updates
> >> for stable and unstable and was just about to reach out to you anyway.
> > I see that you already claimed the package in dla-needed. I'm happy to
> > take that over or do whatever makes most sense ;-) Let me know what
> > you'd prefer.
>
> I claimed in dla-needed before your feedback, you can handle it. You
> just need to follow the LTS workflow [0].

Thanks. I updated dla-needed.

The fixed packages are ready for upload now. Please find the full debdiff (source and binary) attached to this email.

Note that the (seemingly) added dependency on libxtables7 is a no-op. It's a virtual package provided by iptables (which is a dependency already). Apparently, there was some change after the original wheezy upload that's causing this to now show up. Similarly, the new dependency on zlib1g shouldn't make a difference either. The package has priority=required. Not sure why it's now showing up in the dependencies but didn't previously.

I'll wait for your "Go" to actually upload the package. Then, I'd go ahead to claim a DLA as documented. Should I wait for and synchronize with the DSA or should I come up with my own text?

Thanks,
Sebastian

--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
diff -u collectd-5.1.0/debian/changelog collectd-5.1.0/debian/changelog --- collectd-5.1.0/debian/changelog +++ collectd-5.1.0/debian/changelog @@ -1,3 +1,19 @@ +collectd (5.1.0-3+deb7u1) wheezy-security; urgency=high + + * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network + plugin. Emilien Gaspar has identified a heap overflow in parse_packet(), + the function used by the network plugin to parse incoming network packets. + Thanks to Florian Forster for reporting the bug in Debian. + (Closes: #832507, CVE-2016-6254) + * debian/patches/bts832577-gcry-control.dpatch: Fix improper usage of + gcry_control. A team of security researchers at Columbia University and + the University of Virginia discovered that GCrypt's gcry_control is + sometimes called without checking its return value for an error. This may + cause the program to be initialized without the desired, secure settings. + (Closes: #832577) + + -- Sebastian Harl <tokkee@debian.org> Thu, 28 Jul 2016 20:52:12 +0200 + collectd (5.1.0-3) unstable; urgency=low * debian/patches/migrate-4-5-df.dpatch, debian/collectd-core.postinst: diff -u collectd-5.1.0/debian/patches/00list collectd-5.1.0/debian/patches/00list --- collectd-5.1.0/debian/patches/00list +++ collectd-5.1.0/debian/patches/00list @@ -1,3 +1,5 @@ +CVE-2016-6254.dpatch +bts832577-gcry-control.dpatch rrd_filter_path.dpatch collection_conf_path.dpatch bts559801_plugin_find_fix.dpatch only in patch2: unchanged: --- collectd-5.1.0.orig/debian/patches/bts832577-gcry-control.dpatch +++ collectd-5.1.0/debian/patches/bts832577-gcry-control.dpatch 
@@ -0,0 +1,45 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## bts832577-gcry-control.dpatch by Florian Forster <octo@collectd.org> +## Backported to 5.1.0 by Sebastian Harl <tokkee@debian.org> +## +## DP: network plugin, libcollectdclient: Check return value of gcry_control(). +## +## Upstream commit: +## https://github.com/collectd/collectd/commit/8b4fed99 +## Upstream report: +## https://github.com/collectd/collectd/issues/1665 + +@DPATCH@ + +diff a/src/network.c b/src/network.c +--- a/src/network.c ++++ b/src/network.c +@@ -3342,6 +3342,7 @@ + static int network_init (void) + { + static _Bool have_init = 0; ++ gcry_error_t err; + + /* Check if we were already initialized. If so, just return - there's + * nothing more to do (for now, that is). */ +@@ -3350,8 +3351,18 @@ + have_init = 1; + + #if HAVE_LIBGCRYPT +- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); +- gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0); ++ err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); ++ if (err) ++ { ++ ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err)); ++ return (-1); ++ } ++ err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0); ++ if (err) ++ { ++ ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err)); ++ return (-1); ++ } + gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + #endif + only in patch2: unchanged: --- collectd-5.1.0.orig/debian/patches/CVE-2016-6254.dpatch +++ collectd-5.1.0/debian/patches/CVE-2016-6254.dpatch 
@@ -0,0 +1,47 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2016-6254.dpatch by Florian Forster <octo@collectd.org> +## +## DP: network plugin: Fix heap overflow in parse_packet(). +## DP: +## DP: Emilien Gaspar has identified a heap overflow in parse_packet(), the +## DP: function used by the network plugin to parse incoming network packets. +## DP: +## DP: This is a vulnerability in collectd, though the scope is not clear at +## DP: this point. At the very least specially crafted network packets can be +## DP: used to crash the daemon. We can't rule out a potential remote code +## DP: execution though. +## DP: +## DP: Fixes: CVE-2016-6254 +## DP: +## DP: Upstream commit: +## DP: https://github.com/collectd/collectd/commit/b589096 + +@DPATCH@ + +diff a/src/network.c b/src/network.c +--- a/src/network.c ++++ b/src/network.c +@@ -1392,6 +1392,7 @@ + printed_ignore_warning = 1; + } + buffer = ((char *) buffer) + pkg_length; ++ buffer_size -= (size_t) pkg_length; + continue; + } + #endif /* HAVE_LIBGCRYPT */ +@@ -1419,6 +1420,7 @@ + printed_ignore_warning = 1; + } + buffer = ((char *) buffer) + pkg_length; ++ buffer_size -= (size_t) pkg_length; + continue; + } + #endif /* HAVE_LIBGCRYPT */ +@@ -1560,6 +1562,7 @@ + DEBUG ("network plugin: parse_packet: Unknown part" + " type: 0x%04hx", pkg_type); + buffer = ((char *) buffer) + pkg_length; ++ buffer_size -= (size_t) pkg_length; + } + } /* while (buffer_size > sizeof (part_header_t)) */ + debdiff wheezy/collectd_5.1.0-3_amd64.deb collectd_5.1.0-3+deb7u1_amd64.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) ------------------------------------------------ Depends: collectd-core, iptables, libc6 (>= 2.4), librrd4 (>= [-1.3.0)-] {+1.3.0), libxtables7+} Recommends: libc6 (>= 2.7), libcurl3-gnutls (>= 7.16.2), libdbi1 (>= 0.8.4), libdbus-1-3 (>= 1.0.2), libesmtp6, libgcrypt11 (>= 1.4.5), libgdk-pixbuf2.0-0 (>= 2.22.0), libglib2.0-0 (>= 2.12.0), libhal1 (>= 0.5.8.1), 
libmemcached10, libmodbus5 (>= 3.0.2), libmysqlclient18 (>= 5.5.24+dfsg-1), libnotify4 (>= 0.7.0), libopenipmi0, liboping0 (>= 0.3.3), libpcap0.8 (>= 0.9.8), libperl5.14 (>= 5.14.2), libpq5, libprotobuf-c0 (>= 0.10), libpython2.7 (>= 2.7), librabbitmq0 (>= 0.0.1.hg216), librrd4 (>= 1.4~rc2), libsensors4 (>= 1:3.0.0), libsnmp15 (>= 5.4.3~dfsg), libssl1.0.0 (>= 1.0.0), libtokyotyrant3, libupsclient1 (>= 2.4.1), libvarnishapi1 (>= 3.0.0), libvirt0 (>= 0.3.2), libxml2 (>= 2.7.4), libyajl2 (>= [-2.0.4)-] {+2.0.4), zlib1g (>= 1:1.1.4)+} Version: [-5.1.0-3-] {+5.1.0-3+deb7u1+} debdiff wheezy/collectd-core_5.1.0-3_amd64.deb collectd-core_5.1.0-3+deb7u1_amd64.deb [The following lists of changes regard files as different if they have different names, permissions or owners.] Files in second .deb but not in first ------------------------------------- -rw-r--r-- root/root /usr/share/doc/collectd-core/README.Debian.plugins.gz Files in first .deb but not in second ------------------------------------- -rw-r--r-- root/root /usr/share/doc/collectd-core/README.Debian.plugins Control files: lines which differ (wdiff format) ------------------------------------------------ Depends: iptables, libc6 (>= 2.4), libltdl7 (>= 2.4.2), {+libxtables7,+} debconf (>= 0.5) | debconf-2.0 Installed-Size: [-2728-] {+2726+} Suggests: collectd-dev, librrds-perl, liburi-perl, libhtml-parser-perl, libregexp-common-perl, libconfig-general-perl, httpd-cgi, apache2, apcupsd, bind9, hddtemp, ipvsadm, lm-sensors, mbmon, memcached, mysql-server, nginx, notification-daemon, nut, openvpn, olsrd, pdns-server, postgresql, time-daemon, libc6 (>= 2.7), libcurl3-gnutls (>= 7.16.2), libdbi1 (>= 0.8.4), libdbus-1-3 (>= 1.0.2), libesmtp6, libgcrypt11 (>= 1.4.5), libgdk-pixbuf2.0-0 (>= 2.22.0), libglib2.0-0 (>= 2.12.0), libhal1 (>= 0.5.8.1), libmemcached10, libmodbus5 (>= 3.0.2), libmysqlclient18 (>= 5.5.24+dfsg-1), libnotify4 (>= 0.7.0), libopenipmi0, liboping0 (>= 0.3.3), libpcap0.8 (>= 0.9.8), libperl5.14 (>= 
5.14.2), libpq5, libprotobuf-c0 (>= 0.10), libpython2.7 (>= 2.7), librabbitmq0 (>= 0.0.1.hg216), librrd4 (>= 1.4~rc2), libsensors4 (>= 1:3.0.0), libsnmp15 (>= 5.4.3~dfsg), libssl1.0.0 (>= 1.0.0), libtokyotyrant3, libupsclient1 (>= 2.4.1), libvarnishapi1 (>= 3.0.0), libvirt0 (>= 0.3.2), libxml2 (>= 2.7.4), libyajl2 (>= [-2.0.4)-] {+2.0.4), zlib1g (>= 1:1.1.4)+} Version: [-5.1.0-3-] {+5.1.0-3+deb7u1+} debdiff wheezy/collectd-dbg_5.1.0-3_amd64.deb collectd-dbg_5.1.0-3+deb7u1_amd64.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) ------------------------------------------------ Depends: collectd-core (= [-5.1.0-3)-] {+5.1.0-3+deb7u1)+} Recommends: collectd-utils (= [-5.1.0-3),-] {+5.1.0-3+deb7u1),+} libcollectdclient0 (= [-5.1.0-3)-] {+5.1.0-3+deb7u1)+} Version: [-5.1.0-3-] {+5.1.0-3+deb7u1+} debdiff wheezy/collectd-dev_5.1.0-3_all.deb collectd-dev_5.1.0-3+deb7u1_all.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) ------------------------------------------------ Depends: collectd-core (>= [-5.1.0-3),-] {+5.1.0-3+deb7u1),+} collectd-core (<< 5.2~) Version: [-5.1.0-3-] {+5.1.0-3+deb7u1+} debdiff wheezy/collectd-utils_5.1.0-3_amd64.deb collectd-utils_5.1.0-3+deb7u1_amd64.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) ------------------------------------------------ Depends: iptables, libc6 (>= 2.4), libcollectdclient0 (>= [-5.1.0)-] {+5.1.0), libxtables7+} Version: [-5.1.0-3-] {+5.1.0-3+deb7u1+} debdiff wheezy/libcollectdclient0_5.1.0-3_amd64.deb libcollectdclient0_5.1.0-3+deb7u1_amd64.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) ------------------------------------------------ Depends: iptables, libc6 (>= [-2.4)-] {+2.4), libxtables7+} Version: [-5.1.0-3-] {+5.1.0-3+deb7u1+} debdiff wheezy/libcollectdclient-dev_5.1.0-3_amd64.deb 
libcollectdclient-dev_5.1.0-3+deb7u1_amd64.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) ------------------------------------------------ Depends: libcollectdclient0 (= [-5.1.0-3)-] {+5.1.0-3+deb7u1)+} Version: [-5.1.0-3-] {+5.1.0-3+deb7u1+}
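Review bot: in the network_init() hunk of bts832577-gcry-control.dpatch, `have_init = 1;` is set in the unchanged context before the `#if HAVE_LIBGCRYPT` block, so when either of the new checks hits `return (-1);` the function leaves have_init at 1 and the next call takes the "already initialized, just return" path as if initialisation had succeeded. Consider moving `have_init = 1;` below the libgcrypt block, or clearing it in the two error paths, so a failed init is not remembered as done. Two smaller points on the same hunk: the third call, `gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);`, is still unchecked while the two calls before it now are, and for consistency it should get the same `if (err)` treatment; and the `## DP:` line says "network plugin, libcollectdclient" but the backport carries only a src/network.c hunk, so either include the libcollectdclient part of upstream 8b4fed99 or trim the description so the header matches what the patch changes.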
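Review bot: each of the three skip-a-part paths in parse_packet() in CVE-2016-6254.dpatch now does `buffer_size -= (size_t) pkg_length;` next to the existing `buffer = ((char *) buffer) + pkg_length;`, which is the right fix for the pointer and the remaining length drifting apart, but none of the three hunks shows a check that pkg_length <= buffer_size before the subtraction. If that bound is enforced earlier in the loop, outside the context shown here, this is fine; if it is not, a pkg_length larger than the remaining buffer would wrap the size_t and keep `while (buffer_size > sizeof (part_header_t))` true with buffer already pointing past the end, so please confirm the bound check exists or add one ahead of these lines and bail out of the packet when it fails. Since the three added lines are identical copies of one another, folding the advance-and-shrink step into a single helper would also make the next such path harder to get wrong.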
Attachment:
signature.asc
Description: Digital signature