Bug 480236 - (CVE-2009-0241) CVE-2009-0241 ganglia: gmetad buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: source=fedora,reported=20090115,publi...
Keywords: Security
Reported: 2009-01-15 15:23 EST by Tomas Hoger
Modified: 2015-02-16 10:41 EST
Last Closed: 2010-04-22 13:41:00 EDT
Doc Type: Bug Fix

Attachments
simplified patch to address buffer overflow in interactive port (1.33 KB, patch), 2009-01-26 06:35 EST, Arenas Belon, Carlo Marcelo

External Trackers
Tracker     ID
Debian BTS  512365
Gentoo      255366

Description Tomas Hoger 2009-01-15 15:23:49 EST
A stack-based buffer overflow was discovered in the gmetad server, part of the ganglia monitoring system.  Quoting original report:

  In process_path() a char element[256] is allocated to contain the pieces
  of the path as it is processed. If a request is made with a path element
  longer than that the strncpy call will write to invalid memory location,
  since there is no length checking performed on the input data to make sure
  it is less than the size of element.

Full report:
http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg04929.html

Upstream bug:
  http://bugzilla.ganglia.info/cgi-bin/bugzilla/show_bug.cgi?id=223

Upstream fix:
  http://ganglia.svn.sourceforge.net/viewvc/ganglia?view=rev&revision=1946
and status file note:
  http://ganglia.svn.sourceforge.net/viewvc/ganglia?view=rev&revision=1947
Comment 1 Kostas Georgiou 2009-01-15 16:28:57 EST
Unfortunately the fix introduces an off by one error so it still needs work.
Comment 2 Tomas Hoger 2009-01-16 05:04:31 EST
This overflow occurs in the strncpy call (which uses the input length as a bound, not the destination buffer size) and it is detected by FORTIFY_SOURCE.  Therefore, this cannot be exploited for code execution: the overflow is detected before data are written past the end of the buffer and program execution is terminated.  This is a DoS-only flaw on Fedora or Red Hat HPC Solution.
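The pattern described in the report above (a fixed char element[256] filled by a strncpy whose bound is the length of the incoming path element) and the FORTIFY_SOURCE behaviour noted in comment 2 are easier to see side by side. The following is an added example, not gmetad's server.c: the walker structure, the function names walk_path_unsafe and walk_path_safe, and the helper are all assumptions made for illustration; only the buffer size and the input-length-bounded strncpy follow the report.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not gmetad's code: a simplified stand-in for the path
 * walker in process_path().  The structure and names are assumptions;
 * only the pattern (char element[256] filled by strncpy bounded by the
 * input length) follows the bug report. */

#define ELEMENT_SIZE 256

/* Vulnerable pattern from the report: the strncpy bound is the length of
 * the incoming path element, not sizeof(element).  An element of 256 or
 * more bytes writes past the buffer.  Built with -O2 -D_FORTIFY_SOURCE=2,
 * glibc routes this call to __strncpy_chk, which knows the destination is
 * 256 bytes and aborts the process before writing (the DoS-only outcome
 * described in comment 2).  Never call this with an element of
 * ELEMENT_SIZE or more bytes; the test below only feeds it short paths. */
static int walk_path_unsafe(const char *path)
{
    char element[ELEMENT_SIZE];
    const char *p = path;
    int count = 0;

    while (*p) {
        const char *q = strchr(p, '/');
        size_t len = q ? (size_t)(q - p) : strlen(p);
        if (len > 0) {
            strncpy(element, p, len);   /* bound comes from the input */
            element[len] = '\0';        /* and one more byte past len */
            count++;
        }
        p = q ? q + 1 : p + len;
    }
    return count;
}

/* Hardened version: refuse any element that does not fit together with
 * its terminator.  The comparison must be >= ELEMENT_SIZE, not >: with
 * len == 256 the copy itself fills the buffer and element[len] = '\0'
 * still writes one byte past the end, which is the kind of off-by-one
 * that comments 1 and 7 report in the first upstream patches. */
static int walk_path_safe(const char *path)
{
    char element[ELEMENT_SIZE];
    const char *p = path;
    int count = 0;

    while (*p) {
        const char *q = strchr(p, '/');
        size_t len = q ? (size_t)(q - p) : strlen(p);
        if (len >= sizeof element)
            return -1;                  /* over-long element: reject the request */
        if (len > 0) {
            memcpy(element, p, len);
            element[len] = '\0';
            count++;
        }
        p = q ? q + 1 : p + len;
    }
    return count;
}

/* Demonstration helper (assumption, not part of gmetad): build a single
 * constructed element of n bytes of 'A' and run the hardened walker on it. */
static int safe_walk_of_element_len(size_t n)
{
    char buf[1024];
    if (n >= sizeof buf)
        return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return walk_path_safe(buf);
}

int main(void)
{
    printf("safe  /cluster/host/metric -> %d elements\n",
           walk_path_safe("/cluster/host/metric"));
    printf("safe  255-byte element     -> %d (fits)\n",
           safe_walk_of_element_len(255));
    printf("safe  256-byte element     -> %d (rejected)\n",
           safe_walk_of_element_len(256));
    return 0;
}
```

The 255/256 boundary in the helper is the point of the fix: 255 bytes plus the terminator exactly fill element[], 256 bytes do not, so the check has to reject at sizeof(element), not one past it.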
Comment 4 Arenas Belon, Carlo Marcelo 2009-01-18 02:31:22 EST
Could a CVE be requested by Red Hat's CNA to ease tracking for all affected parties? AFAIK there is a SecurityFocus BID already assigned:

  http://www.securityfocus.com/bid/33299
Comment 5 Tomas Hoger 2009-01-19 03:09:25 EST
We do not assign ids for already-public issues, to minimize the risk of duplicating Mitre's assignments.  A request for an id was made a couple of days ago via a list that is monitored by Mitre for new issues:
  http://www.openwall.com/lists/oss-security/2009/01/15/3
Comment 6 Tomas Hoger 2009-01-19 03:22:24 EST
(In reply to comment #1)
> Unfortunately the fix introduces an off by one error so it still needs work.

Current version of the patch, including your fix for off-by-one:
http://ganglia.svn.sourceforge.net/viewvc/ganglia/trunk/monitor-core/gmetad/server.c?r1=1233&r2=1950
Comment 7 Tomas Hoger 2009-01-20 03:24:48 EST
The patch was updated again upstream, fixing another off-by-one in the request[] buffer:
http://ganglia.svn.sourceforge.net/viewvc/ganglia?view=rev&revision=1953

Whole patch:
http://ganglia.svn.sourceforge.net/viewvc/ganglia/trunk/monitor-core/gmetad/server.c?r1=1233&r2=1953
Comment 8 Fedora Update System 2009-01-20 17:11:56 EST
ganglia-3.1.1-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ganglia-3.1.1-3.fc10
Comment 9 Fedora Update System 2009-01-20 17:13:27 EST
ganglia-3.0.7-4.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ganglia-3.0.7-4.fc9
Comment 10 Tomas Hoger 2009-01-21 09:14:34 EST
CVE-2009-0241:
Stack-based buffer overflow in the process_path function in
gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a
denial of service (crash) via a request to the gmetad service with a
long pathname.
Comment 11 Arenas Belon, Carlo Marcelo 2009-01-26 06:35:11 EST
Created attachment 329974
simplified patch to address buffer overflow in interactive port

Already being used by the updated ganglia packages for Gentoo and Debian, and proposed upstream in:

  http://bugzilla.ganglia.info/cgi-bin/bugzilla/attachment.cgi?id=189&action=view

It includes the hunks from the committed fixes in trunk that are relevant to this reported problem.

Applies cleanly to 3.0.6, 3.0.7 (with a -30 line offset) as well as 3.1.1.
Comment 12 Vincent Danen 2010-04-22 13:41:00 EDT
This has been corrected in upstream 3.1.2 (which is in current Fedora 11+), and this was also corrected in EPEL4 and 5 via:

* Tue Jan 20 2009 Kostas Georgiou <k.georgiou@imperial.ac.uk> - 3.0.7
- New upstream release
- [480236] fix for a buffer overflow and an off-by-one bug in gmetad
