oss-sec mailing list archives

Re: Bug#668667: CVE Request (minor) -- Two Munin graphing framework flaws

From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 29 Apr 2012 00:55:47 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/27/2012 09:41 AM, Steve Schnepp wrote:

On Wed, Apr 18, 2012 at 07:04, Kurt Seifried <kseifried () redhat com>
wrote:

In addition munin parses parts of the query string. You are
allowed to modify the size of the image. By choosing a path 
"....png?size_x=20000&size_y=20000&uniquestuff" you can do the 
same attack while simultaneously using a large image size. The
raw image would be 381M (assuming 8bits/pixel) in this case. A
png version will likely be smaller, say 4M? So now you have an 
amplification of 4M/request. Note that this query can get a
node into swapping, because rrdtool needs to create the whole
image in main memory.


Please use CVE-2012-2147 for this issue (specifying the size = lots of
ram/storage space used up during image creation).

Ouch.


I believe I fixed the bug in r4825, since : - url with query string
aren't stored permanently anymore. - /tmp isn't used anymore per
default (to fix #668536)

Could you confirm that ?

OTOH, the issue about very big imgs that gets the cgi into
swapping isn't the same bug to be.

As Helmut noticed, there is already a size cap in rrd, so do I
still need implement one in munin ? If yes, would you mind to file
another bugreport (for RAM exhaustion) ?

Thx !

r4825: http://munin-monitoring.org/changeset/4825

-- Steve Schnepp http://blog.pwkf.org/



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPnOXzAAoJEBYNRVNeJnmTLncP/RHZ+19XnFy/mLRv+CqqwOSB
MEwn6nDbgN8+MP4uhq0542cOy0611VYpB8ftPJxWBPRWhLPuyYTtaxe87esYmLp6
JTO/OPonytkmWrBtD7Ta7amxiJAJFERjoZVuByiY+aZAX9WsVYiCpzlAl7E8NL5u
L11RuZU7vsnn7vSsRomlKcQ/eRMHouUKqwcVB8GAW0vh1V2l+bpAorBTZvI1/zPX
QcDGYWX7w7GsmUXAe4P6TcpS9lXJDzHpYTf9YzSMLaPDDevhcoR+hwSdnia6Uz22
mpH2mf/d2vCY0o1FKWwR7ZDB7I8zdUmRSx96Umo/UikJknbHEc4zwfSYW2TefZIv
G8cGMSYo35i/chJpf23iIcvKIvkQSs+1FCHep7OLuF6R1P0XnxXx2q78v3GjZC6C
u6gSia1jT672xo1qEMArEOzj3h9/tNLt0YdIR+vTENYo/qhZf5DidbYZvIjlA24b
Krbz/Fbcf8ayzctwuWvju4Kep602eM002FnYowXbN9rziz636yIWqJiQMaPMHYYo
A7Y9qJFCUcophkaY0WAc6E1doM/+yKYduIsDbenXFoSqS6NFyjmlTfNA7rbxeWC3
HvDnM1tG5YLd2PpzfmvMZfyH95ora0ecAiqAbZyn/On4ddgh9jEdwn3E0wt6N3N3
h9sOLiYT90i3gZibguID
=E8X5
-----END PGP SIGNATURE-----

Current thread:

CVE Request (minor) -- Two Munin graphing framework flaws Jan Lieskovsky (Apr 16)
- Re: CVE Request (minor) -- Two Munin graphing framework flaws Kurt Seifried (Apr 16)
  - Re: CVE Request (minor) -- Two Munin graphing framework flaws Helmut Grohne (Apr 16)
    - Re: CVE Request (minor) -- Two Munin graphing framework flaws Kurt Seifried (Apr 17)
    - Re: CVE Request (minor) -- Two Munin graphing framework flaws Helmut Grohne (Apr 17)
    - Re: CVE Request (minor) -- Two Munin graphing framework flaws Kurt Seifried (Apr 18)
    - Re: Bug#668667: CVE Request (minor) -- Two Munin graphing framework flaws Kenyon Ralph (Apr 18)
    - Re: [Packaging] Bug#668667: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws Holger Levsen (Apr 18)
    - Re: Bug#668667: CVE Request (minor) -- Two Munin graphing framework flaws Steve Schnepp (Apr 27)
    - Re: Bug#668667: CVE Request (minor) -- Two Munin graphing framework flaws Kurt Seifried (Apr 28)