A denial of service flaw was found in the way Munin, a network-wide graphing framework, honoured certain query string parameters when retrieving image files. If a remote attacker issued repeated HTTP GET (image retrieval) requests with specially crafted image dimensions present in the query string, each time with a unique name for the image file to be retrieved present in the query, it could lead to a denial of service (excessive memory and storage use by the munin CGI script).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670811#14

CVE assignment:
[2] http://www.openwall.com/lists/oss-security/2012/04/29/2

Reproducers:

a) common reproducer to obtain an existing image and store it in Munin's cache:

printf 'GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80

b) reproducer for excessive memory / storage usage (the first part of the request is the same as in case a)):

..png?size_x=20000&size_y=20000&uniquestuff
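The pattern described in the report (many graph requests from one client, each with an oversized size_x/size_y and a fresh query string so the cached file name never repeats) is easy to spot in the web server access log. The following is an added example, not code from Munin or from the reporter: it parses constructed Apache-style log lines, profiles munin-cgi-graph requests per client, and flags clients that send oversized dimensions or an unusual number of distinct graph URLs. The log lines, the dimension cap MAX_DIM and the DISTINCT_THRESHOLD are assumptions for illustration; the page does not give the value of the size cap rrd applies.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Apache common log format); not real traffic.
# 203.0.113.5 replays the reproducer from the report, 198.51.100.7 is a
# normal client fetching one graph and a stylesheet.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Apr/2012:10:00:01 +0000] "GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo HTTP/1.0" 200 5120
203.0.113.5 - - [29/Apr/2012:10:00:02 +0000] "GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?size_x=20000&size_y=20000&a1 HTTP/1.0" 200 5120
203.0.113.5 - - [29/Apr/2012:10:00:03 +0000] "GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?size_x=20000&size_y=20000&a2 HTTP/1.0" 200 5120
203.0.113.5 - - [29/Apr/2012:10:00:04 +0000] "GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?size_x=20000&size_y=20000&a3 HTTP/1.0" 200 5120
198.51.100.7 - - [29/Apr/2012:10:01:00 +0000] "GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/cpu-day.png HTTP/1.1" 200 4096
198.51.100.7 - - [29/Apr/2012:10:01:01 +0000] "GET /munin/static/style.css HTTP/1.1" 200 1234
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

MAX_DIM = 2000            # assumed pixel cap; anything above is treated as abusive
DISTINCT_THRESHOLD = 3    # assumed number of distinct graph URLs per client before alerting


def parse_line(line):
    """Return the fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_graph_request(target):
    """True if the request path goes to the munin-cgi-graph CGI."""
    return "/munin-cgi-graph/" in urlsplit(target).path


def oversized(target):
    """True if size_x or size_y in the query string exceeds MAX_DIM."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key in ("size_x", "size_y"):
        for value in query.get(key, []):
            try:
                if int(value) > MAX_DIM:
                    return True
            except ValueError:
                continue  # non-numeric dimension; not our concern here
    return False


def profile(log_text):
    """Per client IP: how many graph requests, how many oversized, and how
    many distinct (path, query) pairs, i.e. distinct cache file names."""
    stats = defaultdict(lambda: {"requests": 0, "oversized": 0, "distinct": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or not is_graph_request(rec["target"]):
            continue
        parts = urlsplit(rec["target"])
        entry = stats[rec["ip"]]
        entry["requests"] += 1
        entry["distinct"].add((parts.path, parts.query))
        if oversized(rec["target"]):
            entry["oversized"] += 1
    # Freeze the distinct set into a count for easy reporting.
    return {ip: {"requests": e["requests"], "oversized": e["oversized"],
                 "distinct": len(e["distinct"])} for ip, e in stats.items()}


def alerts(log_text):
    """Clients whose graph traffic matches the reproducer pattern."""
    flagged = {}
    for ip, s in profile(log_text).items():
        reasons = []
        if s["oversized"]:
            reasons.append("oversized dimensions")
        if s["distinct"] >= DISTINCT_THRESHOLD:
            reasons.append("many distinct graph URLs (cache-filling pattern)")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in alerts(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(reasons))
```

Run against a real log with `alerts(open("/var/log/httpd/access_log").read())`; the two thresholds are the knobs to tune, and the "distinct URLs" signal is the one that survives even when the attacker keeps the dimensions small, since it is the unique file name per request that fills the cache.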
This issue affects the versions of the munin package, as shipped with Fedora releases 15 and 16.

This issue affects the versions of the munin package, as shipped with Fedora EPEL 5 and Fedora EPEL 6.
Created munin tracking bugs for this issue

Affects: fedora-all [bug 812893]
Affects: epel-all [bug 812894]
Is this the same as the bugid mentioned in http://munin-monitoring.org/changeset/4825 ?
(In reply to comment #3)
> Is this the same as the bugid mentioned in
> http://munin-monitoring.org/changeset/4825 ?

The http://munin-monitoring.org/changeset/4825 changeset seems to be fixing this:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668667

thus the /tmp filesystem exhaustion due to the original reproducer:

printf 'GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80

But as noted in Steve's OSS reply:
http://www.openwall.com/lists/oss-security/2012/04/27/7
the memory usage should be a different (yet another) issue.

Yes, r4825 once applied wouldn't allow exhausting / filling the /tmp filesystem via CGI requests for unique file names. But if I got the memory usage report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670811#14
correctly, even after disabling caching of files it should be possible to cause a memory use DoS (that's why I didn't mention r4825 here [see Steve's comment: "As Helmut noticed, there is already a size cap in rrd, so do I still need implement one in munin ? If yes, would you mind to file another bugreport (for RAM exhaustion) ?"]).
So, where are we here? We should apply changeset 4825 to fix this issue, but look for another issue related to the memory usage (which has not yet been filed or fixed?)?
This report matches a different branch than Fedora/EPEL ship.

It matches:
http://munin-monitoring.org/browser/trunk/master/_bin/munin-cgi-graph.in
(Currently rev4853)

Fedora/EPEL use:
http://munin-monitoring.org/browser/tags/1.4.7/master/_bin/munin-cgi-graph.in
(Currently rev3960)

The reported URL says:
Found in version munin/2.0~rc4-1
Fixed in version munin/2.0~rc6-1

Does this CVE apply to 1.4 ?