Bug 471894 (CVE-2013-2131) - <net-analyzer/rrdtool-1.4.8: Crashes on format string exploit (CVE-2013-2131)
Status: RESOLVED FIXED
Alias: CVE-2013-2131
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Depends on: 505344
Reported: 2013-05-31 10:12 UTC by Agostino Sarubbo
Modified: 2014-06-29 21:00 UTC
Description Agostino Sarubbo gentoo-dev 2013-05-31 10:12:58 UTC
From ${URL} :

Thomas Pollet (thomas.pollet@gmail.com) reports:

Also, the rrdtool python module crashes on format string exploit
$ python -c "import rrdtool
rrdtool.graph('/tmp/out.png','-f','%n%n')"
Segmentation fault

this module is used by zenoss to create graphs (zenoss users are able to
pass arguments to rrdtool).


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-02 21:28:55 UTC
Fix at [1], note that Red Hat is of the opinion [2] that this is not a security bug.

[1] https://github.com/oetiker/rrdtool-1.x/pull/397
[2] https://bugzilla.redhat.com/show_bug.cgi?id=969296#c6
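
A defensive check for the kind of input shown in the description, added here as an example; it is not the upstream change in [1] and not rrdtool code. It assumes, per the rrdgraph documentation, that the -f (--imginfo) value is used as a printf format with the arguments filename, xsize and ysize; the names imginfo_format_ok and render_imginfo are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 when fmt is safe for printf(fmt, filename, xsize, ysize) with a
 * char* followed by two unsigned longs, 0 otherwise. Accepted: literal text,
 * "%%", and the conversions "%s", "%lu", "%lu" in argument order (fewer is
 * fine). Flags, widths, '*', positional forms and every other conversion,
 * including %n, are rejected. */
int imginfo_format_ok(const char *fmt)
{
    static const char *const expected[] = { "s", "lu", "lu" };
    size_t next = 0;                /* index of the next argument consumed */

    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;               /* ordinary character */
        p++;
        if (*p == '%')
            continue;               /* "%%" consumes no argument */
        if (next >= 3)
            return 0;               /* more conversions than arguments */
        size_t len = strlen(expected[next]);
        if (strncmp(p, expected[next], len) != 0)
            return 0;               /* wrong type, %n, flags, or trailing '%' */
        p += len - 1;               /* loop increment steps past the last char */
        next++;
    }
    return 1;
}

/* Formats into out only if the caller-supplied format passes the check;
 * returns -1 without touching printf when it does not. */
int render_imginfo(char *out, size_t outlen, const char *fmt,
                   const char *filename, unsigned long w, unsigned long h)
{
    if (!imginfo_format_ok(fmt))
        return -1;
    return snprintf(out, outlen, fmt, filename, w, h);
}

int main(void)
{
    /* Constructed inputs: an image-tag template, then the value from the report. */
    const char *samples[] = { "<IMG SRC=\"%s\" WIDTH=\"%lu\" HEIGHT=\"%lu\">", "%n%n" };
    char buf[128];
    for (int i = 0; i < 2; i++)
        printf("%-45s -> %d\n", samples[i],
               render_imginfo(buf, sizeof buf, samples[i], "out.png", 400UL, 100UL));
    return 0;
}
```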
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-16 17:04:17 UTC
Arch teams, please test and mark stable:
=net-analyzer/rrdtool-1.4.8
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Agostino Sarubbo gentoo-dev 2014-03-18 16:08:10 UTC
ia64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-03-19 13:39:39 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-03-19 13:39:54 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-03-19 14:13:57 UTC
alpha stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-20 14:15:01 UTC
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2014-03-22 21:32:12 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-03-23 14:55:38 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-03-24 14:29:18 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-05-14 16:11:29 UTC
sparc stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2014-06-18 01:52:03 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-29 21:00:22 UTC
GLSA vote: no.

Closing as [noglsa].