Bug 969296 - (CVE-2013-2131) CVE-2013-2131 rrdtool: crashes on format string exploit
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20130418,repor...
: Security
Depends On: 969310 969311
Blocks: 969308
Reported: 2013-05-31 03:02 EDT by Kurt Seifried
Modified: 2015-07-31 03:06 EDT
Doc Type: Bug Fix
Last Closed: 2013-06-04 23:06:36 EDT

Attachments
Proposed patch (1.83 KB, patch)
2013-06-03 10:01 EDT, Jaroslav Škarvada
Description Kurt Seifried 2013-05-31 03:02:35 EDT
Thomas Pollet (thomas.pollet@gmail.com) reports:

Also, the rrdtool python module crashes on format string exploit
$ python -c "import rrdtool
rrdtool.graph('/tmp/out.png','-f','%n%n')"
Segmentation fault

this module is used by zenoss to create graphs (zenoss users are able to
pass arguments to rrdtool).
Comment 1 Kurt Seifried 2013-05-31 03:46:57 EDT
Created rrdtool tracking bugs for this issue

Affects: fedora-all [bug 969310]
Comment 2 Kurt Seifried 2013-05-31 03:47:33 EDT
Created rrdtool tracking bugs for this issue

Affects: epel-5 [bug 969311]
Comment 3 Jaroslav Škarvada 2013-06-03 08:33:41 EDT
(In reply to Kurt Seifried from comment #0)
> Thomas Pollet (thomas.pollet@gmail.com) reports:
> 
> Also, the rrdtool python module crashes on format string exploit
> $ python -c "import rrdtool
> rrdtool.graph('/tmp/out.png','-f','%n%n')"
> Segmentation fault
> 
From my point of view this is not a bug. It is a Python binding for the rrdtool library, which uses printf functionality for graph formatting. This means the caller is responsible for the correct format (the same as with the printf call).

However, I think we could add the format check into the library function as an RFE; it shouldn't cost much. I will ask the upstream maintainer for his opinion.

> this module is used by zenoss to create graphs (zenoss users are able to
> pass arguments to rrdtool).
>
Zenoss shouldn't do that, and if it does, it should parse and check the user input, as a user space application should always do.

Well, to be honest, we should add the check to the rrdtool application too :)
$ rrdtool graph /tmp/out.png -f '%n%n'
*** %n in writable segment detected ***
Aborted (core dumped)
Comment 4 Jaroslav Škarvada 2013-06-03 10:01:27 EDT
Created attachment 756318
Proposed patch

> However, I think we could add the format check into the library function as an RFE; it shouldn't cost much. I will ask the upstream maintainer for his opinion.

Proposed patch.
Comment 5 Jaroslav Škarvada 2013-06-03 10:13:06 EDT
Upstream ticket:
https://github.com/oetiker/rrdtool-1.x/issues/396
Comment 6 Huzaifa S. Sidhpurwala 2013-06-04 22:59:28 EDT
Upstream documentation suggests that passing printf style arguments to 'rrdtool graph' is a feature of the tool. As per:

http://oss.oetiker.ch/rrdtool/doc/rrdgraph.en.html

Therefore this issue cannot be considered as a security flaw.
Comment 7 Huzaifa S. Sidhpurwala 2013-06-04 23:06:03 EDT
Statement:

Red Hat Security Response Team does not consider this flaw to be a security issue, since this is a documented feature of the application.
Comment 8 Jaroslav Škarvada 2013-06-07 03:45:27 EDT
FYI the fix was merged upstream as #397, so it shouldn't be an issue any more for user space applications that do not check the format.
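
The kind of format check proposed in comment 3, written here as an added example; it is not the attached patch and not the upstream fix. It assumes, following the rrdgraph documentation for -f/--imginfo, that the format is handed to printf together with a filename string and two unsigned long sizes; the function name imginfo_format_ok is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not rrdtool's code. Returns 1 if fmt is safe for
 *   printf(fmt, const char *filename, unsigned long xsize, unsigned long ysize)
 * (assumed argument list for the -f format), 0 otherwise. */
int imginfo_format_ok(const char *fmt)
{
    /* Conversions must match the arguments in order; fewer is allowed. */
    static const char *const expected[] = { "s", "lu", "lu" };
    size_t next = 0, len;
    const char *p;

    if (fmt == NULL)
        return 0;
    for (p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;               /* literal character */
        if (*++p == '%')
            continue;               /* "%%" consumes no argument */
        if (*p == '-')
            p++;                    /* left-justify is the only flag accepted */
        if (*p != '0')              /* '0' flag is undefined for %s: reject */
            while (*p >= '0' && *p <= '9')
                p++;                /* literal width; '*' and "N$" fall through */
        if (*p == '.')
            for (p++; *p >= '0' && *p <= '9'; p++)
                ;                   /* literal precision */
        if (next >= sizeof expected / sizeof expected[0])
            return 0;               /* more conversions than arguments */
        len = strlen(expected[next]);
        if (strncmp(p, expected[next], len) != 0)
            return 0;               /* %n, wrong type, '*', '$' or lone '%' */
        p += len - 1;               /* loop increment steps past the conversion */
        next++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "<IMG SRC=\"/img/%s\" WIDTH=\"%lu\" HEIGHT=\"%lu\">",
                              "%n%n", "%s%s", "%*s", "100%% %-20s %lu" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %s\n", imginfo_format_ok(samples[i]) ? "accept" : "reject",
               samples[i]);
    return 0;
}
```

A caller would run this check on the user-supplied string before it reaches printf and refuse the request when it returns 0.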
