Thomas Pollet (thomas.pollet) reports:

Also, the rrdtool python module crashes on format string exploit

$ python -c "import rrdtool
rrdtool.graph('/tmp/out.png','-f','%n%n')"
Segmentation fault

this module is used by zenoss to create graphs (zenoss users are able to pass arguments to rrdtool).
Created rrdtool tracking bugs for this issue Affects: fedora-all [bug 969310]
Created rrdtool tracking bugs for this issue Affects: epel-5 [bug 969311]
(In reply to Kurt Seifried from comment #0)
> Thomas Pollet (thomas.pollet) reports:
>
> Also, the rrdtool python module crashes on format string exploit
> $ python -c "import rrdtool
> rrdtool.graph('/tmp/out.png','-f','%n%n')"
> Segmentation fault
>

From my point of view this is not a bug. It is a python binding for the rrdtool library, which uses printf functionality for graph formatting. This means the caller is responsible for the correct format (the same as with the printf call). However, I think we could add the format check into the library function as an RFE; it shouldn't cost much. I will ask the upstream maintainer for his opinion.

> this module is used by zenoss to create graphs (zenoss users are able to
> pass arguments to rrdtool).
>

Zenoss shouldn't do that, and if it does, it should parse and check the user input, as a user-space application should always do. Well, to be honest, we should add the check to the rrdtool application too :)

$ rrdtool graph /tmp/out.png -f '%n%n'
*** %n in writable segment detected ***
Aborted (core dumped)
Created attachment 756318 [details]
Proposed patch

> However, I think we could add the format check into the library function as RFE, it shouldn't cost much. I will ask the upstream maintainer for his opinion.

Proposed patch.
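The library-side format check discussed in the comments above, as an added example for illustration only: it is neither the attached patch (756318) nor the upstream fix, and the function names check_format and print_imginfo, the allow-list of conversions and the max_conv argument limit are this example's own assumptions rather than rrdtool's API. The validator walks a printf-style format string the way printf would, rejects %n and any conversion outside a fixed allow-list, refuses '*' widths (which would pull an extra argument off the stack), and fails any format that names more conversions than the caller will actually supply. The wrapper shows the check gating the printf call for an --imginfo style option, which the rrdgraph documentation describes as a printf format supplied with the filename, xsize and ysize.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allow-list of conversions a caller may use when the library
 * itself supplies the arguments (integers, doubles, one string).
 * '%n' is deliberately absent: it writes to memory instead of producing
 * output, which is what the '%n%n' report above triggers. */
static const char ALLOWED_CONV[] = "diufeEgGxXs";

/* Walk fmt as printf would.  Returns the number of conversions, or -1 if
 * the format uses %n, a disallowed or unterminated conversion, a '*'
 * width/precision (which would consume an extra argument), or more
 * conversions than max_conv (the number of arguments the caller really
 * passes, so surplus conversions cannot read garbage off the stack). */
int check_format(const char *fmt, int max_conv)
{
    int count = 0;

    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%": literal percent, no argument */
            continue;

        /* flags */
        while (*p == '-' || *p == '+' || *p == ' ' || *p == '#' || *p == '0')
            p++;
        /* width: digits only, never '*' */
        while (*p >= '0' && *p <= '9')
            p++;
        /* precision */
        if (*p == '.') {
            p++;
            while (*p >= '0' && *p <= '9')
                p++;
        }
        /* length modifiers (%lu, %lf, %lld, %hd) */
        while (*p == 'l' || *p == 'h' || *p == 'L')
            p++;

        /* the conversion character itself must be on the allow-list;
         * this also catches a dangling '%' at the end of the string */
        if (*p == '\0' || strchr(ALLOWED_CONV, *p) == NULL)
            return -1;
        if (++count > max_conv)
            return -1;
    }
    return count;
}

/* Hypothetical wrapper for an --imginfo style option: the format is only
 * handed to printf once it has passed the check.  Three arguments
 * (filename, xsize, ysize), as the rrdgraph documentation describes. */
int print_imginfo(const char *fmt, const char *fname,
                  unsigned long xsize, unsigned long ysize)
{
    if (check_format(fmt, 3) < 0)
        return -1;
    /* validated above: at most three conversions, none of them %n */
    printf(fmt, fname, xsize, ysize);
    printf("\n");
    return 0;
}

int main(void)
{
    /* constructed inputs: the documented imginfo shape, and the crasher */
    const char *ok  = "<IMG SRC=\"%s\" WIDTH=\"%lu\" HEIGHT=\"%lu\">";
    const char *bad = "%n%n";

    printf("%s -> %d\n", ok,  check_format(ok, 3));   /* 3 */
    printf("%s -> %d\n", bad, check_format(bad, 3));  /* -1 */
    print_imginfo(ok, "/tmp/out.png", 400UL, 100UL);
    return 0;
}
```

The check deliberately validates only the conversion set and count; it does not know the C types the library will pass, so the allow-list should be narrowed to the conversions that match those types (for example %lu for the sizes and %s for the filename) in any real use.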
Upstream ticket: https://github.com/oetiker/rrdtool-1.x/issues/396
Upstream documentation suggests that passing printf style arguments to 'rrdtool graph' is a feature of the tool. As per: http://oss.oetiker.ch/rrdtool/doc/rrdgraph.en.html Therefore this issue cannot be considered as a security flaw.
Statement: Red Hat Security Response Team does not consider this flaw to be a security issue, since this is a documented feature of the application.
FYI the fix was merged upstream as #397, so it shouldn't be an issue any more for user space applications that do not check the format.