Date: Fri, 27 Apr 2012 17:41:48 +0200
From: Steve Schnepp <>
To: Kurt Seifried <>,
Cc:, Helmut Grohne <>, 
	Jan Lieskovsky <>, "Steven M. Christey" <>
Subject: Re: Bug#668667: CVE Request (minor) -- Two Munin
 graphing framework flaws

On Wed, Apr 18, 2012 at 07:04, Kurt Seifried <> wrote:
>> In addition munin parses parts of the query string. You are allowed
>> to modify the size of the image. By choosing a path
>> "....png?size_x=20000&size_y=20000&uniquestuff" you can do the
>> same attack while simultaneously using a large image size. The raw
>> image would be 381M (assuming 8bits/pixel) in this case. A png
>> version will likely be smaller, say 4M? So now you have an
>> amplification of 4M/request. Note that this query can get a node
>> into swapping, because rrdtool needs to create the whole image in
>> main memory.

> Ouch.

I believe I fixed the bug in r4825, since:
- URLs with query strings aren't stored permanently anymore.
- /tmp isn't used anymore by default (to fix #668536)

Could you confirm that?

OTOH, the issue about very big imgs that get the cgi into swapping
isn't the same bug to me.

As Helmut noticed, there is already a size cap in rrd, so do I still
need to implement one in munin? If yes, would you mind filing another
bug report (for RAM exhaustion)?

Thx!


Steve Schnepp
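
A size cap of the kind asked about in this message, as an added example that is not part of the original post and is not Munin or rrdtool code. The limits, the default size, the function names and the sample URLs are assumptions made for illustration; only the `size_x` and `size_y` parameter names and the 8 bits/pixel estimate come from the quoted text.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed limits for this example; not values taken from Munin or rrdtool.
MAX_SIZE_X = 4000
MAX_SIZE_Y = 4000
MAX_RAW_BYTES = 8 * 1024 * 1024
BYTES_PER_PIXEL = 1          # the 8 bits/pixel assumption from the quoted message
DEFAULT_SIZE = (400, 175)    # constructed default, used when a parameter is absent


class RejectedRequest(ValueError):
    """Raised before any rendering work is started."""


def raw_image_bytes(size_x, size_y):
    """Memory needed to hold the uncompressed canvas."""
    return size_x * size_y * BYTES_PER_PIXEL


def _dimension(params, name, default, limit):
    values = params.get(name)
    if values is None:
        return default
    # Exactly one value, ASCII digits only, short enough that int() stays cheap.
    if len(values) != 1 or not re.fullmatch(r"[0-9]{1,6}", values[0]):
        raise RejectedRequest(f"{name}: not a plain integer")
    value = int(values[0])
    if not 1 <= value <= limit:
        raise RejectedRequest(f"{name}={value} outside 1..{limit}")
    return value


def check_graph_request(url):
    """Return (path, size_x, size_y); unknown parameters are dropped from the key."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    size_x = _dimension(params, "size_x", DEFAULT_SIZE[0], MAX_SIZE_X)
    size_y = _dimension(params, "size_y", DEFAULT_SIZE[1], MAX_SIZE_Y)
    if raw_image_bytes(size_x, size_y) > MAX_RAW_BYTES:
        raise RejectedRequest("canvas exceeds raw memory budget")
    return parts.path, size_x, size_y


if __name__ == "__main__":
    # Constructed URLs; the second is the shape described in the quoted message.
    for url in ("/constructed/graph-day.png?size_x=800&size_y=400&uniquestuff",
                "/constructed/graph-day.png?size_x=20000&size_y=20000&uniquestuff"):
        try:
            print(check_graph_request(url))
        except RejectedRequest as exc:
            print("rejected:", exc)
    print(raw_image_bytes(20000, 20000) // 2**20, "MiB raw at 20000x20000")
```

The combined byte budget matters as well as the per-axis limits: with these assumed values a 4000x4000 request passes each axis check but is still refused.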
