Re: Wheezy update of collectd?
Hi again,

On Fri, Jul 29, 2016 at 09:43:39AM -0300, Lucas Kanashiro wrote:
> On 07/28/2016 05:55 PM, Lucas Kanashiro wrote:
> > On 07/28/2016 05:02 PM, Sebastian Harl wrote:
> >> Thanks. I updated dla-needed.
> >>
> >> The fixed packages are ready for upload now. Please find the full
> >> debdiff (source and binary) attached to this email. Note that the
> >> (seemingly) added dependency on libxtables7 is a no-op. It's a virtual
> >> package provided by iptables (which is a dependency already).
> >> Apparently, there was some change after the original wheezy upload
> >> that's causing this to now show up.
> >>
> >> Similar, the new dependency on zlib1g shouldn't make a difference
> >> either. The package has priority=required. Not sure why it's now showing
> >> up in the dependencies but didn't previously.
> >>
> >> I'll wait for your "Go" to actually upload the package.
> > Sure, until tomorrow I'll try to test it and give you a feedback.
> >
>
> LGTM, I rebuilt the package and tested the upgrade in a clean wheezy
> chroot and worked well. I used the package a little bit and seems good.
> I did not try to exploit the vulnerabilities.

It turns out this introduced a regression in Wheezy (#833013) which, in turn, uncovered a somewhat serious underlying issue. I'll go ahead to prepare a +deb7u2 upload to fix that issue (which will then also fix the regression). Do you want to review the debdiff before the upload?

Based on the LTS documentation, I'll then send out a -2 DLA.

Cheers,
Sebastian

--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
Re: Wheezy update of collectd?
On Fri, Jul 29, 2016 at 09:43:39AM -0300, Lucas Kanashiro wrote:
> On 07/28/2016 05:55 PM, Lucas Kanashiro wrote:
> > On 07/28/2016 05:02 PM, Sebastian Harl wrote:
> >> Thanks. I updated dla-needed.
> >>
> >> The fixed packages are ready for upload now. Please find the full
> >> debdiff (source and binary) attached to this email. Note that the
> >> (seemingly) added dependency on libxtables7 is a no-op. It's a virtual
> >> package provided by iptables (which is a dependency already).
> >> Apparently, there was some change after the original wheezy upload
> >> that's causing this to now show up.
> >>
> >> Similar, the new dependency on zlib1g shouldn't make a difference
> >> either. The package has priority=required. Not sure why it's now showing
> >> up in the dependencies but didn't previously.
> >>
> >> I'll wait for your "Go" to actually upload the package.
> > Sure, until tomorrow I'll try to test it and give you a feedback.
> >
>
> LGTM, I rebuilt the package and tested the upgrade in a clean wheezy
> chroot and worked well. I used the package a little bit and seems good.
> I did not try to exploit the vulnerabilities.

Cheers! Uploaded to security-master.

Sebastian

--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
Re: Wheezy update of collectd?
On 07/28/2016 05:55 PM, Lucas Kanashiro wrote:
> On 07/28/2016 05:02 PM, Sebastian Harl wrote:
>> Thanks. I updated dla-needed.
>>
>> The fixed packages are ready for upload now. Please find the full
>> debdiff (source and binary) attached to this email. Note that the
>> (seemingly) added dependency on libxtables7 is a no-op. It's a virtual
>> package provided by iptables (which is a dependency already).
>> Apparently, there was some change after the original wheezy upload
>> that's causing this to now show up.
>>
>> Similar, the new dependency on zlib1g shouldn't make a difference
>> either. The package has priority=required. Not sure why it's now showing
>> up in the dependencies but didn't previously.
>>
>> I'll wait for your "Go" to actually upload the package.
> Sure, until tomorrow I'll try to test it and give you a feedback.
>

LGTM, I rebuilt the package and tested the upgrade in a clean wheezy chroot and it worked well. I used the package a little bit and it seems good. I did not try to exploit the vulnerabilities.

Cheers.

--
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130 A870 F823 A272 9883 C97C
Re: Wheezy update of collectd?
On 07/28/2016 05:02 PM, Sebastian Harl wrote:
> Thanks. I updated dla-needed.
>
> The fixed packages are ready for upload now. Please find the full
> debdiff (source and binary) attached to this email. Note that the
> (seemingly) added dependency on libxtables7 is a no-op. It's a virtual
> package provided by iptables (which is a dependency already).
> Apparently, there was some change after the original wheezy upload
> that's causing this to now show up.
>
> Similar, the new dependency on zlib1g shouldn't make a difference
> either. The package has priority=required. Not sure why it's now showing
> up in the dependencies but didn't previously.
>
> I'll wait for your "Go" to actually upload the package.

Sure, until tomorrow I'll try to test it and give you feedback.

> Then, I'd go ahead to claim an DLA as documented. Should I wait for and
> synchronize with the DSA or should I come up with my own text?
>

I think you can go ahead with your own text if you are able to explain the fixed vulnerabilities, helping users to understand them. If I am wrong, please correct me :)

Cheers,

--
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130 A870 F823 A272 9883 C97C
Re: Wheezy update of collectd?
Hi,

On Thu, Jul 28, 2016 at 11:08:46AM -0300, Lucas Kanashiro wrote:
> On 07/27/2016 11:16 AM, Sebastian Harl wrote:
> > On Wed, Jul 27, 2016 at 04:14:25PM +0200, Sebastian Harl wrote:
> >> On Wed, Jul 27, 2016 at 10:40:13AM -0300, Lucas Kanashiro wrote:
> >>> But we want your opinion. Would you like to take care of this yourself?
> >> I'm happy to take care of this myself. I'm already working on updates
> >> for stable and unstable and was just about to reach out to you anyway.
> > I see that you already claimed the package in dla-needed. I'm happy to
> > take that over or do whatever makes most sense ;-) Let me know what
> > you'd prefer.
> >
> I claimed in dla-needed before your feedback, you can handle it. You
> just need to follow the LTS workflow [0].

Thanks. I updated dla-needed.

The fixed packages are ready for upload now. Please find the full debdiff (source and binary) attached to this email. Note that the (seemingly) added dependency on libxtables7 is a no-op. It's a virtual package provided by iptables (which is a dependency already). Apparently, there was some change after the original wheezy upload that's causing this to now show up.

Similarly, the new dependency on zlib1g shouldn't make a difference either. The package has priority=required. Not sure why it's now showing up in the dependencies but didn't previously.

I'll wait for your "Go" to actually upload the package. Then, I'd go ahead to claim a DLA as documented. Should I wait for and synchronize with the DSA or should I come up with my own text?

Thanks,
Sebastian

--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin

diff -u collectd-5.1.0/debian/changelog collectd-5.1.0/debian/changelog --- collectd-5.1.0/debian/changelog +++ collectd-5.1.0/debian/changelog 
@@ -1,3 +1,19 @@ +collectd (5.1.0-3+deb7u1) wheezy-security; urgency=high + + * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network +plugin. Emilien Gaspar has identified a heap overflow in parse_packet(), +the function used by the network plugin to parse incoming network packets. +Thanks to Florian Forster for reporting the bug in Debian. +(Closes: #832507, CVE-2016-6254) + * debian/patches/bts832577-gcry-control.dpatch: Fix improper usage of +gcry_control. A team of security researchers at Columbia University and +the University of Virginia discovered that GCrypt's gcry_control is +sometimes called without checking its return value for an error. This may +cause the program to be initialized without the desired, secure settings. +(Closes: #832577) + + -- Sebastian HarlThu, 28 Jul 2016 20:52:12 +0200 + collectd (5.1.0-3) unstable; urgency=low * debian/patches/migrate-4-5-df.dpatch, debian/collectd-core.postinst: diff -u collectd-5.1.0/debian/patches/00list collectd-5.1.0/debian/patches/00list --- collectd-5.1.0/debian/patches/00list +++ collectd-5.1.0/debian/patches/00list @@ -1,3 +1,5 @@ +CVE-2016-6254.dpatch +bts832577-gcry-control.dpatch rrd_filter_path.dpatch collection_conf_path.dpatch bts559801_plugin_find_fix.dpatch only in patch2: unchanged: --- collectd-5.1.0.orig/debian/patches/bts832577-gcry-control.dpatch +++ collectd-5.1.0/debian/patches/bts832577-gcry-control.dpatch 
@@ -0,0 +1,45 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## bts832577-gcry-control.dpatch by Florian Forster +## Backported to 5.1.0 by Sebastian Harl +## +## DP: network plugin, libcollectdclient: Check return value of gcry_control(). +## +## Upstream commit: +## https://github.com/collectd/collectd/commit/8b4fed99 +## Upstream report: +## https://github.com/collectd/collectd/issues/1665 + +@DPATCH@ + +diff a/src/network.c b/src/network.c +--- a/src/network.c b/src/network.c +@@ -3342,6 +3342,7 @@ + static int network_init (void) + { + static _Bool have_init = 0; ++ gcry_error_t err; + + /* Check if we were already initialized. If so, just return - there's +* nothing more to do (for now, that is). */ +@@ -3350,8 +3351,18 @@ + have_init = 1; + + #if HAVE_LIBGCRYPT +- gcry_control (GCRYCTL_SET_THREAD_CBS, _threads_pthread); +- gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0); ++ err = gcry_control (GCRYCTL_SET_THREAD_CBS, _threads_pthread); ++ if (err) ++ { ++ ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err)); ++ return (-1); ++ } ++ err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0); ++ if (err) ++ { ++ ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err)); ++ return (-1); ++ } + gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + #endif + only in patch2: unchanged: ---
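Review bot: The changelog entry closes #832507 / CVE-2016-6254 through debian/patches/CVE-2016-6254.dpatch, but that file's contents are not in the debdiff as shown here: the "only in patch2" section reaches bts832577-gcry-control.dpatch and is then cut off, so the parse_packet() heap-overflow fix itself cannot be reviewed from this excerpt. Please make sure the attached debdiff actually carries CVE-2016-6254.dpatch (ideally with an "Upstream commit:" reference in its header, as the gcry-control dpatch has), since both the changelog and 00list depend on it. Minor: as rendered here the trailer reads "Sebastian HarlThu, 28 Jul 2016 20:52:12 +0200" with no e-mail address between name and date; dpkg-parsechangelog requires a well-formed "-- Name <address>  date" line, so it is worth checking the real file before upload.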
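Review bot: The two new entries are inserted at the top of 00list, so dpatch applies CVE-2016-6254.dpatch and bts832577-gcry-control.dpatch before rrd_filter_path.dpatch, collection_conf_path.dpatch and bts559801_plugin_find_fix.dpatch. That is only safe if none of those three touch src/network.c or the other files the security patches modify, which this excerpt does not show; the usual convention is to append new patches at the end of the list so the existing ones keep applying against the context they were generated for. The clean-chroot rebuild Lucas mentions would confirm they still apply in this order.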
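Review bot: The third call, gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0), is still unchecked while the two calls before it now are; given that #832577 is precisely about gcry_control being called without checking its return value, it should get the same err / ERROR / return (-1) treatment. Two further points on the same hunk: in the surrounding context have_init = 1 is set before the gcry_control calls, so once network_init() has returned -1 any later call returns early as "already initialized" without retrying the setup; setting have_init only after the #endif would avoid that. And the new "gcry_error_t err;" declaration sits above #if HAVE_LIBGCRYPT, so in a build without libgcrypt it is an unused variable (and, if gcrypt.h is only included under HAVE_LIBGCRYPT, an undeclared type); declaring it inside the #if block keeps that configuration clean. Separately, libgcrypt's documented initialization sequence expects gcry_check_version() to run before GCRYCTL_INIT_SECMEM, and the hunk shows no such call, so it is worth confirming the rest of network_init() (or the backported upstream commit 8b4fed99) performs it. The dpatch header also lists libcollectdclient as changed, but the excerpt is truncated after the network.c part, so that half could not be reviewed here.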
Re: Wheezy update of collectd?
On 07/27/2016 11:16 AM, Sebastian Harl wrote:
> On Wed, Jul 27, 2016 at 04:14:25PM +0200, Sebastian Harl wrote:
>> On Wed, Jul 27, 2016 at 10:40:13AM -0300, Lucas Kanashiro wrote:
>>> But we want your opinion. Would you like to take care of this yourself?
>> I'm happy to take care of this myself. I'm already working on updates
>> for stable and unstable and was just about to reach out to you anyway.
> I see that you already claimed the package in dla-needed. I'm happy to
> take that over or do whatever makes most sense ;-) Let me know what
> you'd prefer.

I claimed it in dla-needed before your feedback; you can handle it. You just need to follow the LTS workflow [0].

Cheers.

P.S.: I am adding a note in dla-needed that collectd is up to you :)

[0] https://wiki.debian.org/LTS/Development

--
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130 A870 F823 A272 9883 C97C
Re: Wheezy update of collectd?
On Wed, Jul 27, 2016 at 04:14:25PM +0200, Sebastian Harl wrote:
> On Wed, Jul 27, 2016 at 10:40:13AM -0300, Lucas Kanashiro wrote:
> > But we want your opinion. Would you like to take care of this yourself?
>
> I'm happy to take care of this myself. I'm already working on updates
> for stable and unstable and was just about to reach out to you anyway.

I see that you already claimed the package in dla-needed. I'm happy to take that over or do whatever makes most sense ;-) Let me know what you'd prefer.

Cheers,
Sebastian

--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin