Bug 1516447 (CVE-2017-16820)

Summary: CVE-2017-16820 collectd: double free in csnmp_read_table function in snmp.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, bmcclain, chrisw, dblechte, eedri, gregswift, jbadiapa, jjoyce, jschluet, jskarvad, kbasil, kevin, lars, lhh, lpeer, mail, markmc, mburns, mgoldboi, mhlavink, michal.skrivanek, mmagr, mrunge, rbryant, rmccabe, ruben, sbonazzo, sclewis, sherold, sisharma, slinaber, ssaha, tdecacqu, vbellur, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: collectd 5.8.0, collectd 5.6.3 Doc Type: If docs needed, set a value
Doc Text:
A double-free vulnerability was found in the csnmp_read_table function in the SNMP plugin of collectd. A network-based attacker could exploit this by sending malformed data, causing collectd to crash or possibly other impact.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:31:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1516449, 1516450, 1516451, 1517567, 1517568, 1540409, 1541204, 1550290, 1558823, 1558834, 1558835    
Bug Blocks: 1516452    

Description Pedro Sampaio 2017-11-22 16:07:48 UTC 
The csnmp_read_table function in snmp.c in the SNMP plugin in collectd before 5.6.3 is susceptible to a double free in a certain error case, which could lead to a crash (or potentially have other impact).

Upstream bug:

https://github.com/collectd/collectd/issues/2291

Upstream patch:

https://github.com/collectd/collectd/commit/d16c24542b2f96a194d43a73c2e5778822b9cb47

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881757
Comment 1 Pedro Sampaio 2017-11-22 16:08:51 UTC 
Created collectd tracking bugs for this issue:

Affects: epel-6 [bug 1516449]
Affects: epel-7 [bug 1516450]
Affects: fedora-all [bug 1516451]
Comment 2 Joshua Padman 2017-11-23 05:59:38 UTC 
Versions 5.7.x are vulnerable too.

Conditions exist in OSP11/12 package collectd-5.7.2-1.1.el7ost. Still completing analysis.
Comment 3 Joshua Padman 2017-11-24 05:59:18 UTC 
Still determining severity for OSP. collectd was tech preview in 7-9 so marking won't fix for those.
Comment 4 Joshua Padman 2017-11-26 22:10:26 UTC 
collectd is in tech preview in OSP10 as well, marked accordingly.

Fixing in OSP11-12 partly because the security risk but also as a reasonable use case also has potential to crash the application.
Comment 6 errata-xmlrpc 2018-01-30 21:08:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 12.0 Operational Tools for RHEL 7

Via RHSA-2018:0252 https://access.redhat.com/errata/RHSA-2018:0252
Comment 10 errata-xmlrpc 2018-02-13 16:12:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 11.0 Operational Tools for RHEL 7

Via RHSA-2018:0299 https://access.redhat.com/errata/RHSA-2018:0299
Comment 13 errata-xmlrpc 2018-03-20 16:35:43 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7
  Red Hat Virtualization Engine 4.1

Via RHSA-2018:0560 https://access.redhat.com/errata/RHSA-2018:0560
Comment 16 errata-xmlrpc 2018-05-17 15:26:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 Operational Tools for RHEL 7

Via RHSA-2018:1605 https://access.redhat.com/errata/RHSA-2018:1605
Comment 18 errata-xmlrpc 2018-09-04 06:39:04 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.4 for RHEL 7

Via RHSA-2018:2615 https://access.redhat.com/errata/RHSA-2018:2615