Incorrect interaction of the parse_packet() and parse_part_sign_sha256() functions in network.c in collectd 5.7.1 and earlier allows remote attackers to cause a denial of service (infinite loop) of a collectd instance (configured with "SecurityLevel None" and with empty "AuthFile" options) via a crafted UDP packet.
Backport upstream patch from https://github.com/collectd/collectd/ commit f6be4f9b49b949b379326c3d7002476e6ce4f211
Signed-off-by: Zhixiong Chi <[email protected]>
---
 .../collectd/collectd/collectd-CVE-2017-7401.patch | 54 ++++++++++++++++++++++
 .../recipes-extended/collectd/collectd_5.5.0.bb | 1 +
 2 files changed, 55 insertions(+)
 create mode 100644 meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
diff --git a/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
new file mode 100644
index 0000000..9dc975e
--- /dev/null
+++ b/meta-oe/recipes-extended/collectd/collectd/collectd-CVE-2017-7401.patch
@@ -0,0 +1,54 @@
+
+network plugin: Fix endless loop DOS in parse_packet()
+
+When correct 'Signature part' is received by Collectd, configured without
+AuthFile option, condition for endless loop occurs due to missing increase
+of pointer to next unprocessed part.
+
+This is a forward-port of #2233.
+
+Fixes: CVE-2017-7401
+Closes: #2174
+
+CVE: CVE-2017-7401
+
+Upstream-States: Backport
+
+Signed-off-by: Florian Forster <[email protected]>
+
+diff --git a/src/network.c b/src/network.c
+--- a/src/network.c
++++ b/src/network.c
+@@ -1050,14 +1050,6 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
+ buffer_len = *ret_buffer_len;
+ buffer_offset = 0;
+
+- if (se->data.server.userdb == NULL)
+- {
+- c_complain (LOG_NOTICE, &complain_no_users,
+- "network plugin: Received signed network packet but can't verify it "
+- "because no user DB has been configured. Will accept it.");
+- return (0);
+- }
+-
+ /* Check if the buffer has enough data for this structure. */
+ if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
+ return (-ENOMEM);
+@@ -1027,6 +1019,17 @@ static int parse_part_sign_sha256(sockent_t *se, /* {{{ */
+ return (-1);
+ }
+
++ if (se->data.server.userdb == NULL) {
++ c_complain(LOG_NOTICE, &complain_no_users,
++ "network plugin: Received signed network packet but can't verify it "
++ "because no user DB has been configured. Will accept it.");
++
++ *ret_buffer = buffer + pss_head_length;
++ *ret_buffer_len -= pss_head_length;
++
++ return (0);
++ }
++
+ /* Copy the hash. */
+ BUFFER_READ(pss.hash, sizeof(pss.hash));
+
diff --git a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
index 59732db..e325835 100644
--- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
+++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
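Review bot: The patch header added here spells its tag `Upstream-States: Backport`; the OpenEmbedded patch-header convention is `Upstream-Status: Backport`, so as written the backport is not recorded under the field that tooling and reviewers look for. In the embedded network.c change, the new early return for `se->data.server.userdb == NULL` skips `pss_head_length` bytes, a length taken from the received packet, and the only validation visible in context is the tail `return (-1); }`. It is worth confirming against the 5.5.0 source that this is the bounds check of `pss_head_length` against `buffer_len`, since otherwise `*ret_buffer_len -= pss_head_length` could wrap. The two embedded hunks are also listed out of ascending order (`-1050,14` before `-1027,6`), which suggests hand editing, so a `do_patch` run against 5.5.0 should confirm they still apply. parse_part_sign_sha256's body starts and ends outside both embedded hunks.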
@@ -15,6 +15,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
 file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
 file://CVE-2016-6254.patch \
 file://0001-fix-to-build-with-glibc-2.25.patch \
+ file://collectd-CVE-2017-7401.patch \
 "
 SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
 SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"
--
1.9.1
--
_______________________________________________
Openembedded-devel mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-devel
