collectd: CVE-2016-6254

Heap-based buffer overflow in the parse_packet function in network.c in
collectd before 5.4.3 and 5.x before 5.5.2 allows remote attackers to
cause a denial of service (daemon crash) or possibly execute arbitrary
code via a crafted network packet.

Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

2 files changed, 56 insertions, 0 deletions

diff --git a/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch b/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
new file mode 100644
index 000000000..bc85b4c0e
--- /dev/null
+++ b/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
@@ -0,0 +1,55 @@
+From dd8483a4beb6f61521d8b32c726523bbea21cd92 Mon Sep 17 00:00:00 2001
+From: Florian Forster <octo@collectd.org>
+Date: Tue, 19 Jul 2016 10:00:37 +0200
+Subject: [PATCH] network plugin: Fix heap overflow in parse_packet().
+
+Emilien Gaspar has identified a heap overflow in parse_packet(), the
+function used by the network plugin to parse incoming network packets.
+
+This is a vulnerability in collectd, though the scope is not clear at
+this point. At the very least specially crafted network packets can be
+used to crash the daemon. We can't rule out a potential remote code
+execution though.
+
+Fixes: CVE-2016-6254
+
+cherry picked from upstream commit b589096f
+
+Upstream Status: Backport
+
+Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
+---
+ src/network.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/network.c b/src/network.c
+index 551bd5c..cb979b2 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -1444,6 +1444,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
+                                printed_ignore_warning = 1;
+                        }
+                        buffer = ((char *) buffer) + pkg_length;
++                       buffer_size -= (size_t) pkg_length;
+                        continue;
+                }
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1471,6 +1472,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
+                                printed_ignore_warning = 1;
+                        }
+                        buffer = ((char *) buffer) + pkg_length;
++                       buffer_size -= (size_t) pkg_length;
+                        continue;
+                }
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1612,6 +1614,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
+                        DEBUG ("network plugin: parse_packet: Unknown part"
+                                        " type: 0x%04hx", pkg_type);
+                        buffer = ((char *) buffer) + pkg_length;
++                       buffer_size -= (size_t) pkg_length;
+                }
+        } /* while (buffer_size > sizeof (part_header_t)) */
+ 
+-- 
+2.7.4
+
diff --git a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
index d7ba5b79c..34edecfba 100644
--- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
+++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
            file://collectd.service \
            file://0001-conditionally-check-libvirt.patch \
            file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
+           file://CVE-2016-6254.patch \
 "
 SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
 SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"