collectd: CVE-2016-6254

Heap-based buffer overflow in the parse_packet function in network.c in collectd before 5.4.3 and 5.x before 5.5.2 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted network packet. Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2026-05-19 00:36:44 +00:00 · 2016-09-07 12:34:11 +03:00 · 2016-09-07 12:34:11 +03:00 · 4fad615950
commit 4fad615950
parent 2f157021ff
2 changed files with 56 additions and 0 deletions
--- a/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
+++ b/meta-oe/recipes-extended/collectd/collectd/CVE-2016-6254.patch
@ -0,0 +1,55 @@
+From dd8483a4beb6f61521d8b32c726523bbea21cd92 Mon Sep 17 00:00:00 2001
+From: Florian Forster <octo@collectd.org>
+Date: Tue, 19 Jul 2016 10:00:37 +0200
+Subject: [PATCH] network plugin: Fix heap overflow in parse_packet().
+
+Emilien Gaspar has identified a heap overflow in parse_packet(), the
+function used by the network plugin to parse incoming network packets.
+
+This is a vulnerability in collectd, though the scope is not clear at
+this point. At the very least specially crafted network packets can be
+used to crash the daemon. We can't rule out a potential remote code
+execution though.
+
+Fixes: CVE-2016-6254
+
+cherry picked from upstream commit b589096f
+
+Upstream Status: Backport
+
+Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
+---
+ src/network.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/network.c b/src/network.c
+index 551bd5c..cb979b2 100644
+--- a/src/network.c
+++ b/src/network.c
+@@ -1444,6 +1444,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
+ 				printed_ignore_warning = 1;
+ 			}
+ 			buffer = ((char *) buffer) + pkg_length;
+			buffer_size -= (size_t) pkg_length;
+ 			continue;
+ 		}
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1471,6 +1472,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
+ 				printed_ignore_warning = 1;
+ 			}
+ 			buffer = ((char *) buffer) + pkg_length;
+			buffer_size -= (size_t) pkg_length;
+ 			continue;
+ 		}
+ #endif /* HAVE_LIBGCRYPT */
+@@ -1612,6 +1614,7 @@ static int parse_packet (sockent_t *se, /* {{{ */
+ 			DEBUG ("network plugin: parse_packet: Unknown part"
+ 					" type: 0x%04hx", pkg_type);
+ 			buffer = ((char *) buffer) + pkg_length;
+			buffer_size -= (size_t) pkg_length;
+ 		}
+ 	} /* while (buffer_size > sizeof (part_header_t)) */
+ 
+-- 
+2.7.4
+
--- a/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
+++ b/meta-oe/recipes-extended/collectd/collectd_5.5.0.bb
@ -13,6 +13,7 @@ SRC_URI = "http://collectd.org/files/collectd-${PV}.tar.bz2 \
           file://collectd.service \
           file://0001-conditionally-check-libvirt.patch \
           file://0001-collectd-replace-deprecated-readdir_r-with-readdir.patch \
+           file://CVE-2016-6254.patch \
 "
 SRC_URI[md5sum] = "c39305ef5514b44238b0d31f77e29e6a"
 SRC_URI[sha256sum] = "847684cf5c10de1dc34145078af3fcf6e0d168ba98c14f1343b1062a4b569e88"