Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 428776 (CVE-2012-3448) - <sys-cluster/ganglia-3.3.7: Unspecified PHP Code Execution Vulnerability (CVE-2012-3448)
Summary: <sys-cluster/ganglia-3.3.7: Unspecified PHP Code Execution Vulnerability (CVE...
Status: RESOLVED FIXED
Alias: CVE-2012-3448
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/50047/
Whiteboard: B2 [glsa]
Keywords:
: 433048 (view as bug list)
Depends on:
Blocks:
 
Reported: 2012-07-31 09:01 UTC by Agostino Sarubbo
Modified: 2014-12-12 00:43 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-07-31 09:01:52 UTC
Description
A vulnerability has been reported in Ganglia, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary PHP code.

The vulnerability is reported in versions 3.1.7 through 3.5.0. Other versions may also be affected.


Solution
Update to version 3.5.1.
Comment 1 Sean Amoss gentoo-dev Security 2012-08-02 01:58:52 UTC
CVE assignment per http://www.openwall.com/lists/oss-security/2012/08/02/1
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-08-07 01:02:36 UTC
CVE-2012-3448 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3448):
  Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote
  attackers to execute arbitrary PHP code via unknown attack vectors.
Comment 3 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-02 19:48:45 UTC
*** Bug 433048 has been marked as a duplicate of this bug. ***
Comment 4 Justin Bronder (RETIRED) gentoo-dev 2012-09-04 03:39:09 UTC
*ganglia-web-3.5.2 (04 Sep 2012)

  04 Sep 2012; Justin Bronder <jsbronder@gentoo.org> +ganglia-web-3.5.2.ebuild,
  +metadata.xml:
  Add sys-cluster/ganglia-web to match upstream development. Resolves #428776
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-09-04 16:07:29 UTC
(In reply to comment #4)
> *ganglia-web-3.5.2 (04 Sep 2012)
> 
>   04 Sep 2012; Justin Bronder <jsbronder@gentoo.org>
> +ganglia-web-3.5.2.ebuild,
>   +metadata.xml:
>   Add sys-cluster/ganglia-web to match upstream development. Resolves #428776

Thanks, Justin. So ganglia-web replaces ganglia? And are we ready to stabilize 3.5.2?
Comment 6 Justin Bronder (RETIRED) gentoo-dev 2012-09-04 17:14:47 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > *ganglia-web-3.5.2 (04 Sep 2012)
> > 
> >   04 Sep 2012; Justin Bronder <jsbronder@gentoo.org>
> > +ganglia-web-3.5.2.ebuild,
> >   +metadata.xml:
> >   Add sys-cluster/ganglia-web to match upstream development. Resolves #428776
> 
> Thanks, Justin. So ganglia-web replaces ganglia? And are we ready to
> stabilize 3.5.2?

ganglia-web replaces the web component of ganglia which had this vulnerability.  I'd like to let the two sit in the tree for a couple of weeks just to get some usage before going for stable as this is a decent sized change to how things were being packaged.

However, if the security team thinks this vulnerability should be addressed now, then I have no problem with going ahead with stabilization.
Comment 7 Justin Bronder (RETIRED) gentoo-dev 2012-09-17 13:01:49 UTC
Been a couple of weeks with no bugs, please feel free to go forward with stabilization.
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-17 14:34:47 UTC
Targets:
=sys-cluster/ganglia-3.4.0 amd64 ppc x86
=sys-cluster/ganglia-web-3.5.2 amd64 ppc x86
Comment 9 Andreas Schürch gentoo-dev 2012-09-19 05:26:17 UTC
(In reply to comment #8)
> Targets:
> =sys-cluster/ganglia-3.4.0 amd64 ppc x86

There is no ganglia-3.4.0 in the tree up to now!?
# ls /usr/portage/sys-cluster/ganglia
ChangeLog  Manifest  files  ganglia-3.2.0.ebuild  ganglia-3.3.7.ebuild  metadata.xml
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-19 05:47:12 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > Targets:
> > =sys-cluster/ganglia-3.4.0 amd64 ppc x86
> 
> There is no ganglia-3.4.0 in the tree up to now!?
> # ls /usr/portage/sys-cluster/ganglia
> ChangeLog  Manifest  files  ganglia-3.2.0.ebuild  ganglia-3.3.7.ebuild 
> metadata.xml

You're right. Sorry for that I've looked in a wrong place.
Correct targets:
=sys-cluster/ganglia-3.3.7 amd64 ppc x86
=sys-cluster/ganglia-web-3.5.2 amd64 ppc x86
Comment 11 Andreas Schürch gentoo-dev 2012-09-19 13:01:38 UTC
x86 done.
Comment 12 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-09-21 21:02:43 UTC
=sys-cluster/ganglia-3.3.7 tested on amd64.
A part of bug 435784, everything looks fine.
Comment 13 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-09-21 21:09:33 UTC
=sys-cluster/ganglia-web-3.5.2 tested amd64.
Comment 14 Agostino Sarubbo gentoo-dev 2012-09-22 12:13:33 UTC
amd64 stable
Comment 15 Anthony Basile gentoo-dev 2012-09-22 13:49:40 UTC
stable ppc
Comment 16 Sean Amoss gentoo-dev Security 2012-09-22 18:29:14 UTC
Thanks, everyone.

Filing a new GLSA request.
Comment 17 Sean Amoss gentoo-dev Security 2014-12-12 00:43:42 UTC
This issue was resolved and addressed in
 GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml
by GLSA coordinator Sean Amoss (ackle).