Re: Wheezy update of collectd?

To: Lucas Kanashiro <kanashiro@debian.org>
Cc: debian-lts@lists.debian.org, Florian Forster <octo@collectd.org>, Marc Fournier <marc@bl.uem.li>, Emilien Gaspar <gapz@dud-t.org>
Subject: Re: Wheezy update of collectd?
From: Sebastian Harl <tokkee@debian.org>
Date: Thu, 4 Aug 2016 07:59:10 +0200
Message-id: <[🔎] 20160804055910.GE25504@chough.tokkee.org>
In-reply-to: <[🔎] 20160803131402.GD25504@chough.tokkee.org>
References: <c34f7347-fb38-593a-25e1-7aebc291202d@debian.org> <20160727141425.GG23177@chough.tokkee.org> <20160727141634.GH23177@chough.tokkee.org> <174e94da-bfb9-ec4d-8431-5dcbafafcaf7@debian.org> <20160728200254.GJ23177@chough.tokkee.org> <18d58875-2c8b-35e5-3cfd-ef23c73692e7@debian.org> <686b2842-96db-d38e-aade-52105481354d@debian.org> <[🔎] 20160803131402.GD25504@chough.tokkee.org>

On Wed, Aug 03, 2016 at 03:14:02PM +0200, Sebastian Harl wrote:
> On Fri, Jul 29, 2016 at 09:43:39AM -0300, Lucas Kanashiro wrote:
> > On 07/28/2016 05:55 PM, Lucas Kanashiro wrote:
> > > On 07/28/2016 05:02 PM, Sebastian Harl wrote:
> > >> Thanks. I updated dla-needed.
> > >>
> > >> The fixed packages are ready for upload now. Please find the full
> > >> debdiff (source and binary) attached to this email. Note that the
> > >> (seemingly) added dependency on libxtables7 is a no-op. It's a virtual
> > >> package provided by iptables (which is a dependency already).
> > >> Apparently, there was some change after the original wheezy upload
> > >> that's causing this to now show up.
> > >>
> > >> Similar, the new dependency on zlib1g shouldn't make a difference
> > >> either. The package has priority=required. Not sure why it's now showing
> > >> up in the dependencies but didn't previously.
> > >>
> > >> I'll wait for your "Go" to actually upload the package.
> > > Sure, until tomorrow I'll try to test it and give you a feedback.
> > >
> > 
> > LGTM, I rebuilt the package and tested the upgrade in a clean wheezy
> > chroot and worked well. I used the package a little bit and seems good.
> > I did not try to exploit the vulnerabilities.
> 
> It turns out this introduced a regression in Wheezy (#833013) which, in
> turn, uncovered a somewhat serious underlying issue. I'll go ahead to
> prepare a +deb7u2 upload to fix that issue (which will then also fix the
> regression).

I uploaded the fix as 5.1.0-3+deb7u2. Debdiff attached for reference.

Cheers,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin

diff -u collectd-5.1.0/debian/changelog collectd-5.1.0/debian/changelog
--- collectd-5.1.0/debian/changelog
+++ collectd-5.1.0/debian/changelog
@@ -1,3 +1,14 @@
+collectd (5.1.0-3+deb7u2) wheezy-security; urgency=high
+
+  * debian/patches/bts833013-gcry-init.dpatch: Fix initialization of
+    libgcrypt: Initialize the library before using any other functions to
+    ensure that thread-safety is set up appropriately. This fixes potential
+    crashes of the network plugin and a regression introduced in
+    5.1.0-3+deb7u1 which ultimately surfaced the issue. Thanks to Antoine
+    Sirinelli for reporting this. (Closes: #833013)
+
+ -- Sebastian Harl <tokkee@debian.org>  Wed, 03 Aug 2016 22:59:23 +0200
+
 collectd (5.1.0-3+deb7u1) wheezy-security; urgency=high
 
   * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network
diff -u collectd-5.1.0/debian/patches/00list collectd-5.1.0/debian/patches/00list
--- collectd-5.1.0/debian/patches/00list
+++ collectd-5.1.0/debian/patches/00list
@@ -1,5 +1,6 @@
 CVE-2016-6254.dpatch
 bts832577-gcry-control.dpatch
+bts833013-gcry-init.dpatch
 rrd_filter_path.dpatch
 collection_conf_path.dpatch
 bts559801_plugin_find_fix.dpatch
only in patch2:
unchanged:
--- collectd-5.1.0.orig/debian/patches/bts833013-gcry-init.dpatch
+++ collectd-5.1.0/debian/patches/bts833013-gcry-init.dpatch
@@ -0,0 +1,113 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## bts833013-gcry-init.dpatch by Florian Forster <octo@collectd.org>
+## Backported to 5.1.0 by Sebastian Harl <tokkee@debian.org>
+## Rebased on top of bts832577-gcry-control.dpatch
+##
+## DP: Make sure gcrypt is initialized before using any of its functions.
+## DP:
+## DP: @marekbecka found that gcrypt functionality is called during the
+## DP: configuration phase, but the library is only initialized later during
+## DP: the initialization phase.
+## DP:
+## DP: Upstream commits:
+## DP: https://github.com/collectd/collectd/commit/0ec776a
+## DP: https://github.com/collectd/collectd/commit/a3000cbe
+## DP: Upstream report:
+## DP: https://github.com/collectd/collectd/issues/273
+
+@DPATCH@
+
+diff a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -476,6 +476,29 @@
+ } /* }}} int network_dispatch_notification */
+ 
+ #if HAVE_LIBGCRYPT
++static int network_init_gcrypt (void) /* {{{ */
++{
++	gcry_error_t err;
++
++	if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P))
++		return (0);
++
++	err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
++	if (err)
++	{
++		ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
++		return (-1);
++	}
++	err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
++	if (err)
++	{
++		ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err));
++		return (-1);
++	}
++	gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
++	return (0);
++} /* }}} void network_init_gcrypt */
++
+ static gcry_cipher_hd_t network_get_aes256_cypher (sockent_t *se, /* {{{ */
+     const void *iv, size_t iv_size, const char *username)
+ {
+@@ -2011,6 +2034,13 @@
+ 	{
+ 		if (se->data.client.security_level > SECURITY_LEVEL_NONE)
+ 		{
++			if (network_init_gcrypt () < 0)
++			{
++				ERROR ("network plugin: Cannot configure client socket with "
++						"security: Failed to initialize crypto library.");
++				return (-1);
++			}
++
+ 			if ((se->data.client.username == NULL)
+ 					|| (se->data.client.password == NULL))
+ 			{
+@@ -2029,6 +2059,13 @@
+ 	{
+ 		if (se->data.server.security_level > SECURITY_LEVEL_NONE)
+ 		{
++			if (network_init_gcrypt () < 0)
++			{
++				ERROR ("network plugin: Cannot configure server socket with "
++						"security: Failed to initialize crypto library.");
++				return (-1);
++			}
++
+ 			if (se->data.server.auth_file == NULL)
+ 			{
+ 				ERROR ("network plugin: Server socket with "
+@@ -3345,7 +3382,6 @@
+ static int network_init (void)
+ {
+ 	static _Bool have_init = 0;
+-	gcry_error_t err;
+ 
+ 	/* Check if we were already initialized. If so, just return - there's
+ 	 * nothing more to do (for now, that is). */
+@@ -3354,19 +3390,11 @@
+ 	have_init = 1;
+ 
+ #if HAVE_LIBGCRYPT
+-	err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+-	if (err)
+-	{
+-		ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err));
+-		return (-1);
+-	}
+-	err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
+-	if (err)
+-	{
+-		ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err));
+-		return (-1);
+-	}
+-	gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
++	if (network_init_gcrypt () < 0)
++	{
++		ERROR ("network plugin: Failed to initialize crypto library.");
++		return (-1);
++	}
+ #endif
+ 
+ 	if (network_config_stats != 0)

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Re: Wheezy update of collectd?
  - From: Sebastian Harl <tokkee@debian.org>

Prev by Date: Wheezy update of libreoffice #2 (CVE-2016-1513)
Next by Date: Re: Wheezy update of libreoffice #2 (CVE-2016-1513)
Previous by thread: Re: Wheezy update of collectd?
Next by thread: Security update of mongodb
Index(es):
- Date
- Thread