From ${URL} :

I've identified a fd leakage when running a program via Monkey HTTPD - CGI plugin. By running `ls -lah /proc/<pid>/fd/` on the CGI program we can see:

total 0
dr-x------ 2 felipe felipe  0 Jun 14 14:00 .
dr-xr-xr-x 8 felipe felipe  0 Jun 14 14:00 ..
lr-x------ 1 felipe felipe 64 Jun 14 14:00 0 -> pipe:[239545]
l-wx------ 1 felipe felipe 64 Jun 14 14:00 1 -> pipe:[239546]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 10 -> anon_inode:[eventpoll]
lr-x------ 1 felipe felipe 64 Jun 14 14:00 11 -> pipe:[242960]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 12 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 13 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 14 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 15 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 16 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 17 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 18 -> anon_inode:[eventpoll]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 19 -> anon_inode:[eventpoll]
l-wx------ 1 felipe felipe 64 Jun 14 14:00 2 -> /dev/null
lrwx------ 1 felipe felipe 64 Jun 14 14:00 3 -> socket:[240797]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 4 -> /home/felipe/audit/monkey/monkey/logs/monkey.pid.2001
lr-x------ 1 felipe felipe 64 Jun 14 14:00 5 -> pipe:[240798]
l-wx------ 1 felipe felipe 64 Jun 14 14:00 6 -> pipe:[240798]
lr-x------ 1 felipe felipe 64 Jun 14 14:00 7 -> pipe:[240799]
l-wx------ 1 felipe felipe 64 Jun 14 14:00 8 -> pipe:[240799]
lrwx------ 1 felipe felipe 64 Jun 14 14:00 9 -> socket:[242784]

Hence a malicious program can take control of Monkey HTTP request response through a network socket related file descriptor, etc.

Report
------
http://bugs.monkey-project.com/ticket/187

CREDITS
-------
Felipe Pena

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
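As an added example (not code from the report or from the Monkey project), the defensive pattern that closes this class of bug: before the server forks and execs a CGI child, every descriptor it holds above stdin/stdout/stderr is marked close-on-exec, and the check reads /proc/self/fd the same way the report's `ls` did. Linux-only; the 1024-entry table and the pipe standing in for the server's sockets and pipes are assumptions of the example.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 if fd carries FD_CLOEXEC, 0 if it would survive exec(), -1 if not open. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Walk /proc/self/fd (the listing the report inspected) and set FD_CLOEXEC on
 * every descriptor >= lowest. Numbers are collected first and the directory
 * handle closed before flagging, so fcntl() on it fails and it is skipped.
 * Returns how many descriptors were newly flagged, or -1 without /proc. */
int mark_cloexec_from(int lowest)
{
    int fds[1024], count = 0, marked = 0, fd;   /* 1024: assumed cap for the demo */
    struct dirent *e;
    DIR *d = opendir("/proc/self/fd");
    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL && count < 1024)
        if (e->d_name[0] != '.' && (fd = atoi(e->d_name)) >= lowest)
            fds[count++] = fd;
    closedir(d);
    for (int i = 0; i < count; i++) {
        int flags = fcntl(fds[i], F_GETFD);
        if (flags >= 0 && !(flags & FD_CLOEXEC) &&
            fcntl(fds[i], F_SETFD, flags | FD_CLOEXEC) == 0)
            marked++;
    }
    return marked;
}

/* A pipe stands in for the server's socket/pipe descriptors: opened without
 * O_CLOEXEC (a CGI child would inherit it across fork()+exec()), then sealed
 * with mark_cloexec_from(3), which leaves fds 0-2 for the child's stdio.
 * Returns 0 when the pipe was inheritable before and sealed afterwards. */
int demo(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int leaky = fd_is_cloexec(p[0]) == 0 && fd_is_cloexec(p[1]) == 0;
    int n = mark_cloexec_from(3);
    int sealed = fd_is_cloexec(p[0]) == 1 && fd_is_cloexec(p[1]) == 1;
    close(p[0]); close(p[1]);
    return (leaky && n >= 2 && sealed) ? 0 : 1;
}
```

Run after the server has opened its listeners and pipes but before fork(); on a kernel with O_CLOEXEC/SOCK_CLOEXEC the same result is reached by passing those flags at open time, which avoids the race between open and fork.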
The CVE for this has gone nowhere. See http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2183 There are no references and I can't get at the upstream bug report anymore since they moved to github.
(In reply to Anthony Basile from comment #1)
> The CVE for this has gone nowhere. See
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2183
>
> There are no references and I can't get at the upstream bug report anymore
> since they moved to github.

Actually, I found it. It's fixed: https://github.com/monkey/monkey/issues/93
# Aaron Bauman <bman@gentoo.org> (1 Jul 2016)
# Unpatched security vulnerabilities and dead upstream
# per bugs #459274 and #473770
# Removal in 30 days
www-servers/monkeyd
(In reply to Aaron Bauman from comment #3)
> # Aaron Bauman <bman@gentoo.org> (1 Jul 2016)
> # Unpatched security vulnerabilities and dead upstream
> # per bugs #459274 and #473770 Removal in 30 days
> www-servers/monkeyd

I have reverted this masking. You should not go around masking people's packages without their acknowledgement, especially since this has been fixed.
In what version? We'll close our bugs as per our usual process, thanks.
(In reply to Alex Legler from comment #5)
> In what version?
>
> We'll close our bugs as per to our usual process, thanks.

I was unable to reproduce. I tested back on Jan 28, 2014, which is when upstream commented that they assumed the issue was fixed. See the upstream bug as per comment #2.
(In reply to Anthony Basile from comment #6)
> (In reply to Alex Legler from comment #5)
> > In what version?
> >
> > We'll close our bugs as per to our usual process, thanks.
>
> I was unable to reproduce. I tested back in Jan 28, 2014 which is when
> upstream commented that they assumed the issue was fixed. See the upstream
> bug as per comment #2.

Err ... no, I tested when I saw the bug (memory fails). Probably mid-summer 2014. I can't remember the details, but I recall setting up a long-lived CGI which opened a bunch of files, checked /proc/<pid>/fd and didn't see them. I basically repeated what edisper did upstream with my own CGI.
(In reply to Anthony Basile from comment #7)

To be clear, I was not able to reproduce the fd leakage for CGI programs for any versions in the tree.