Red Hat Bugzilla – Bug 480236
CVE-2009-0241 ganglia: gmetad buffer overflow
Last modified: 2015-02-16 10:41:16 EST
A stack-based buffer overflow was discovered in the gmetad server, part of the ganglia monitoring system. Quoting original report:
In process_path() a char element is allocated to contain the pieces
of the path as it is processed. If a request is made with a path element
longer than that the strncpy call will write to invalid memory location,
since there is no length checking performed on the input data to make sure
it is less than the size of element.
and status file note:
Unfortunately the fix introduces an off by one error so it still needs work.
This overflow occurs in the strncpy call (which uses input length as a bound, not a destination buffer size) and it is detected by the FORTIFY_SOURCE. Therefore, this can no be exploited for code execution, overflow is detected before data are written past the end of the buffer and program execution is terminated. This is DoS-only flaw on Fedora or Red Hat HPC Solution.
could a CVE be requested by redhat's CNA to easy up tracking for all affected parties?, AFAIK there is a securityfocus BID already assigned in :
We do not assign ids for already public issues, to minimize the risk of duplicating Mitre's assignments. Request for id was done couple of days ago via a list that is monitored by Mitre for new issues:
(In reply to comment #1)
> Unfortunately the fix introduces an off by one error so it still needs work.
Current version of the patch, including your fix for off-by-one:
The patch was updated again upstream, fixing another off-by-one in the request buffer:
ganglia-3.1.1-3.fc10 has been submitted as an update for Fedora 10.
ganglia-3.0.7-4.fc9 has been submitted as an update for Fedora 9.
Stack-based buffer overflow in the process_path function in
gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a
denial of service (crash) via a request to the gmetad service with a
Created attachment 329974 [details]
simplified patch to address buffer overflow in interactive port
already being used by the updated ganglia packages for Gentoo and Debian and proposed upstream in :
including hunks from the committed fixes in trunk and that are relevant for this reported problem.
applies cleanly for 3.0.6, 3.0.7 (-30 lines offset) as well as 3.1.1
This has been corrected in upstream 3.1.2 (which is in current Fedora 11+), and this was also corrected in EPEL4 and 5 via:
* Tue Jan 20 2009 Kostas Georgiou <firstname.lastname@example.org> - 3.0.7
- New upstream release
-  fix for a buffer overflow and an off-by-one bug in gmetad