Bug 480236 (CVE-2009-0241)
Field | Value
---|---
Summary | CVE-2009-0241 ganglia: gmetad buffer overflow
Product | [Other] Security Response
Component | vulnerability
Status | CLOSED ERRATA
Severity | medium
Priority | medium
Version | unspecified
Hardware | All
OS | Linux
Reporter | Tomas Hoger <thoger>
Assignee | Red Hat Product Security <security-response-team>
CC | carenas, k.georgiou, ocs2, plautrba, vdanen
Keywords | Security
Target Milestone | ---
Target Release | ---
Doc Type | Bug Fix
Last Closed | 2010-04-22 17:41:00 UTC
Description
Tomas Hoger, 2009-01-15 20:23:49 UTC
Unfortunately the fix introduces an off-by-one error, so it still needs work.

This overflow occurs in the strncpy call (which uses the input length as a bound, not the destination buffer size) and it is detected by FORTIFY_SOURCE. Therefore, this cannot be exploited for code execution: the overflow is detected before data are written past the end of the buffer and program execution is terminated. This is a DoS-only flaw on Fedora or Red Hat HPC Solution.

Could a CVE be requested by redhat's CNA to ease tracking for all affected parties? AFAIK there is a securityfocus BID already assigned: http://www.securityfocus.com/bid/33299

We do not assign ids for already public issues, to minimize the risk of duplicating Mitre's assignments. A request for an id was made a couple of days ago via a list that is monitored by Mitre for new issues: http://www.openwall.com/lists/oss-security/2009/01/15/3

(In reply to comment #1)
> Unfortunately the fix introduces an off-by-one error, so it still needs work.

Current version of the patch, including your fix for the off-by-one: http://ganglia.svn.sourceforge.net/viewvc/ganglia/trunk/monitor-core/gmetad/server.c?r1=1233&r2=1950

The patch was updated again upstream, fixing another off-by-one in the request[] buffer: http://ganglia.svn.sourceforge.net/viewvc/ganglia?view=rev&revision=1953

Whole patch: http://ganglia.svn.sourceforge.net/viewvc/ganglia/trunk/monitor-core/gmetad/server.c?r1=1233&r2=1953

ganglia-3.1.1-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/ganglia-3.1.1-3.fc10

ganglia-3.0.7-4.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/ganglia-3.0.7-4.fc9

CVE-2009-0241: Stack-based buffer overflow in the process_path function in gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a denial of service (crash) via a request to the gmetad service with a long pathname.
Created attachment 329974 [details]

Simplified patch to address the buffer overflow in the interactive port, already being used by the updated ganglia packages for Gentoo and Debian and proposed upstream in: http://bugzilla.ganglia.info/cgi-bin/bugzilla/attachment.cgi?id=189&action=view

It includes the hunks from the committed fixes in trunk that are relevant for this reported problem. Applies cleanly to 3.0.6, 3.0.7 (-30 lines offset) as well as 3.1.1.

This has been corrected in upstream 3.1.2 (which is in current Fedora 11+), and this was also corrected in EPEL4 and 5 via:

* Tue Jan 20 2009 Kostas Georgiou <k.georgiou.uk> - 3.0.7
- New upstream release
- [480236] fix for a buffer overflow and an off-by-one bug in gmetad
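The copy-bound mistake the comments describe (a strncpy bounded by the input length rather than the destination size, and the off-by-one that a naive fix can leave behind), as an added C example that is neither Ganglia's code nor the patch linked above. PATH_BUF_SIZE, copy_path_bounded, handle_request and probe_request_length are constructed names; the buffer size and the sample requests are constructed values, not gmetad's:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the fixed stack buffer that receives the request
 * path. Constructed for this example; not the size gmetad uses. */
#define PATH_BUF_SIZE 64

/*
 * The pattern the bug report describes, shown only as a comment because
 * executing it with a long request overruns the stack:
 *
 *     char path[PATH_BUF_SIZE];
 *     strncpy(path, request, strlen(request));  // bound is the INPUT length
 *
 * The third argument exists to limit the copy to the destination's
 * capacity; deriving it from the source makes it no limit at all. Built
 * with -D_FORTIFY_SOURCE=2, glibc's checked strncpy compares that bound
 * with the compile-time size of `path` and aborts the process instead of
 * writing, which is why the report classifies the flaw as denial of
 * service rather than code execution.
 *
 * The classic off-by-one when fixing this is to bound by sizeof(path):
 * a request of exactly PATH_BUF_SIZE bytes then fills the buffer with no
 * room for the terminating NUL. The fix below reserves that byte.
 */

/* Copy src into dst only if it fits together with its NUL terminator.
 * Returns true on success; on rejection dst is left as an empty string. */
bool copy_path_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return false;
    size_t len = strlen(src);
    if (len >= dstsize) {        /* len == dstsize - 1 is the most that fits */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);   /* copies the NUL as well */
    return true;
}

/* Stand-in for a request handler with a fixed stack buffer for the path.
 * Returns the accepted path length, or -1 when the request is rejected. */
int handle_request(const char *request)
{
    char path[PATH_BUF_SIZE];
    if (!copy_path_bounded(path, sizeof path, request))
        return -1;
    return (int)strlen(path);
}

/* Build a constructed request of `len` bytes ('A' repeated) and feed it to
 * handle_request, so the boundary around PATH_BUF_SIZE can be checked. */
int probe_request_length(size_t len)
{
    char request[512];
    if (len >= sizeof request)
        return -2;               /* probe buffer too small for this len */
    memset(request, 'A', len);
    request[len] = '\0';
    return handle_request(request);
}

int main(void)
{
    /* Constructed sample requests; not captured gmetad traffic. */
    printf("short path -> %d\n", handle_request("/cluster1/host1/load_one"));
    printf("63 bytes   -> %d\n", probe_request_length(PATH_BUF_SIZE - 1));
    printf("64 bytes   -> %d\n", probe_request_length(PATH_BUF_SIZE));
    printf("200 bytes  -> %d\n", probe_request_length(200));
    return 0;
}
```

The boundary probe is the check worth keeping in a regression test: a request one byte shorter than the buffer must be accepted and one of exactly the buffer size must be rejected, which is precisely the case a sizeof-bounded strncpy gets wrong.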