mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-08 16:00:32 +00:00
Code Issues Projects Releases Wiki Activity

collectd: CVE-2016-6254

Browse Source 
Heap-based buffer overflow in the parse_packet function in network.c in
collectd before 5.4.3 and 5.x before 5.5.2 allows remote attackers to
cause a denial of service (daemon crash) or possibly execute arbitrary
code via a crafted network packet.

Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This commit is contained in:
Alexandru Moise
2016-09-07 12:34:11 +03:00
committed by Martin Jansa
parent 2f157021ff
commit 4fad615950
2 changed files with 56 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
+55
View File
@@ -0,0 +1,55 @@
From dd8483a4beb6f61521d8b32c726523bbea21cd92 Mon Sep 17 00:00:00 2001
From: Florian Forster <octo@collectd.org>
Date: Tue, 19 Jul 2016 10:00:37 +0200
Subject: [PATCH] network plugin: Fix heap overflow in parse_packet().
Emilien Gaspar has identified a heap overflow in parse_packet(), the
function used by the network plugin to parse incoming network packets.
This is a vulnerability in collectd, though the scope is not clear at
this point. At the very least specially crafted network packets can be
used to crash the daemon. We can't rule out a potential remote code
execution though.
Fixes: CVE-2016-6254
cherry picked from upstream commit b589096f
Upstream Status: Backport
Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
---
src/network.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/network.c b/src/network.c
index 551bd5c..cb979b2 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1444,6 +1444,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
printed_ignore_warning = 1;
}
buffer = ((char *) buffer) + pkg_length;
+ buffer_size -= (size_t) pkg_length;
continue;
}
#endif /* HAVE_LIBGCRYPT */
@@ -1471,6 +1472,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
printed_ignore_warning = 1;
}
buffer = ((char *) buffer) + pkg_length;
+ buffer_size -= (size_t) pkg_length;
continue;
}
#endif /* HAVE_LIBGCRYPT */
@@ -1612,6 +1614,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
DEBUG ("network plugin: parse_packet: Unknown part"
" type: 0x%04hx", pkg_type);
buffer = ((char *) buffer) + pkg_length;
+ buffer_size -= (size_t) pkg_length;
}
} /* while (buffer_size > sizeof (part_header_t)) */
--
2.7.4
meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
+1
View File
@@ -13,6 +13,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
file://collectd.service \ file://collectd.service \
file://0001-conditionally-check-libvirt.patch \ file://0001-conditionally-check-libvirt.patch \
file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \ file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
file://CVE-2016-6254.patch \
" "
SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a" SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88" SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"