collectd: upstream fix for vulnerability in network plugin

Import an upstream fix for a DDoS vulnerability in the network plugin: CVE-2017-7401 Refresh patches. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

collectd: upstream fix for vulnerability in network plugin
b7ae80dc · Hannu Nyman · 6a50d475 · b7ae80dc · b7ae80dc · b7ae80dc
Commit b7ae80dc authored 7 years ago by Hannu Nyman
--- a/utils/collectd/Makefile
+++ b/utils/collectd/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=collectd
 PKG_VERSION:=5.7.1
-PKG_RELEASE:=4
+PKG_RELEASE:=5

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://collectd.org/files/ \

--- a/utils/collectd/patches/050-upstream-fix-for-network-plugin-ddos.patch
+++ b/utils/collectd/patches/050-upstream-fix-for-network-plugin-ddos.patch
+From f6be4f9b49b949b379326c3d7002476e6ce4f211 Mon Sep 17 00:00:00 2001
+From: Pavel Rochnyack <pavel2000@ngs.ru>
+Date: Mon, 3 Apr 2017 11:57:09 +0600
+Subject: [PATCH] network plugin: Fix endless loop DOS in parse_packet()
+
+When correct 'Signature part' is received by Collectd, configured without
+AuthFile option, condition for endless loop occurs due to missing increase
+of pointer to next unprocessed part.
+
+Fixes: CVE-2017-7401
+
+Signed-off-by: Florian Forster <octo@collectd.org>
+
+
+--- a/src/network.c
+++ b/src/network.c
+@@ -1003,14 +1003,6 @@ static int parse_part_sign_sha256(socken
+   buffer_len = *ret_buffer_len;
+   buffer_offset = 0;
+ 
+-  if (se->data.server.userdb == NULL) {
+-    c_complain(
+-        LOG_NOTICE, &complain_no_users,
+-        "network plugin: Received signed network packet but can't verify it "
+-        "because no user DB has been configured. Will accept it.");
+-    return (0);
+-  }
+-
+   /* Check if the buffer has enough data for this structure. */
+   if (buffer_len <= PART_SIGNATURE_SHA256_SIZE)
+     return (-ENOMEM);
+@@ -1027,6 +1019,18 @@ static int parse_part_sign_sha256(socken
+     return (-1);
+   }
+ 
+  if (se->data.server.userdb == NULL) {
+    c_complain(
+        LOG_NOTICE, &complain_no_users,
+        "network plugin: Received signed network packet but can't verify it "
+        "because no user DB has been configured. Will accept it.");
+
+    *ret_buffer = buffer + pss_head_length;
+    *ret_buffer_len -= pss_head_length;
+
+    return (0);
+  }
+
+   /* Copy the hash. */
+   BUFFER_READ(pss.hash, sizeof(pss.hash));
+ 
--- a/utils/collectd/patches/700-disable-sys-capability-check.patch
+++ b/utils/collectd/patches/700-disable-sys-capability-check.patch
 --- a/configure.ac
 +++ b/configure.ac
-@@ -833,10 +833,7 @@
+@@ -830,10 +830,7 @@ fi
 have_cpuid_h="no"
 AC_CHECK_HEADERS(cpuid.h, [have_cpuid_h="yes"])
 

--- a/utils/collectd/patches/900-add-iwinfo-plugin.patch
+++ b/utils/collectd/patches/900-add-iwinfo-plugin.patch
@@ -10,7 +10,7 @@
 # For the turbostat plugin
 have_asm_msrindex_h="no"
 AC_CHECK_HEADERS(asm/msr-index.h, [have_asm_msrindex_h="yes"])
-@@ -5946,6 +5949,7 @@ plugin_interface="no"
+@@ -5943,6 +5946,7 @@ plugin_interface="no"
 plugin_ipmi="no"
 plugin_ipvs="no"
 plugin_irq="no"
@@ -18,7 +18,7 @@
 plugin_load="no"
 plugin_log_logstash="no"
 plugin_memory="no"
-@@ -6416,6 +6420,7 @@ AC_PLUGIN([ipmi],                [$plugi
+@@ -6413,6 +6417,7 @@ AC_PLUGIN([ipmi],                [$plugi
 AC_PLUGIN([iptables],            [$with_libiptc],           [IPTables rule counters])
 AC_PLUGIN([ipvs],                [$plugin_ipvs],            [IPVS connection statistics])
 AC_PLUGIN([irq],                 [$plugin_irq],             [IRQ statistics])
@@ -26,7 +26,7 @@
 AC_PLUGIN([java],                [$with_java],              [Embed the Java Virtual Machine])
 AC_PLUGIN([load],                [$plugin_load],            [System load])
 AC_PLUGIN([log_logstash],        [$plugin_log_logstash],    [Logstash json_event compatible logging])
-@@ -6797,6 +6802,7 @@ AC_MSG_RESULT([    libyajl . . . . . . .
+@@ -6794,6 +6799,7 @@ AC_MSG_RESULT([    libyajl . . . . . . .
 AC_MSG_RESULT([    oracle  . . . . . . . $with_oracle])
 AC_MSG_RESULT([    protobuf-c  . . . . . $have_protoc_c])
 AC_MSG_RESULT([    protoc 3  . . . . . . $have_protoc3])
@@ -34,7 +34,7 @@
 AC_MSG_RESULT()
 AC_MSG_RESULT([  Features:])
 AC_MSG_RESULT([    daemon mode . . . . . $enable_daemon])
-@@ -6853,6 +6859,7 @@ AC_MSG_RESULT([    ipmi  . . . . . . . .
+@@ -6850,6 +6856,7 @@ AC_MSG_RESULT([    ipmi  . . . . . . . .
 AC_MSG_RESULT([    iptables  . . . . . . $enable_iptables])
 AC_MSG_RESULT([    ipvs  . . . . . . . . $enable_ipvs])
 AC_MSG_RESULT([    irq . . . . . . . . . $enable_irq])