From the bug report:

=== Buffer overflow

It is possible to instantly crash gmetad by crafting a special request to be sent to the interactive port. In process_path() a char element[256] is allocated to contain the pieces of the path as it is processed. If a request is made with a path element longer than that, the strncpy call will write to an invalid memory location, since there is no length checking performed on the input data to make sure it is less than the size of element. Secunia (http://secunia.com/advisories/33506/) claims system compromise is possible (with the rights of the user running gmetad), but I haven't verified this yet.
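The report above describes the missing check: a fixed 256-byte stack buffer filled from a '/'-separated request path with no test that each piece fits. The following is an added illustration, not code from gmetad or from the bug's patch, of how such a path walker looks once the length check is in place. It assumes the 256-byte element size from the report; the function names (next_element, count_path_elements, probe_element_length) and the constructed request paths are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same stack buffer size as the char element[256] named in the report. */
#define ELEMENT_SIZE 256

/*
 * Copy the next '/'-separated piece of `path` into `element`.
 * Returns the number of input characters consumed (the piece plus its
 * trailing slash, if any), or -1 when the piece would not fit in
 * `element_size` bytes including the terminator. That refusal is the
 * length check the report says process_path() lacked before its strncpy.
 */
static int next_element(const char *path, char *element, size_t element_size)
{
    const char *slash = strchr(path, '/');
    size_t len = slash ? (size_t)(slash - path) : strlen(path);

    if (len >= element_size) {
        element[0] = '\0';
        return -1;
    }
    memcpy(element, path, len);
    element[len] = '\0';
    return (int)len + (slash ? 1 : 0);
}

/*
 * Walk a request path and count its non-empty elements.
 * Returns -1 (and stops) as soon as an overlong element is seen, so the
 * fixed-size buffer is never written past its end.
 */
int count_path_elements(const char *path)
{
    char element[ELEMENT_SIZE];
    int count = 0;

    while (*path != '\0') {
        int consumed = next_element(path, element, sizeof element);
        if (consumed < 0)
            return -1;
        if (element[0] != '\0')
            count++;
        path += consumed;
    }
    return count;
}

/*
 * Hypothetical helper for experiments: builds "/" + len * 'a' + "/x"
 * (a constructed request path) and returns count_path_elements() on it.
 */
int probe_element_length(size_t len)
{
    char *path = malloc(len + 4);
    int result;

    if (path == NULL)
        return -2;
    path[0] = '/';
    memset(path + 1, 'a', len);
    path[len + 1] = '/';
    path[len + 2] = 'x';
    path[len + 3] = '\0';
    result = count_path_elements(path);
    free(path);
    return result;
}

int main(void)
{
    printf("/cluster/host/metric -> %d elements\n",
           count_path_elements("/cluster/host/metric"));
    printf("255-char element     -> %d\n", probe_element_length(255));
    printf("256-char element     -> %d (rejected)\n", probe_element_length(256));
    return 0;
}
```

The boundary matters: an element of exactly 255 bytes still fits because the terminator needs the 256th byte, while 256 bytes or more is refused before any copy happens. A patch that only swapped in a bounded copy without checking the length would silently truncate instead of rejecting, which is why the check comes first.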
There's a patch for this in the original report: http://bugzilla.ganglia.info/cgi-bin/bugzilla/attachment.cgi?id=188&action=view herd, do you want to provide a patched ebuild or wait for a new version?
Patch added to 3.1.1-r1. Thanks for letting me know, I haven't been keeping up with the dev list.
Reopening, as we should first see if mabi's whiteboard status is correct and we need a GLSA.
Unless 3.0.x is known to be not vulnerable, we need to get this stable on x86 first, otherwise it would be ~1 anyway and not Bn. hp-cluster herd, is =sys-cluster/ganglia-3.1.1-r1 ready to go stable on x86? If yes, you can already CC x86@g.o if you want, or just note it on the bug.
*** Bug 255353 has been marked as a duplicate of this bug. ***
According to #255353, this affects all versions of ganglia currently in the tree. x86 please mark ganglia-3.1.1-r1 as stable, src_test is expected to succeed. Sorry for closing this too quickly earlier.
Thanks, adapting whiteboard.
Sorry, x86, we need a new patch before stabling. In bug 255593 it was reported that with the patch we used, another overflow is unveiled. Updated patch here: http://bugzilla.ganglia.info/cgi-bin/bugzilla/attachment.cgi?id=189&action=view
Alright, new patch is applied. x86 team, same procedure as in comment 6 please, only this time with sys-cluster/ganglia-3.1.1-r2. Sorry again for the confusion.
x86 stable, all arches done.
CVE-2009-0241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0241): Stack-based buffer overflow in the process_path function in gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a denial of service (crash) via a request to the gmetad service with a long pathname.

CVE-2009-0242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0242): Ganglia 3.1.1 allows remote attackers to cause a denial of service via a request to the gmetad service with a path does not exist, which causes Ganglia to (1) perform excessive CPU computation and (2) send the entire tree, which consumes network bandwidth.
(In reply to comment #11)
> CVE-2009-0241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0241):
> Stack-based buffer overflow in the process_path function in
> gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a
> denial of service (crash) via a request to the gmetad service with a
> long pathname.

This is the vulnerability that was patched and was being tracked upstream.

> CVE-2009-0242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0242):
> Ganglia 3.1.1 allows remote attackers to cause a denial of service
> via a request to the gmetad service with a path does not exist, which
> causes Ganglia to (1) perform excessive CPU computation and (2) send
> the entire tree, which consumes network bandwidth.

This is most likely just a confusion generated by the way the bug was originally reported, which also included a proposal (which was not accepted) to add a feature that could trigger this behaviour, but that has otherwise been considered invalid, as shown by: https://bugzilla.redhat.com/show_bug.cgi?id=480960
GLSA request filed.
CVE-2009-0242 has been officially rejected (via oss-sec).
GLSA 200903-22