Bug 473770 (CVE-2013-2183) - www-servers/monkeyd: FD leakage for cgi program (CVE-2013-2183)
Summary: www-servers/monkeyd: FD leakage for cgi program (CVE-2013-2183)
Status: RESOLVED INVALID
Alias: CVE-2013-2183
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-19 05:21 UTC by Agostino Sarubbo
Modified: 2016-07-04 12:47 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-06-19 05:21:44 UTC
From ${URL} :

I've identified a fd leakage when running a program via Monkey HTTPD -
CGI plugin.

By running `ls -lah /proc/<pid>/fd/` on the CGI program we can see:

total 0
dr-x------ 2 felipe felipe 0 Jun 14 14:00 .
dr-xr-xr-x 8 felipe felipe 0 Jun 14 14:00 ..
lr-x------ 1 felipe felipe 64 Jun 14 14:00 0 -> pipe:[239545]
l-wx------ 1 felipe felipe 64 Jun 14 14:00 1 -> pipe:[239546]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 10 -> anon_inode:[eventpoll]
lr-x------ 1 felipe felipe 64 Jun 14 14:00 11 -> pipe:[242960]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 12 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 13 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 14 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 15 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 16 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 17 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 18 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 19 -> anon_inode:[eventpoll]
l-wx------ 1 felipe felipe 64 Jun 14 14:00 2 -> /dev/null
lrwx------ 1 felipe felipe 64 Jun 14 14:00 3 -> socket:[240797]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 4 -> /home/felipe/audit/monkey/monkey/logs/monkey.pid.2001
lr-x------ 1 felipe felipe 64 Jun 14 14:00 5 -> pipe:[240798]
l-wx------ 1 felipe felipe 64 Jun 14 14:00 6 -> pipe:[240798]
lr-x------ 1 felipe felipe 64 Jun 14 14:00 7 -> pipe:[240799]
l-wx------ 1 felipe felipe 64 Jun 14 14:00 8 -> pipe:[240799]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 9 -> socket:[242784]

Hence a malicious program can take control of Monkey HTTP request response
through a network socket related file descriptor, etc.


Report
------
http://bugs.monkey-project.com/ticket/187


CREDITS
-------
Felipe Pena



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Anthony Basile gentoo-dev 2014-07-20 14:39:06 UTC
The CVE for this has gone nowhere.  See

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2183

There are no references and I can't get at the upstream bug report anymore since they moved to github.
Comment 2 Anthony Basile gentoo-dev 2014-07-20 14:40:23 UTC
(In reply to Anthony Basile from comment #1)
> The CVE for this has gone nowhere.  See
> 
>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2183
> 
> There are no references and I can't get at the upstream bug report anymore
> since they moved to github.

Actually, I found it.  It's fixed:

    https://github.com/monkey/monkey/issues/93
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-01 01:39:40 UTC
# Aaron Bauman <bman@gentoo.org> (1 Jul 2016)
# Unpatched security vulnerabilities and dead upstream
# per bugs #459274 and #473770  Removal in 30 days
www-servers/monkeyd
Comment 4 Anthony Basile gentoo-dev 2016-07-01 02:44:26 UTC
(In reply to Aaron Bauman from comment #3)
> # Aaron Bauman <bman@gentoo.org> (1 Jul 2016)
> # Unpatched security vulnerabilities and dead upstream
> # per bugs #459274 and #473770  Removal in 30 days
> www-servers/monkeyd

I have reverted this masking.  You should not go around masking people's packages without their acknowledgement, especially since this has been fixed.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2016-07-01 06:51:48 UTC
In what version?

We'll close our bugs as per our usual process, thanks.
Comment 6 Anthony Basile gentoo-dev 2016-07-01 09:33:02 UTC
(In reply to Alex Legler from comment #5)
> In what version?
> 
> We'll close our bugs as per our usual process, thanks.

I was unable to reproduce.  I tested back in Jan 28, 2014 which is when upstream commented that they assumed the issue was fixed.  See the upstream bug as per comment #2.
Comment 7 Anthony Basile gentoo-dev 2016-07-01 10:24:37 UTC
(In reply to Anthony Basile from comment #6)
> (In reply to Alex Legler from comment #5)
> > In what version?
> > 
> > We'll close our bugs as per our usual process, thanks.
> 
> I was unable to reproduce.  I tested back in Jan 28, 2014 which is when
> upstream commented that they assumed the issue was fixed.  See the upstream
> bug as per comment #2.

Err ... no, I tested when I saw the bug (memory fails).  Probably mid summer 2014.  I can't remember the details, but I recall setting up a long-lived cgi which opened a bunch of files, checked /proc/<pid>/fd and didn't see them.  I basically repeated what edisper did upstream with my own cgi.
Comment 8 Anthony Basile gentoo-dev 2016-07-01 17:56:44 UTC
(In reply to Anthony Basile from comment #7)

To be clear, I was not able to reproduce the fd leakage for cgi programs for any versions in the tree.
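
The /proc fd listing used in this thread can also be checked from the server side before a CGI is exec'd. The C program below is an added example, not Monkey's code or its upstream fix: it counts descriptors that lack close-on-exec (the ones a child would inherit) and shows both setting FD_CLOEXEC after the fact and requesting it at creation time. The names `audit_fds` and `open_server_fds` are hypothetical, and an AF_UNIX socket stands in for the server's connection socket.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count fds above stderr lacking FD_CLOEXEC (they survive execve() into a CGI).
 * With fix != 0, set the flag and count only failures. Returns -1 on error. */
static int audit_fds(int fix)
{
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e;
    int leaky = 0;

    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        int flags;
        if (end == e->d_name || *end != '\0') continue;   /* "." and ".." */
        /* stdio is handed to the CGI on purpose; skip our own directory fd */
        if (fd <= STDERR_FILENO || fd == dirfd(d)) continue;
        flags = fcntl((int)fd, F_GETFD);
        if (flags < 0 || (flags & FD_CLOEXEC)) continue;  /* already safe */
        if (fix && fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC) == 0) continue;
        leaky++;
    }
    closedir(d);
    return leaky;
}

/* Hypothetical stand-ins for a server's connection socket and epoll instance. */
static int open_server_fds(int out[2], int cloexec)
{
    out[0] = socket(AF_UNIX, SOCK_STREAM | (cloexec ? SOCK_CLOEXEC : 0), 0);
    out[1] = epoll_create1(cloexec ? EPOLL_CLOEXEC : 0);
    return (out[0] < 0 || out[1] < 0) ? -1 : 0;
}

int main(void)
{
    int fds[2];
    if (open_server_fds(fds, 0) != 0) return 1;
    printf("inheritable before fix: %d\n", audit_fds(0));
    printf("still inheritable after fix: %d\n", audit_fds(1));
    return 0;
}
```

Setting the flag at creation time (`SOCK_CLOEXEC`, `EPOLL_CLOEXEC`, `O_CLOEXEC`) avoids the window in a multi-threaded server where another thread forks between the open and the `fcntl` call.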