On Wed, Aug 03, 2016 at 03:14:02PM +0200, Sebastian Harl wrote:
> On Fri, Jul 29, 2016 at 09:43:39AM -0300, Lucas Kanashiro wrote:
> > On 07/28/2016 05:55 PM, Lucas Kanashiro wrote:
> > > On 07/28/2016 05:02 PM, Sebastian Harl wrote:
> > >> Thanks. I updated dla-needed.
> > >>
> > >> The fixed packages are ready for upload now. Please find the full
> > >> debdiff (source and binary) attached to this email. Note that the
> > >> (seemingly) added dependency on libxtables7 is a no-op. It's a virtual
> > >> package provided by iptables (which is a dependency already).
> > >> Apparently, there was some change after the original wheezy upload
> > >> that's causing this to now show up.
> > >>
> > >> Similarly, the new dependency on zlib1g shouldn't make a difference
> > >> either. The package has priority=required. Not sure why it's now showing
> > >> up in the dependencies but didn't previously.
> > >>
> > >> I'll wait for your "Go" to actually upload the package.
> > > Sure, until tomorrow I'll try to test it and give you feedback.
> > >
> > LGTM, I rebuilt the package and tested the upgrade in a clean wheezy
> > chroot and it worked well. I used the package a little bit and it seems good.
> > I did not try to exploit the vulnerabilities.
>
> It turns out this introduced a regression in Wheezy (#833013) which, in
> turn, uncovered a somewhat serious underlying issue. I'll go ahead and
> prepare a +deb7u2 upload to fix that issue (which will then also fix the
> regression).
I uploaded the fix as 5.1.0-3+deb7u2. Debdiff attached for reference.

Cheers,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin
diff -u collectd-5.1.0/debian/changelog collectd-5.1.0/debian/changelog --- collectd-5.1.0/debian/changelog +++ collectd-5.1.0/debian/changelog @@ -1,3 +1,14 @@ +collectd (5.1.0-3+deb7u2) wheezy-security; urgency=high + + * debian/patches/bts833013-gcry-init.dpatch: Fix initialization of + libgcrypt: Initialize the library before using any other functions to + ensure that thread-safety is set up appropriately. This fixes potential + crashes of the network plugin and a regression introduced in + 5.1.0-3+deb7u1 which ultimately surfaced the issue. Thanks to Antoine + Sirinelli for reporting this. (Closes: #833013) + + -- Sebastian Harl <tok...@debian.org> Wed, 03 Aug 2016 22:59:23 +0200 + collectd (5.1.0-3+deb7u1) wheezy-security; urgency=high * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network diff -u collectd-5.1.0/debian/patches/00list collectd-5.1.0/debian/patches/00list --- collectd-5.1.0/debian/patches/00list +++ collectd-5.1.0/debian/patches/00list @@ -1,5 +1,6 @@ CVE-2016-6254.dpatch bts832577-gcry-control.dpatch +bts833013-gcry-init.dpatch rrd_filter_path.dpatch collection_conf_path.dpatch bts559801_plugin_find_fix.dpatch only in patch2: unchanged: --- collectd-5.1.0.orig/debian/patches/bts833013-gcry-init.dpatch +++ collectd-5.1.0/debian/patches/bts833013-gcry-init.dpatch 
@@ -0,0 +1,113 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## bts833013-gcry-init.dpatch by Florian Forster <o...@collectd.org> +## Backported to 5.1.0 by Sebastian Harl <tok...@debian.org> +## Rebased on top of bts832577-gcry-control.dpatch +## +## DP: Make sure gcrypt is initialized before using any of its functions. +## DP: +## DP: @marekbecka found that gcrypt functionality is called during the +## DP: configuration phase, but the library is only initialized later during +## DP: the initialization phase. +## DP: +## DP: Upstream commits: +## DP: https://github.com/collectd/collectd/commit/0ec776a +## DP: https://github.com/collectd/collectd/commit/a3000cbe +## DP: Upstream report: +## DP: https://github.com/collectd/collectd/issues/273 + +@DPATCH@ + +diff a/src/network.c b/src/network.c +--- a/src/network.c ++++ b/src/network.c +@@ -476,6 +476,29 @@ + } /* }}} int network_dispatch_notification */ + + #if HAVE_LIBGCRYPT ++static int network_init_gcrypt (void) /* {{{ */ ++{ ++ gcry_error_t err; ++ ++ if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P)) ++ return (0); ++ ++ err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); ++ if (err) ++ { ++ ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err)); ++ return (-1); ++ } ++ err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0); ++ if (err) ++ { ++ ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err)); ++ return (-1); ++ } ++ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); ++ return (0); ++} /* }}} void network_init_gcrypt */ ++ + static gcry_cipher_hd_t network_get_aes256_cypher (sockent_t *se, /* {{{ */ + const void *iv, size_t iv_size, const char *username) + { +@@ -2011,6 +2034,13 @@ + { + if (se->data.client.security_level > SECURITY_LEVEL_NONE) + { ++ if (network_init_gcrypt () < 0) ++ { ++ ERROR ("network plugin: Cannot configure client socket with " ++ "security: Failed to initialize crypto library."); ++ return 
(-1); ++ } ++ + if ((se->data.client.username == NULL) + || (se->data.client.password == NULL)) + { +@@ -2029,6 +2059,13 @@ + { + if (se->data.server.security_level > SECURITY_LEVEL_NONE) + { ++ if (network_init_gcrypt () < 0) ++ { ++ ERROR ("network plugin: Cannot configure server socket with " ++ "security: Failed to initialize crypto library."); ++ return (-1); ++ } ++ + if (se->data.server.auth_file == NULL) + { + ERROR ("network plugin: Server socket with " +@@ -3345,7 +3382,6 @@ + static int network_init (void) + { + static _Bool have_init = 0; +- gcry_error_t err; + + /* Check if we were already initialized. If so, just return - there's + * nothing more to do (for now, that is). */ +@@ -3354,19 +3390,11 @@ + have_init = 1; + + #if HAVE_LIBGCRYPT +- err = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); +- if (err) +- { +- ERROR ("network plugin: gcry_control (GCRYCTL_SET_THREAD_CBS) failed: %s", gcry_strerror (err)); +- return (-1); +- } +- err = gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0); +- if (err) +- { +- ERROR ("network plugin: gcry_control (GCRYCTL_INIT_SECMEM) failed: %s", gcry_strerror (err)); +- return (-1); +- } +- gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); ++ if (network_init_gcrypt () < 0) ++ { ++ ERROR ("network plugin: Failed to initialize crypto library."); ++ return (-1); ++ } + #endif + + if (network_config_stats != 0)
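Review bot: in the first hunk of src/network.c the fold marker that closes the new helper reads `/* }}} void network_init_gcrypt */` while the function is declared `static int network_init_gcrypt (void)`; change the comment to `int` so it matches the signature. Two smaller points in the same hunk: the return value of `gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0)` is the only one of the three gcry_control calls that is not checked and logged, and the early `return (0)` taken when `GCRYCTL_ANY_INITIALIZATION_P` is already true means that if another library in the same process initialized gcrypt first, this function reports success without having installed `gcry_threads_pthread`, so thread safety then depends on whoever did that initialization. A DEBUG or NOTICE line on that early-return path would make the condition visible in the logs instead of silent.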
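Review bot: the client hunk at `@@ -2011,6 +2034,13 @@` and the server hunk at `@@ -2029,6 +2059,13 @@` add the same seven-line init-and-error block, differing only in the words "client socket" and "server socket" in the message; consider hoisting the `network_init_gcrypt ()` call into the common path both sockets take once `security_level > SECURITY_LEVEL_NONE`, so the two copies cannot drift apart later. The placement itself is right: gcrypt is now brought up before the username/password and auth_file checks that follow in each hunk, and sockets without security never touch it, which is what #833013 needs.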
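Review bot: in the `@@ -3354,19 +3390,11 @@` hunk of `network_init` the inline gcry_control sequence is replaced by a call to `network_init_gcrypt ()`, which already logs the specific `gcry_strerror` text on failure, so the added `ERROR ("network plugin: Failed to initialize crypto library.")` emits a second, less specific line for the same fault; either drop the outer message or accept the duplication knowingly. The call is also still unconditional, as the removed code was, so gcrypt gets initialized even when no socket has a security level above NONE; that preserves the old behaviour, but in every configuration with a secured socket the config-phase call has already run and this one is a no-op via the `GCRYCTL_ANY_INITIALIZATION_P` check. The removal of `gcry_error_t err;` in the preceding `@@ -3345,7 +3382,6 @@` hunk is consistent with this, since no remaining statement in `network_init` uses it.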