Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 255366 (CVE-2009-0241) - sys-cluster/ganglia: Buffer overflow in gmetad (CVE-2009-0241)
Summary: sys-cluster/ganglia: Buffer overflow in gmetad (CVE-2009-0241)
Status: RESOLVED FIXED
Alias: CVE-2009-0241
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://bugzilla.ganglia.info/cgi-bin/...
Whiteboard: B1 [glsa]
Keywords:
: 255353 (view as bug list)
Depends on: 255593
Blocks:
  Show dependency tree
 
Reported: 2009-01-18 11:16 UTC by Matti Bickel (RETIRED)
Modified: 2009-03-10 14:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matti Bickel (RETIRED) gentoo-dev 2009-01-18 11:16:17 UTC
From the bug report:

=== Buffer overflow
It is possible to instantly crash gmetad by crafting a special request to be
sent to the interactive port.

In process_path() a char element[256] is allocated to contain the pieces of the
path as it is processed. If a request is made with a path element longer than
that the strncpy call will write to invalid memory location, since there is no
length checking performed on the input data to make sure it is less than the
size of element.

Secunia (http://secunia.com/advisories/33506/) claims system compromise possible (with the rights of the user running gmetad). But i haven't verified this yet.
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2009-01-18 11:19:28 UTC
There's a patch for this in the original report:
http://bugzilla.ganglia.info/cgi-bin/bugzilla/attachment.cgi?id=188&action=view

herd, do you want to provide an patched ebuild or wait for a new version?
Comment 2 Justin Bronder (RETIRED) gentoo-dev 2009-01-18 21:13:39 UTC
Patch added to 3.1.1-r1.  Thanks for letting me know, I haven't been keeping up with the dev list.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-01-18 21:17:46 UTC
Reopening, as we should first see if mabi's whiteboard status is correct and we need a GLSA.
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2009-01-18 21:45:42 UTC
Unless 3.0.x is known to be not vulnerable, we need to get this stable on x86 first, otherwise it would be ~1 anyway and not Bn.
hp-cluster herd, is =sys-cluster/ganglia-3.1.1-r1 ready to go stable on x86?

If yes, you can already CC x86@g.o if you want, or just note it on the bug.
Comment 5 Justin Bronder (RETIRED) gentoo-dev 2009-01-18 22:05:15 UTC
*** Bug 255353 has been marked as a duplicate of this bug. ***
Comment 6 Justin Bronder (RETIRED) gentoo-dev 2009-01-18 22:07:56 UTC
According to #255353, this affects all versions of ganglia currently in the tree.

x86 please mark ganglia-3.1.1-r1 as stable, src_test is expected to succeed.

Sorry for closing this too quickly earlier.
Comment 7 Christian Hoffmann (RETIRED) gentoo-dev 2009-01-18 22:12:02 UTC
Thanks, adapting whiteboard.
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-01-20 06:44:09 UTC
Sorry, x86, we need a new patch before stabling..

In bug 255593 was reported that with the patch we used, another overflow is unveiled.

Updated patch here: http://bugzilla.ganglia.info/cgi-bin/bugzilla/attachment.cgi?id=189&action=view
Comment 9 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-01-20 19:30:16 UTC
Alright, new Patch is applied.

x86 team, same procedure as in comment 6 please, only this time with sys-cluster/ganglia-3.1.1-r2.
Sorry again for the confusion.
Comment 10 Markus Meier gentoo-dev 2009-01-21 22:16:45 UTC
x86 stable, all arches done.
Comment 11 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-01-22 21:15:00 UTC
CVE-2009-0241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0241):
  Stack-based buffer overflow in the process_path function in
  gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a
  denial of service (crash) via a request to the gmetad service with a
  long pathname.

CVE-2009-0242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0242):
  Ganglia 3.1.1 allows remote attackers to cause a denial of service
  via a request to the gmetad service with a path does not exist, which
  causes Ganglia to (1) perform excessive CPU computation and (2) send
  the entire tree, which consumes network bandwidth.
Comment 12 Carlo Marcelo Arenas Belon 2009-01-23 09:10:39 UTC
(In reply to comment #11)
> CVE-2009-0241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0241):
>   Stack-based buffer overflow in the process_path function in
>   gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a
>   denial of service (crash) via a request to the gmetad service with a
>   long pathname.

this is the vulnerability that was patched and was being tracked upstream

> CVE-2009-0242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0242):
>   Ganglia 3.1.1 allows remote attackers to cause a denial of service
>   via a request to the gmetad service with a path does not exist, which
>   causes Ganglia to (1) perform excessive CPU computation and (2) send
>   the entire tree, which consumes network bandwidth.

this is most likely just a confusion generated by the way the bug was originally reported and that also included a proposal (which was not accepted) to add a feature which could trigger this behaviour, but that has been otherwise considered invalid as shown by :

  https://bugzilla.redhat.com/show_bug.cgi?id=480960
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2009-02-03 00:12:27 UTC
GLSA request filed.
Comment 14 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-02-04 05:12:42 UTC
CVE-2009-0242 has been officially rejected (via oss-sec).
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-03-10 14:27:52 UTC
GLSA 200903-22