Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 520220 (CVE-2014-5336) - <www-servers/monkeyd-1.5.3: denial of service (CVE-2014-5336)
Summary: <www-servers/monkeyd-1.5.3: denial of service (CVE-2014-5336)
Status: RESOLVED FIXED
Alias: CVE-2014-5336
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-19 06:08 UTC by Agostino Sarubbo
Modified: 2014-09-10 06:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-08-19 06:08:13 UTC
From ${URL} :

Description: When the File Descriptor Table (FDT) mechanism is enabled
(the default setting), any HTTP requests that result in a custom error
message being returned cause a file descriptor (to the custom error
message content file) to be leaked. An attacker can therefore
repeatedly send such requests so as to leak a large number of
descriptors. Eventually, the server will reach the OS-enforced
per-process limit on the amount of open file descriptors (as given by
`ulimit -n`). From this point on, and until the server is restarted,
any request that requires the opening of another file in order to be
handled will fail; even valid requests from other parties for normal
files will fail with an HTTP 403 error. This is a simple
denial-of-service attack.
Workaround: Do not use custom error messages, or disable the File
Descriptor Table by using the "FDT off" directive in the server
configuration file (see
http://monkey-project.com/documentation/1.5/configuration/server.html#fdt).
Affected versions: <= v1.5.2
Fixed version: v1.5.3
Fix: https://github.com/monkey/monkey/commit/b2d0e6f92310bb14a15aa2f8e96e1fb5379776dd
Release notes: http://monkey-project.com/Announcements/v1.5.3
Reported by: Matthew Daley


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Anthony Basile gentoo-dev 2014-08-19 20:36:41 UTC
Its ready:

  TARGET="amd64 arm ppc ppc64 x86"
Comment 2 Agostino Sarubbo gentoo-dev 2014-08-20 15:50:09 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-08-20 16:00:08 UTC
x86 stable
Comment 4 Anthony Basile gentoo-dev 2014-08-21 01:25:01 UTC
Stable on arm, ppc and ppc64.  We're done stabilizing and I've removed all vulnerable versions from the tree.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 16:23:47 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-25 16:28:21 UTC
GLSA Vote: No
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-09-10 06:44:25 UTC
CVE-2014-5336 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5336):
  Monkey HTTP Server before 1.5.3, when the File Descriptor Table (FDT) is
  enabled and custom error messages are set, allows remote attackers to cause
  a denial of service (file descriptor consumption) via an HTTP request that
  triggers an error message.