Date: Sun, 29 Apr 2012 00:55:47 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Steve Schnepp <steve.schnepp@...il.com>
CC: 668667@...s.debian.org, oss-security@...ts.openwall.com,
        Helmut Grohne <helmut@...divi.de>,
        Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: Bug#668667: CVE Request (minor) -- Two Munin graphing framework flaws

On 04/27/2012 09:41 AM, Steve Schnepp wrote:
> On Wed, Apr 18, 2012 at 07:04, Kurt Seifried <kseifried@...hat.com>
> wrote:
>>> In addition munin parses parts of the query string. You are
>>> allowed to modify the size of the image. By choosing a path 
>>> "....png?size_x=20000&size_y=20000&uniquestuff" you can do the 
>>> same attack while simultaneously using a large image size. The
>>> raw image would be 381M (assuming 8bits/pixel) in this case. A
>>> png version will likely be smaller, say 4M? So now you have an 
>>> amplification of 4M/request. Note that this query can get a
>>> node into swapping, because rrdtool needs to create the whole
>>> image in main memory.

Please use CVE-2012-2147 for this issue (specifying the size = lots of
ram/storage space used up during image creation).

> 
>> Ouch.
> 
> I believe I fixed the bug in r4825, since:
> - URLs with query strings aren't stored permanently anymore.
> - /tmp isn't used anymore per default (to fix #668536)
> 
> Could you confirm that ?
> 
> OTOH, the issue about very big images that get the CGI into
> swapping isn't the same bug to me.
> 
> As Helmut noticed, there is already a size cap in rrd, so do I
> still need to implement one in Munin? If yes, would you mind filing
> another bug report (for RAM exhaustion)?
> 
> Thx !
> 
> r4825: http://munin-monitoring.org/changeset/4825
> 
> -- Steve Schnepp http://blog.pwkf.org/


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

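The two controls the thread discusses, a cap on the requested image size (the RAM exhaustion half) and a cache key that ignores arbitrary query-string noise (the storage half), as an added example that is not Munin's or rrdtool's code. It uses the report's 8 bits/pixel figure to estimate the raw rasterisation cost; the dimension limit, byte cap and default size are assumptions chosen for the example.

```python
# Added example, not Munin code: validate size_x/size_y from a graph request's
# query string and derive a bounded cache key from validated parameters only.
from urllib.parse import parse_qs

# Limits and defaults are assumptions for this example, not Munin/rrdtool values.
MAX_DIMENSION = 2000          # pixels allowed per axis
MAX_RAW_BYTES = 16 * 1024**2  # rasteriser memory permitted per request (16 MiB)
BYTES_PER_PIXEL = 1           # 8 bits/pixel, the figure used in the report
DEFAULT_SIZE = (400, 175)     # constructed defaults when no size is requested


def raw_image_bytes(size_x, size_y, bytes_per_pixel=BYTES_PER_PIXEL):
    """Memory rrdtool needs to hold the whole uncompressed image."""
    return size_x * size_y * bytes_per_pixel


def parse_size(query, name, default):
    """Read one dimension, enforcing integer type and the per-axis limit."""
    values = query.get(name)
    if not values:
        return default
    try:
        value = int(values[0])
    except ValueError:
        raise ValueError(f"{name} is not an integer") from None
    if value <= 0 or value > MAX_DIMENSION:
        raise ValueError(f"{name}={value} outside 1..{MAX_DIMENSION}")
    return value


def check_graph_request(query_string):
    """Return (size_x, size_y, raw_bytes) or raise ValueError before rrdtool runs."""
    query = parse_qs(query_string, keep_blank_values=True)
    size_x = parse_size(query, "size_x", DEFAULT_SIZE[0])
    size_y = parse_size(query, "size_y", DEFAULT_SIZE[1])
    raw = raw_image_bytes(size_x, size_y)
    if raw > MAX_RAW_BYTES:
        raise ValueError(f"raw image would be {raw} bytes, over {MAX_RAW_BYTES}")
    return size_x, size_y, raw


def cache_key(path, query_string):
    """Key built only from allow-listed, validated parameters, so unique junk
    appended to the query string cannot create unbounded distinct cache files."""
    size_x, size_y, _ = check_graph_request(query_string)
    return f"{path}?size_x={size_x}&size_y={size_y}"
```

Note that `raw_image_bytes(20000, 20000)` reproduces the 381 MiB figure from the report, and the same request is rejected by `check_graph_request` before any rasterisation happens.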