Re: Wheezy update of collectd?

2016-08-03 Thread Sebastian Harl
Hi again,

On Fri, Jul 29, 2016 at 09:43:39AM -0300, Lucas Kanashiro wrote:
> On 07/28/2016 05:55 PM, Lucas Kanashiro wrote:
> > On 07/28/2016 05:02 PM, Sebastian Harl wrote:
> >> Thanks. I updated dla-needed.
> >>
> >> The fixed packages are ready for upload now. Please find the full
> >> debdiff (source and binary) attached to this email. Note that the
> >> (seemingly) added dependency on libxtables7 is a no-op. It's a virtual
> >> package provided by iptables (which is a dependency already).
> >> Apparently, there was some change after the original wheezy upload
> >> that's causing this to now show up.
> >>
> >> Similarly, the new dependency on zlib1g shouldn't make a difference
> >> either. The package has priority=required. Not sure why it's now showing
> >> up in the dependencies but didn't previously.
> >>
> >> I'll wait for your "Go" to actually upload the package.
> > Sure, I'll try to test it by tomorrow and give you some feedback.
> >
> 
> LGTM, I rebuilt the package and tested the upgrade in a clean wheezy
> chroot, and it worked well. I used the package a little bit and it seems good.
> I did not try to exploit the vulnerabilities.

It turns out this introduced a regression in Wheezy (#833013) which, in
turn, uncovered a somewhat serious underlying issue. I'll go ahead and
prepare a +deb7u2 upload to fix that issue (which will then also fix the
regression).

Do you want to review the debdiff before the upload?

Based on the LTS documentation, I'll then send out a -2 DLA.

Cheers,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin



signature.asc
Description: Digital signature


Re: Wheezy update of collectd?

2016-07-29 Thread Sebastian Harl
On Fri, Jul 29, 2016 at 09:43:39AM -0300, Lucas Kanashiro wrote:
> On 07/28/2016 05:55 PM, Lucas Kanashiro wrote:
> > On 07/28/2016 05:02 PM, Sebastian Harl wrote:
> >> Thanks. I updated dla-needed.
> >>
> >> The fixed packages are ready for upload now. Please find the full
> >> debdiff (source and binary) attached to this email. Note that the
> >> (seemingly) added dependency on libxtables7 is a no-op. It's a virtual
> >> package provided by iptables (which is a dependency already).
> >> Apparently, there was some change after the original wheezy upload
> >> that's causing this to now show up.
> >>
> >> Similarly, the new dependency on zlib1g shouldn't make a difference
> >> either. The package has priority=required. Not sure why it's now showing
> >> up in the dependencies but didn't previously.
> >>
> >> I'll wait for your "Go" to actually upload the package.
> > Sure, I'll try to test it by tomorrow and give you some feedback.
> >
> 
> LGTM, I rebuilt the package and tested the upgrade in a clean wheezy
> chroot, and it worked well. I used the package a little bit and it seems good.
> I did not try to exploit the vulnerabilities.

Cheers! Uploaded to security-master.

Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin





Re: Wheezy update of collectd?

2016-07-29 Thread Lucas Kanashiro


On 07/28/2016 05:55 PM, Lucas Kanashiro wrote:
> On 07/28/2016 05:02 PM, Sebastian Harl wrote:
>> Thanks. I updated dla-needed.
>>
>> The fixed packages are ready for upload now. Please find the full
>> debdiff (source and binary) attached to this email. Note that the
>> (seemingly) added dependency on libxtables7 is a no-op. It's a virtual
>> package provided by iptables (which is a dependency already).
>> Apparently, there was some change after the original wheezy upload
>> that's causing this to now show up.
>>
>> Similarly, the new dependency on zlib1g shouldn't make a difference
>> either. The package has priority=required. Not sure why it's now showing
>> up in the dependencies but didn't previously.
>>
>> I'll wait for your "Go" to actually upload the package.
> Sure, I'll try to test it by tomorrow and give you some feedback.
>

LGTM, I rebuilt the package and tested the upgrade in a clean wheezy
chroot, and it worked well. I used the package a little bit and it seems good.
I did not try to exploit the vulnerabilities.

Cheers.

-- 
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130  A870 F823 A272 9883 C97C






Re: Wheezy update of collectd?

2016-07-28 Thread Lucas Kanashiro


On 07/28/2016 05:02 PM, Sebastian Harl wrote:
> Thanks. I updated dla-needed.
>
> The fixed packages are ready for upload now. Please find the full
> debdiff (source and binary) attached to this email. Note that the
> (seemingly) added dependency on libxtables7 is a no-op. It's a virtual
> package provided by iptables (which is a dependency already).
> Apparently, there was some change after the original wheezy upload
> that's causing this to now show up.
>
> Similarly, the new dependency on zlib1g shouldn't make a difference
> either. The package has priority=required. Not sure why it's now showing
> up in the dependencies but didn't previously.
>
> I'll wait for your "Go" to actually upload the package.

Sure, I'll try to test it by tomorrow and give you some feedback.

> Then I'd go ahead and claim a DLA as documented. Should I wait for and
> synchronize with the DSA or should I come up with my own text?
>

I think you can go ahead with your own text if you are able to explain
the fixed vulnerabilities, helping users to understand them. If I am
wrong, please, correct me :)


Cheers,

-- 
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130  A870 F823 A272 9883 C97C






Re: Wheezy update of collectd?

2016-07-28 Thread Sebastian Harl
Hi,

On Thu, Jul 28, 2016 at 11:08:46AM -0300, Lucas Kanashiro wrote:
> On 07/27/2016 11:16 AM, Sebastian Harl wrote:
> > On Wed, Jul 27, 2016 at 04:14:25PM +0200, Sebastian Harl wrote:
> >> On Wed, Jul 27, 2016 at 10:40:13AM -0300, Lucas Kanashiro wrote:
> >>> But we want your opinion. Would you like to take care of this yourself?
> >> I'm happy to take care of this myself. I'm already working on updates
> >> for stable and unstable and was just about to reach out to you anyway.
> > I see that you already claimed the package in dla-needed. I'm happy to
> > take that over or do whatever makes most sense ;-) Let me know what
> > you'd prefer.
> 
> I claimed it in dla-needed before your feedback; you can handle it. You
> just need to follow the LTS workflow [0].

Thanks. I updated dla-needed.

The fixed packages are ready for upload now. Please find the full
debdiff (source and binary) attached to this email. Note that the
(seemingly) added dependency on libxtables7 is a no-op. It's a virtual
package provided by iptables (which is a dependency already).
Apparently, there was some change after the original wheezy upload
that's causing this to now show up.

Similarly, the new dependency on zlib1g shouldn't make a difference
either. The package has priority=required. Not sure why it's now showing
up in the dependencies but didn't previously.

I'll wait for your "Go" to actually upload the package.

Then I'd go ahead and claim a DLA as documented. Should I wait for and
synchronize with the DSA or should I come up with my own text?

Thanks,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin

diff -u collectd-5.1.0/debian/changelog collectd-5.1.0/debian/changelog
--- collectd-5.1.0/debian/changelog
+++ collectd-5.1.0/debian/changelog
@@ -1,3 +1,19 @@
+collectd (5.1.0-3+deb7u1) wheezy-security; urgency=high
+
+  * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network
+plugin. Emilien Gaspar has identified a heap overflow in parse_packet(),
+the function used by the network plugin to parse incoming network packets.
+Thanks to Florian Forster for reporting the bug in Debian.
+(Closes: #832507, CVE-2016-6254)
+  * debian/patches/bts832577-gcry-control.dpatch: Fix improper usage of
+gcry_control. A team of security researchers at Columbia University and
+the University of Virginia discovered that GCrypt's gcry_control is
+sometimes called without checking its return value for an error. This may
+cause the program to be initialized without the desired, secure settings.
+(Closes: #832577)
+
+ -- Sebastian Harl   Thu, 28 Jul 2016 20:52:12 +0200
+
 collectd (5.1.0-3) unstable; urgency=low
 
   * debian/patches/migrate-4-5-df.dpatch, debian/collectd-core.postinst:
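Review bot: the entry for debian/patches/CVE-2016-6254.dpatch (Closes: #832507) describes the parse_packet() heap overflow fix, but that dpatch does not appear anywhere in the debdiff as rendered here, which ends in a bare "only in patch2: / unchanged: / ---" stub; please make sure the full attachment carries it, since the most important change of this upload cannot be reviewed from this excerpt. Also, the maintainer trailer " -- Sebastian Harl   Thu, 28 Jul 2016 20:52:12 +0200" shows no address between the name and the date, which looks like the mail rendering dropping an angle-bracketed token; worth confirming the changelog file itself is intact, as a malformed trailer line breaks the build.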
diff -u collectd-5.1.0/debian/patches/00list 
collectd-5.1.0/debian/patches/00list
--- collectd-5.1.0/debian/patches/00list
+++ collectd-5.1.0/debian/patches/00list
@@ -1,3 +1,5 @@
+CVE-2016-6254.dpatch
+bts832577-gcry-control.dpatch
 rrd_filter_path.dpatch
 collection_conf_path.dpatch
 bts559801_plugin_find_fix.dpatch
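Review bot: 00list is applied top to bottom, so the two new patches are now applied before rrd_filter_path.dpatch, collection_conf_path.dpatch and bts559801_plugin_find_fix.dpatch rather than on top of them. That is fine as long as none of the existing patches touch src/network.c near the network_init() hunk or the parse_packet() code, otherwise their hunks may no longer apply cleanly; a clean-chroot rebuild such as the one Lucas ran settles it. Appending security patches after the existing ones would keep the backports applying against the same tree they were generated from.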
only in patch2:
unchanged:
--- collectd-5.1.0.orig/debian/patches/bts832577-gcry-control.dpatch
+++ collectd-5.1.0/debian/patches/bts832577-gcry-control.dpatch
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## bts832577-gcry-control.dpatch by Florian Forster 
+## Backported to 5.1.0 by Sebastian Harl 
+##
+## DP: network plugin, libcollectdclient: Check return value of gcry_control().
+##
+## Upstream commit:
+## https://github.com/collectd/collectd/commit/8b4fed99
+## Upstream report:
+## https://github.com/collectd/collectd/issues/1665
+
+@DPATCH@
+
+diff a/src/network.c b/src/network.c
+--- a/src/network.c
 b/src/network.c
+@@ -3342,6 +3342,7 @@
+ static int network_init (void)
+ {
+   static _Bool have_init = 0;
++  gcry_error_t err;
+ 
+   /* Check if we were already initialized. If so, just return - there's
+* nothing more to do (for now, that is). */
+@@ -3350,8 +3351,18 @@
+   have_init = 1;
+ 
+ #if HAVE_LIBGCRYPT
+-  gcry_control (GCRYCTL_SET_THREAD_CBS, _threads_pthread);
+-  gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
++  err = gcry_control (GCRYCTL_SET_THREAD_CBS, _threads_pthread);
++  if (err)
++  {
++  ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) 
failed: %s", gcry_strerror (err));
++  return (-1);
++  }
++  err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
++  if (err)
++  {
++  ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) 
failed: %s", gcry_strerror (err));
++  return (-1);
++  }
+   gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+ #endif
+ 
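Review bot: have_init is set to 1 (the "have_init = 1;" line just before the #if HAVE_LIBGCRYPT block) before either gcry_control() result is checked, so if one of the calls fails and network_init() returns -1, a later call to network_init() takes the early "already initialized" return and reports success with libgcrypt left half-initialised; either move "have_init = 1;" below the checked calls or reset it on the two error paths. Two smaller points: the third call, "gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);", is still unchecked although the changelog says the return value of gcry_control is now checked, so check it too or say why it cannot fail; and the "## DP:" line says the patch covers "network plugin, libcollectdclient", but all 45 lines of the dpatch touch only src/network.c, so either the description should be trimmed or the libcollectdclient hunk is missing from the backport. Finally, "_threads_pthread" on the GCRYCTL_SET_THREAD_CBS lines has lost its "&gcry" prefix in this rendering (upstream passes &gcry_threads_pthread); presumably a mail artifact, but worth checking the attached file.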
only in patch2:
unchanged:
--- 

Re: Wheezy update of collectd?

2016-07-28 Thread Lucas Kanashiro


On 07/27/2016 11:16 AM, Sebastian Harl wrote:
> On Wed, Jul 27, 2016 at 04:14:25PM +0200, Sebastian Harl wrote:
>> On Wed, Jul 27, 2016 at 10:40:13AM -0300, Lucas Kanashiro wrote:
>>> But we want your opinion. Would you like to take care of this yourself?
>> I'm happy to take care of this myself. I'm already working on updates
>> for stable and unstable and was just about to reach out to you anyway.
> I see that you already claimed the package in dla-needed. I'm happy to
> take that over or do whatever makes most sense ;-) Let me know what
> you'd prefer.

I claimed it in dla-needed before your feedback; you can handle it. You
just need to follow the LTS workflow [0].

Cheers.

P.S.: I am adding a note in dla-needed that collectd is up to you :)

[0] https://wiki.debian.org/LTS/Development

-- 
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130  A870 F823 A272 9883 C97C






Re: Wheezy update of collectd?

2016-07-27 Thread Sebastian Harl
On Wed, Jul 27, 2016 at 04:14:25PM +0200, Sebastian Harl wrote:
> On Wed, Jul 27, 2016 at 10:40:13AM -0300, Lucas Kanashiro wrote:
> > But we want your opinion. Would you like to take care of this yourself?
> 
> I'm happy to take care of this myself. I'm already working on updates
> for stable and unstable and was just about to reach out to you anyway.

I see that you already claimed the package in dla-needed. I'm happy to
take that over or do whatever makes most sense ;-) Let me know what
you'd prefer.

Cheers,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin


