Bug 1360709 - (CVE-2016-6254) CVE-2016-6254 collectd: heap overflow in the network plugin
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20160726,repor...
Keywords: Security
Depends On: 1395690 1360710 1360711 1364915 1366931 1366932 1366933 1366934
Blocks: 1360712
Reported: 2016-07-27 07:24 EDT by Martin Prpič
Modified: 2017-02-06 00:26 EST
Fixed In Version: collectd 5.5.2, collectd 5.4.3
Doc Text:
A heap-based buffer overflow flaw was found in collectd's network plugin. The flaw allowed a remote attacker to crash the collectd daemon (denial of service) or possibly execute remote code using a crafted network packet. For this flaw to be exploited, the network plugin must be enabled.
Last Closed: 2017-02-06 00:26:40 EST
Description Martin Prpič 2016-07-27 07:24:35 EDT
The following flaw was found in collectd:

Emilien Gaspar has identified a heap overflow in collectd's network plugin which can be triggered remotely and is potentially exploitable. The identifier CVE-2016-6254 has been assigned to this issue.

This issue has been fixed in the released 5.5.2 and 5.4.3.

Upstream patches:

https://github.com/collectd/collectd/commit/b589096f907052b3a4da2b9ccc9b0e2e888dfc18
https://github.com/collectd/collectd/commit/8b4fed9940e02138b7e273e56863df03d1a39ef7

The second patch is unrelated to CVE-2016-6254. It fixes an initialization issue with libgcrypt which could theoretically lead to a half-initialized library being used.
Comment 1 Martin Prpič 2016-07-27 07:25:30 EDT
Created collectd tracking bugs for this issue:

Affects: fedora-all [bug 1360710]
Affects: epel-all [bug 1360711]
