Bug 322457 (CVE-2010-2060) - <app-misc/beanstalkd-1.4.6: Remote command injection (CVE-2010-2060)
Summary: <app-misc/beanstalkd-1.4.6: Remote command injection (CVE-2010-2060)
Status: RESOLVED FIXED
Alias: CVE-2010-2060
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://kr.github.com/beanstalkd/2010/...
Whiteboard: B1? [glsa]
Keywords:
Depends on: 310033
Blocks:
Reported: 2010-06-02 09:07 UTC by Johan Bergström
Modified: 2014-12-12 00:32 UTC

See Also:
Package list:
Runtime testing required: ---


Description Johan Bergström 2010-06-02 09:07:28 UTC
From changelog:
The put command now discards the entire job body before returning JOB_TOO_BIG. Previously, it interpreted the job body as commands. This was a potential security hole, where malicious users could craft job payload data to inject commands without cooperation from the beanstalk client application.

See version bump request at bug #310033
Comment 1 Patrick Lauer gentoo-dev 2010-06-02 09:24:21 UTC
Ebuilds for 1.4.6 committed
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-03 12:40:53 UTC
Thanks for the report.

What is meant by "remote command injection" here? Is this arbitrary shell code, i.e. "remote execution of arbitrary code", or just commands for the tool itself?
Comment 3 Johan Bergström 2010-06-04 16:22:16 UTC
Tobias,
this command injection was only within beanstalkd, so users could for example do something in the style of:
put <magic data that will enable execution> <insert beanstalkd command here>
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-15 20:45:19 UTC
closing without GLSA as this is not stable on any arch
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-15 21:11:38 UTC
CVE-2010-2060 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2060):
  The put command functionality in beanstalkd 1.4.5 and earlier allows
  remote attackers to execute arbitrary Beanstalk commands via the body
  in a job that is too big, which is not properly handled by the
  dispatch_cmd function in prot.c.

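Worked illustration of the flaw that both the changelog quoted in the description and the CVE text above describe. This is an added example, not code from beanstalkd's prot.c: it simulates only as much of the wire protocol (put and delete, plus the JOB_TOO_BIG, INSERTED, DELETED, NOT_FOUND, BAD_FORMAT and UNKNOWN_COMMAND replies) as is needed to show the issue. The client library is honest about the byte count it sends; the attacker controls only the job data. The two reader modes differ in exactly one line, whether an oversized body is consumed before JOB_TOO_BIG is sent. MAX_JOB_SIZE, the command subset and the sample byte stream are constructed for the demo.

```python
"""
Constructed simulation of the CVE-2010-2060 'put' parsing flaw.
Not beanstalkd code: a minimal reader that models only the
on-the-wire behaviour the advisory describes.
"""

# Assumed limit, kept tiny so the demo payload stays short.
# (beanstalkd's real default max-job-size is 65535 bytes, set with -z.)
MAX_JOB_SIZE = 32


def build_put(body: bytes, pri: int = 0, delay: int = 0, ttr: int = 120) -> bytes:
    """Encode a put the way a well-behaved client library does:
    'put <pri> <delay> <ttr> <bytes>\\r\\n<data>\\r\\n'.
    The client reports the true length; the attacker controls only <data>."""
    return b"put %d %d %d %d\r\n%s\r\n" % (pri, delay, ttr, len(body), body)


def run_server(stream: bytes, discard_oversized_body: bool):
    """Feed one client's byte stream to a minimal beanstalkd-style reader.

    discard_oversized_body=False models 1.4.5 and earlier: JOB_TOO_BIG is
    sent as soon as the header is parsed and the body stays in the buffer,
    where it is then read as further command lines.
    discard_oversized_body=True models 1.4.6: the whole body plus its
    trailing CRLF is consumed before JOB_TOO_BIG is sent.

    Returns (commands_executed, replies_sent).
    """
    executed, replies = [], []
    jobs = {}  # job id -> body
    next_id = 1
    pos = 0
    while True:
        end = stream.find(b"\r\n", pos)
        if end < 0:
            break  # incomplete line: a real server would wait for more data
        words = stream[pos:end].split()
        pos = end + 2
        cmd = words[0] if words else b""
        if cmd == b"put":
            if len(words) != 5 or not all(w.isdigit() for w in words[1:]):
                replies.append("BAD_FORMAT")
                continue
            size = int(words[4])
            if size > MAX_JOB_SIZE:
                if discard_oversized_body:
                    pos += size + 2  # the fix: skip <data> and its CRLF
                replies.append("JOB_TOO_BIG")
                continue
            jobs[next_id] = stream[pos:pos + size]
            pos += size + 2
            executed.append(("put", next_id))
            replies.append("INSERTED %d" % next_id)
            next_id += 1
        elif cmd == b"delete" and len(words) == 2 and words[1].isdigit():
            job_id = int(words[1])
            if jobs.pop(job_id, None) is None:
                replies.append("NOT_FOUND")
            else:
                executed.append(("delete", job_id))
                replies.append("DELETED")
        else:
            replies.append("UNKNOWN_COMMAND")
    return executed, replies


def demo(discard_oversized_body: bool):
    """A trusted application enqueues one real job, then enqueues data that
    came from an untrusted user. The user made the data oversized and hid a
    'delete 1' line inside it (constructed sample stream)."""
    attacker_data = b"A" * (MAX_JOB_SIZE + 1) + b"\r\ndelete 1\r\n"
    stream = build_put(b"real work item") + build_put(attacker_data)
    return run_server(stream, discard_oversized_body)


if __name__ == "__main__":
    for label, fixed in (("1.4.5-style reader", False), ("1.4.6-style reader", True)):
        executed, replies = demo(fixed)
        print(label, "executed:", executed, "replies:", replies)
```

With the 1.4.5-style reader the `delete 1` hidden in the rejected body is executed and the client sees extra replies it never asked for; with the 1.4.6-style reader only the real put runs and the client sees exactly INSERTED and JOB_TOO_BIG. The practical point for operators is that any path by which untrusted bytes reach a put body on a pre-1.4.6 daemon is a protocol-level injection even when the client library is correct, because the body is opaque data by design; upgrading the daemon is the fix, and capping body size on the client side against the daemon's limit merely keeps the oversized header from being sent in the first place.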
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-02 10:39:37 UTC
Reopening as bug 288103 has made 1.3 stable meanwhile.

Patrick, can 1.4.6 go stable?
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-02 10:39:51 UTC
Actually reopening.
Comment 8 Johan Bergström 2010-08-03 08:01:57 UTC
I think this version is suitable for stablereq
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2010-08-17 08:03:58 UTC
x86 stable
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2010-08-17 17:19:10 UTC
amd64 done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 18:36:11 UTC
GLSA Vote: Yes.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 17:07:46 UTC
GLSA request filed. Why did it just get a severity of B4?!
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:32:23 UTC
This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).