CVE-2017-16820 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16820): The csnmp_read_table function in snmp.c in the SNMP plugin in collectd before 5.6.3 is susceptible to a double free in a certain error case, which could lead to a crash (or potentially have other impact).
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9a70b58bd58ff19395c55abbf0a2e620a5a56f3a commit 9a70b58bd58ff19395c55abbf0a2e620a5a56f3a Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2018-01-25 22:34:18 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2018-01-25 22:34:34 +0000 app-admin/collectd: bump, fixes CVE-2017-16820 & #628540 Ebuild changes: =============== - To address bug 628540, we no longer run collectd in daemon mode, instead we will run collectd everywhere in foreground and let the init system handle the PID file. - /run/collectd/ (default location for collectd's UNIX socket) is now maintained using tmpfiles service. Bug: https://bugs.gentoo.org/628540 Bug: https://bugs.gentoo.org/637538 Package-Manager: Portage-2.3.20, Repoman-2.3.6 app-admin/collectd/collectd-5.7.2-r1.ebuild | 541 +++++++++++++++++++++ .../files/collectd-5.7.2-CVE-2017-16820.patch | 39 ++ app-admin/collectd/files/collectd.confd-r2 | 49 ++ app-admin/collectd/files/collectd.initd-r2 | 70 +++ app-admin/collectd/files/collectd.tmpfile | 1 + 5 files changed, 700 insertions(+)}
Stabilization will happen in bug 628540.
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201803-10 at https://security.gentoo.org/glsa/201803-10 by GLSA coordinator Christopher Diaz Riveros (chrisadr).
