Bug 428776 (CVE-2012-3448) - <sys-cluster/ganglia-3.3.7: Unspecified PHP Code Execution Vulnerability (CVE-2012-3448)
Summary: <sys-cluster/ganglia-3.3.7: Unspecified PHP Code Execution Vulnerability (CVE...
Status: RESOLVED FIXED
Alias: CVE-2012-3448
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/50047/
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 433048
Depends on:
Blocks:
 
Reported: 2012-07-31 09:01 UTC by Agostino Sarubbo
Modified: 2014-12-12 00:43 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2012-07-31 09:01:52 UTC
Description
A vulnerability has been reported in Ganglia, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary PHP code.

The vulnerability is reported in versions 3.1.7 through 3.5.0. Other versions may also be affected.


Solution
Update to version 3.5.1.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-02 01:58:52 UTC
CVE assignment per http://www.openwall.com/lists/oss-security/2012/08/02/1
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-08-07 01:02:36 UTC
CVE-2012-3448 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3448):
  Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote
  attackers to execute arbitrary PHP code via unknown attack vectors.
Comment 3 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-02 19:48:45 UTC
*** Bug 433048 has been marked as a duplicate of this bug. ***
Comment 4 Justin Bronder (RETIRED) gentoo-dev 2012-09-04 03:39:09 UTC
*ganglia-web-3.5.2 (04 Sep 2012)

  04 Sep 2012; Justin Bronder <jsbronder@gentoo.org> +ganglia-web-3.5.2.ebuild,
  +metadata.xml:
  Add sys-cluster/ganglia-web to match upstream development. Resolves #428776
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-09-04 16:07:29 UTC
(In reply to comment #4)
> *ganglia-web-3.5.2 (04 Sep 2012)
> 
>   04 Sep 2012; Justin Bronder <jsbronder@gentoo.org>
> +ganglia-web-3.5.2.ebuild,
>   +metadata.xml:
>   Add sys-cluster/ganglia-web to match upstream development. Resolves #428776

Thanks, Justin. So ganglia-web replaces ganglia? And are we ready to stabilize 3.5.2?
Comment 6 Justin Bronder (RETIRED) gentoo-dev 2012-09-04 17:14:47 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > *ganglia-web-3.5.2 (04 Sep 2012)
> > 
> >   04 Sep 2012; Justin Bronder <jsbronder@gentoo.org>
> > +ganglia-web-3.5.2.ebuild,
> >   +metadata.xml:
> >   Add sys-cluster/ganglia-web to match upstream development. Resolves #428776
> 
> Thanks, Justin. So ganglia-web replaces ganglia? And are we ready to
> stabilize 3.5.2?

ganglia-web replaces the web component of ganglia which had this vulnerability. I'd like to let the two sit in the tree for a couple of weeks just to get some usage before going for stable as this is a decent sized change to how things were being packaged.

However, if the security team thinks this vulnerability should be addressed now, then I have no problem with going ahead with stabilization.
Comment 7 Justin Bronder (RETIRED) gentoo-dev 2012-09-17 13:01:49 UTC
Been a couple of weeks with no bugs, please feel free to go forward with stabilization.
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-17 14:34:47 UTC
Targets:
=sys-cluster/ganglia-3.4.0 amd64 ppc x86
=sys-cluster/ganglia-web-3.5.2 amd64 ppc x86
Comment 9 Andreas Schürch gentoo-dev 2012-09-19 05:26:17 UTC
(In reply to comment #8)
> Targets:
> =sys-cluster/ganglia-3.4.0 amd64 ppc x86

There is no ganglia-3.4.0 in the tree up to now!?
# ls /usr/portage/sys-cluster/ganglia
ChangeLog  Manifest  files  ganglia-3.2.0.ebuild  ganglia-3.3.7.ebuild  metadata.xml
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-19 05:47:12 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > Targets:
> > =sys-cluster/ganglia-3.4.0 amd64 ppc x86
> 
> There is no ganglia-3.4.0 in the tree up to now!?
> # ls /usr/portage/sys-cluster/ganglia
> ChangeLog  Manifest  files  ganglia-3.2.0.ebuild  ganglia-3.3.7.ebuild 
> metadata.xml

You're right. Sorry for that, I've looked in the wrong place.
Correct targets:
=sys-cluster/ganglia-3.3.7 amd64 ppc x86
=sys-cluster/ganglia-web-3.5.2 amd64 ppc x86
Comment 11 Andreas Schürch gentoo-dev 2012-09-19 13:01:38 UTC
x86 done.
Comment 12 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-09-21 21:02:43 UTC
=sys-cluster/ganglia-3.3.7 tested on amd64.
Apart from bug 435784, everything looks fine.
Comment 13 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-09-21 21:09:33 UTC
=sys-cluster/ganglia-web-3.5.2 tested on amd64.
Comment 14 Agostino Sarubbo gentoo-dev 2012-09-22 12:13:33 UTC
amd64 stable
Comment 15 Anthony Basile gentoo-dev 2012-09-22 13:49:40 UTC
stable ppc
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-22 18:29:14 UTC
Thanks, everyone.

Filing a new GLSA request.
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:43:42 UTC
This issue was resolved and addressed in
 GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml
by GLSA coordinator Sean Amoss (ackle).