Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 428776 (CVE-2012-3448)

Summary: <sys-cluster/ganglia-3.3.7: Unspecified PHP Code Execution Vulnerability (CVE-2012-3448)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: cluster, jsbronder, SebastianLuther
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/50047/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-07-31 09:01:52 UTC 
Description
A vulnerability has been reported in Ganglia, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary PHP code.

The vulnerability is reported in versions 3.1.7 through 3.5.0. Other versions may also be affected.


Solution
Update to version 3.5.1.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-02 01:58:52 UTC 
CVE assignment per http://www.openwall.com/lists/oss-security/2012/08/02/1
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-08-07 01:02:36 UTC 
CVE-2012-3448 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3448):
  Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote
  attackers to execute arbitrary PHP code via unknown attack vectors.
Comment 3 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-02 19:48:45 UTC 
*** Bug 433048 has been marked as a duplicate of this bug. ***
Comment 4 Justin Bronder (RETIRED) gentoo-dev 2012-09-04 03:39:09 UTC 
*ganglia-web-3.5.2 (04 Sep 2012)

  04 Sep 2012; Justin Bronder <jsbronder@gentoo.org> +ganglia-web-3.5.2.ebuild,
  +metadata.xml:
  Add sys-cluster/ganglia-web to match upstream development. Resolves #428776
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-09-04 16:07:29 UTC 
(In reply to comment #4)
> *ganglia-web-3.5.2 (04 Sep 2012)
> 
>   04 Sep 2012; Justin Bronder <jsbronder@gentoo.org>
> +ganglia-web-3.5.2.ebuild,
>   +metadata.xml:
>   Add sys-cluster/ganglia-web to match upstream development. Resolves #428776

Thanks, Justin. So ganglia-web replaces ganglia? And are we ready to stabilize 3.5.2?
Comment 6 Justin Bronder (RETIRED) gentoo-dev 2012-09-04 17:14:47 UTC 
(In reply to comment #5)
> (In reply to comment #4)
> > *ganglia-web-3.5.2 (04 Sep 2012)
> > 
> >   04 Sep 2012; Justin Bronder <jsbronder@gentoo.org>
> > +ganglia-web-3.5.2.ebuild,
> >   +metadata.xml:
> >   Add sys-cluster/ganglia-web to match upstream development. Resolves #428776
> 
> Thanks, Justin. So ganglia-web replaces ganglia? And are we ready to
> stabilize 3.5.2?

ganglia-web replaces the web component of ganglia which had this vulnerability.  I'd like to let the two sit in the tree for a couple of weeks just to get some usage before going for stable as this is a decent sized change to how things were being packaged.

However, if the security team thinks this vulnerability should be addressed now, then I have no problem with going ahead with stabilization.
Comment 7 Justin Bronder (RETIRED) gentoo-dev 2012-09-17 13:01:49 UTC 
Been a couple of weeks with no bugs, please feel free to go forward with stabilization.
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-17 14:34:47 UTC 
Targets:
=sys-cluster/ganglia-3.4.0 amd64 ppc x86
=sys-cluster/ganglia-web-3.5.2 amd64 ppc x86
Comment 9 Andreas Schürch gentoo-dev 2012-09-19 05:26:17 UTC 
(In reply to comment #8)
> Targets:
> =sys-cluster/ganglia-3.4.0 amd64 ppc x86

There is no ganglia-3.4.0 in the tree up to now!?
# ls /usr/portage/sys-cluster/ganglia
ChangeLog  Manifest  files  ganglia-3.2.0.ebuild  ganglia-3.3.7.ebuild  metadata.xml
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-19 05:47:12 UTC 
(In reply to comment #9)
> (In reply to comment #8)
> > Targets:
> > =sys-cluster/ganglia-3.4.0 amd64 ppc x86
> 
> There is no ganglia-3.4.0 in the tree up to now!?
> # ls /usr/portage/sys-cluster/ganglia
> ChangeLog  Manifest  files  ganglia-3.2.0.ebuild  ganglia-3.3.7.ebuild 
> metadata.xml

You're right. Sorry for that I've looked in a wrong place.
Correct targets:
=sys-cluster/ganglia-3.3.7 amd64 ppc x86
=sys-cluster/ganglia-web-3.5.2 amd64 ppc x86
Comment 11 Andreas Schürch gentoo-dev 2012-09-19 13:01:38 UTC 
x86 done.
Comment 12 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-09-21 21:02:43 UTC 
=sys-cluster/ganglia-3.3.7 tested on amd64.
A part of bug 435784, everything looks fine.
Comment 13 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-09-21 21:09:33 UTC 
=sys-cluster/ganglia-web-3.5.2 tested amd64.
Comment 14 Agostino Sarubbo gentoo-dev 2012-09-22 12:13:33 UTC 
amd64 stable
Comment 15 Anthony Basile gentoo-dev 2012-09-22 13:49:40 UTC 
stable ppc
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-22 18:29:14 UTC 
Thanks, everyone.

Filing a new GLSA request.
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:43:42 UTC 
This issue was resolved and addressed in
 GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml
by GLSA coordinator Sean Amoss (ackle).