Heap overflow in the network plugin (CVE-2016-6254)

Related Vulnerabilities: CVE-2016-6254  

Debian Bug report logs - #832507


Package: collectd; Maintainer for collectd is Sebastian Harl <tokkee@debian.org>; Source for collectd is src:collectd.

Reported by: Florian Forster <octo@collectd.org>

Date: Tue, 26 Jul 2016 08:51:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version collectd/5.1.0-3

Fixed in versions collectd/5.5.2-1, collectd/5.4.1-6+deb8u1

Done: Sebastian Harl <tokkee@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sebastian Harl <tokkee@debian.org>:
Bug#832507; Package collectd. (Tue, 26 Jul 2016 08:51:06 GMT)


Acknowledgement sent to Florian Forster <octo@collectd.org>:
New Bug report received and forwarded. Copy sent to Sebastian Harl <tokkee@debian.org>. (Tue, 26 Jul 2016 08:51:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Florian Forster <octo@collectd.org>
To: submit@bugs.debian.org
Subject: Heap overflow in the network plugin
Date: Tue, 26 Jul 2016 10:48:58 +0200
Package: collectd
Version: 5.1.0-3
Severity: important
Tags: patch, security, upstream, fixed-upstream

Emilien Gaspar has identified a heap overflow in collectd's network
plugin which can be triggered remotely and is potentially exploitable.
The identifier CVE-2016-6254 has been assigned to this issue.

This issue has been fixed in the released 5.5.2 and 5.4.3.
Please update the version provided by Debian to a non-vulnerable
version.

For the oldstable and stable branches, please add the following patches
to fix the issue:

https://github.com/collectd/collectd/commit/b589096f907052b3a4da2b9ccc9b0e2e888dfc18
https://github.com/collectd/collectd/commit/8b4fed9940e02138b7e273e56863df03d1a39ef7

The second patch is unrelated to CVE-2016-6254. It fixes an
initialization issue with libgcrypt which could theoretically lead to a
half-initialized library being used.

Best regards,
—octo
-- 
collectd – The system statistics collection daemon
Website: http://collectd.org
Google+: http://collectd.org/+
GitHub:  https://github.com/collectd
Twitter: http://twitter.com/collectd

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#832507; Package collectd. (Wed, 27 Jul 2016 08:03:03 GMT)


Acknowledgement sent to Sebastian Harl <tokkee@debian.org>:
Extra info received and forwarded to list. (Wed, 27 Jul 2016 08:03:03 GMT)


Message #10 received at 832507@bugs.debian.org:

From: Sebastian Harl <tokkee@debian.org>
To: Florian Forster <octo@collectd.org>, 832507@bugs.debian.org
Subject: Re: Bug#832507: Heap overflow in the network plugin
Date: Wed, 27 Jul 2016 09:55:18 +0200
Hi,

On Tue, Jul 26, 2016 at 10:48:58AM +0200, Florian Forster wrote:
> Emilien Gaspar has identified a heap overflow in collectd's network
> plugin which can be triggered remotely and is potentially exploitable.
> The identifier CVE-2016-6254 has been assigned to this issue.
> 
> This issue has been fixed in the released 5.5.2 and 5.4.3.
> Please update the version provided by Debian to a non-vulnerable
> version.
> 
> For the oldstable and stable branches, please add the following patches
> to fix the issue:
> 
> https://github.com/collectd/collectd/commit/b589096f907052b3a4da2b9ccc9b0e2e888dfc18

Thank you for reporting this.

> https://github.com/collectd/collectd/commit/8b4fed9940e02138b7e273e56863df03d1a39ef7
> 
> The second patch is unrelated to CVE-2016-6254. It fixes an
> initialization issue with libgcrypt which could theoretically lead to a
> half-initialized library being used.

I've reported a separate bug for this issue:
https://bugs.debian.org/832577

Cheers,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin


Changed Bug title to 'Heap overflow in the network plugin (CVE-2016-6254)' from 'Heap overflow in the network plugin'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Jul 2016 10:42:06 GMT)


Reply sent to Sebastian Harl <tokkee@debian.org>:
You have taken responsibility. (Fri, 29 Jul 2016 06:21:11 GMT)


Notification sent to Florian Forster <octo@collectd.org>:
Bug acknowledged by developer. (Fri, 29 Jul 2016 06:21:11 GMT)


Message #17 received at 832507-close@bugs.debian.org:

From: Sebastian Harl <tokkee@debian.org>
To: 832507-close@bugs.debian.org
Subject: Bug#832507: fixed in collectd 5.5.2-1
Date: Fri, 29 Jul 2016 06:18:34 +0000
Source: collectd
Source-Version: 5.5.2-1

We believe that the bug you reported is fixed in the latest version of
collectd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832507@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Harl <tokkee@debian.org> (supplier of updated collectd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 29 Jul 2016 00:02:11 +0200
Source: collectd
Binary: collectd-core collectd collectd-utils collectd-dbg collectd-dev libcollectdclient-dev libcollectdclient1
Architecture: source
Version: 5.5.2-1
Distribution: unstable
Urgency: high
Maintainer: Sebastian Harl <tokkee@debian.org>
Changed-By: Sebastian Harl <tokkee@debian.org>
Description:
 collectd   - statistics collection and monitoring daemon
 collectd-core - statistics collection and monitoring daemon (core system)
 collectd-dbg - statistics collection and monitoring daemon (debugging symbols)
 collectd-dev - statistics collection and monitoring daemon (development files)
 collectd-utils - statistics collection and monitoring daemon (utilities)
 libcollectdclient-dev - client library for collectd's control interface (development file
 libcollectdclient1 - client library for collectd's control interface
Closes: 829634 832507 832577
Changes:
 collectd (5.5.2-1) unstable; urgency=high
 .
   * New upstream release.
     - Fix heap overflow in the network plugin. Emilien Gaspar has identified a
       heap overflow in parse_packet(), the function used by the network plugin
       to parse incoming network packets. Thanks to Florian Forster for
       reporting the bug in Debian. (Closes: #832507, CVE-2016-6254)
     - Fix improper usage of gcry_control. A team of security researchers at
       Columbia University and the University of Virginia discovered that
       GCrypt's gcry_control is sometimes called without checking its return
       value for an error. This may cause the program to be initialized without
       the desired, secure settings. (Closes: #832577)
   * debian/patches:
     - bts832577-gcry-control.patch: Update for 5.5.2. Mostly part of the new
       upstream release, except for: Don't abort() if gcrypt initialization
       failed.
     - Drop bts823012_librrd8.patch; merged upstream.
   * Rebuild with linux-libc-dev >= 4.6 (now in testing and unstable) to
     accommodate a change to rtnl_link_stats64. Thanks to Gábor Gombás for
     reporting this (Closes: #829634).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Reply sent to Sebastian Harl <tokkee@debian.org>:
You have taken responsibility. (Sat, 17 Sep 2016 19:54:15 GMT)


Notification sent to Florian Forster <octo@collectd.org>:
Bug acknowledged by developer. (Sat, 17 Sep 2016 19:54:15 GMT)


Message #22 received at 832507-close@bugs.debian.org:

From: Sebastian Harl <tokkee@debian.org>
To: 832507-close@bugs.debian.org
Subject: Bug#832507: fixed in collectd 5.4.1-6+deb8u1
Date: Sat, 17 Sep 2016 19:32:09 +0000
Source: collectd
Source-Version: 5.4.1-6+deb8u1

We believe that the bug you reported is fixed in the latest version of
collectd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832507@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Harl <tokkee@debian.org> (supplier of updated collectd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 28 Jul 2016 22:25:08 +0200
Source: collectd
Binary: collectd-core collectd collectd-utils collectd-dbg collectd-dev libcollectdclient-dev libcollectdclient1
Architecture: source amd64 all
Version: 5.4.1-6+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Sebastian Harl <tokkee@debian.org>
Changed-By: Sebastian Harl <tokkee@debian.org>
Description:
 collectd   - statistics collection and monitoring daemon
 collectd-core - statistics collection and monitoring daemon (core system)
 collectd-dbg - statistics collection and monitoring daemon (debugging symbols)
 collectd-dev - statistics collection and monitoring daemon (development files)
 collectd-utils - statistics collection and monitoring daemon (utilities)
 libcollectdclient-dev - client library for collectd's control interface (development file
 libcollectdclient1 - client library for collectd's control interface
Closes: 832507 832577
Changes:
 collectd (5.4.1-6+deb8u1) jessie-security; urgency=high
 .
   * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network
     plugin. Emilien Gaspar has identified a heap overflow in parse_packet(),
     the function used by the network plugin to parse incoming network packets.
     Thanks to Florian Forster for reporting the bug in Debian.
     (Closes: #832507, CVE-2016-6254)
   * debian/patches/bts832577-gcry-control.dpatch: Fix improper usage of
     gcry_control. A team of security researchers at Columbia University and
     the University of Virginia discovered that GCrypt's gcry_control is
     sometimes called without checking its return value for an error. This may
     cause the program to be initialized without the desired, secure settings.
     (Closes: #832577)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 02 Nov 2016 07:25:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:15:31 2019; Machine Name: buxtehude
