Bug 969296 (CVE-2013-2131) - CVE-2013-2131 rrdtool: crashes on format string exploit
Summary: CVE-2013-2131 rrdtool: crashes on format string exploit
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-2131
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 969310 969311
Blocks: 969308
TreeView+ depends on / blocked
 
Reported: 2013-05-31 07:02 UTC by Kurt Seifried
Modified: 2021-02-17 07:39 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-06-05 03:06:36 UTC
Embargoed:


Attachments (Terms of Use)
Proposed patch (1.83 KB, patch)
2013-06-03 14:01 UTC, Jaroslav Škarvada
no flags Details | Diff

Description Kurt Seifried 2013-05-31 07:02:35 UTC
Thomas Pollet (thomas.pollet) reports:

Also, the rrdtool python module crashes on format string exploit
$ python -c "import rrdtool
rrdtool.graph('/tmp/out.png','-f','%n%n')"
Segmentation fault

this module is used by zenoss to create graphs (zenoss users are able to
pass arguments to rrdtool).

Comment 1 Kurt Seifried 2013-05-31 07:46:57 UTC
Created rrdtool tracking bugs for this issue

Affects: fedora-all [bug 969310]

Comment 2 Kurt Seifried 2013-05-31 07:47:33 UTC
Created rrdtool tracking bugs for this issue

Affects: epel-5 [bug 969311]

Comment 3 Jaroslav Škarvada 2013-06-03 12:33:41 UTC
(In reply to Kurt Seifried from comment #0)
> Thomas Pollet (thomas.pollet) reports:
> 
> Also, the rrdtool python module crashes on format string exploit
> $ python -c "import rrdtool
> rrdtool.graph('/tmp/out.png','-f','%n%n')"
> Segmentation fault
> 
From my point of view this is not a bug. It is python binding for rrdtool library which uses printf functionality for graph formatting. This mean the caller is responsible for the correct format (the same as with the printf call).

However, I think we could add the format check into the library function as RFE, it shouldn't cost much. I will ask the upstream maintainer for his opinion.

> this module is used by zenoss to create graphs (zenoss users are able to
> pass arguments to rrdtool).
>
The zenoss shouldn't do that and if it do, it should parse and check the user input as user space application should always do.

Well, to be honest we should add the check to rrdtool application too :)
$ rrdtool graph /tmp/out.png -f '%n%n'
*** %n in writable segment detected ***
Aborted (core dumped)

Comment 4 Jaroslav Škarvada 2013-06-03 14:01:27 UTC
Created attachment 756318 [details]
Proposed patch

> However, I think we could add the format check into the library function as RFE, it shouldn't cost much. I will ask the upstream maintainer for his opinion.

Proposed patch.

Comment 5 Jaroslav Škarvada 2013-06-03 14:13:06 UTC
Upstream ticket:
https://github.com/oetiker/rrdtool-1.x/issues/396

Comment 6 Huzaifa S. Sidhpurwala 2013-06-05 02:59:28 UTC
Upstream documentation suggests that passing printf style arguments to 'rrdtool graph' is a feature of the the tool. As per:

http://oss.oetiker.ch/rrdtool/doc/rrdgraph.en.html

Therefore this issue cannot be considered as a security flaw.

Comment 7 Huzaifa S. Sidhpurwala 2013-06-05 03:06:03 UTC
Statement:

Red Hat Security Response Team does not consider this flaw to be a security issue, since this is a documented feature of the application.

Comment 8 Jaroslav Škarvada 2013-06-07 07:45:27 UTC
FYI the fix was merged upstream as #397, so it shouldn't be issue any more for user space applications that do not check the format.


Note You need to log in before you can comment on or make changes to this bug.