Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 322457 (CVE-2010-2060) - <app-misc/beanstalkd-1.4.6: Remote command injection (CVE-2010-2060)
Summary: <app-misc/beanstalkd-1.4.6: Remote command injection (CVE-2010-2060)
Alias: CVE-2010-2060
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B1? [glsa]
Depends on: 310033
  Show dependency tree
Reported: 2010-06-02 09:07 UTC by Johan Bergström
Modified: 2014-12-12 00:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Johan Bergström 2010-06-02 09:07:28 UTC
From changelog:
The put command now discards the entire job body before returning JOB_TOO_BIG. Previously, it interpreted the job body as commands. This was a potential security hole, where malicious users could craft job payload data to inject commands without cooperation from the beanstalk client application.

See version bump request at bug #310033
Comment 1 Patrick Lauer gentoo-dev 2010-06-02 09:24:21 UTC
Ebuilds for 1.4.6 commited
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-03 12:40:53 UTC
Thanks for the report.

What is meant by "remote command injection" here? Is this arbitrary shell code i.e. "remote execution of arbitray code" or just commands for the tool itself?
Comment 3 Johan Bergström 2010-06-04 16:22:16 UTC
this command injection was only within beanstalkd, so users could for example do stuff in style with:
put <magic data that will enable execution> <insert beanstalkd command here>
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-15 20:45:19 UTC
closing without GLSA as this is not stable on any arch
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-15 21:11:38 UTC
CVE-2010-2060 (
  The put command functionality in beanstalkd 1.4.5 and earlier allows
  remote attackers to execute arbitrary Beanstalk commands via the body
  in a job that is too big, which is not properly handled by the
  dispatch_cmd function in prot.c.

Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-02 10:39:37 UTC
Reopening as bug 288103 has made 1.3 stable meanwhile.

Patrick, can 1.4.6 go stable?
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-02 10:39:51 UTC
Actually reopening.
Comment 8 Johan Bergström 2010-08-03 08:01:57 UTC
I think this version is suitable for stablereq
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2010-08-17 08:03:58 UTC
x86 stable
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2010-08-17 17:19:10 UTC
amd64 done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 18:36:11 UTC
GLSA Vote: Yes.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 17:07:46 UTC
GLSA request filed. Why did it get just get a serverity of B4?!
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:32:23 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at
by GLSA coordinator Sean Amoss (ackle).