oss-sec mailing list archives
Re: Bug#668667: CVE Request (minor) -- Two Munin graphing framework flaws
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 29 Apr 2012 00:55:47 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/27/2012 09:41 AM, Steve Schnepp wrote:
On Wed, Apr 18, 2012 at 07:04, Kurt Seifried <kseifried () redhat com> wrote:In addition munin parses parts of the query string. You are allowed to modify the size of the image. By choosing a path "....png?size_x=20000&size_y=20000&uniquestuff" you can do the same attack while simultaneously using a large image size. The raw image would be 381M (assuming 8bits/pixel) in this case. A png version will likely be smaller, say 4M? So now you have an amplification of 4M/request. Note that this query can get a node into swapping, because rrdtool needs to create the whole image in main memory.
Please use CVE-2012-2147 for this issue (specifying the size = lots of ram/storage space used up during image creation).
Ouch.I believe I fixed the bug in r4825, since : - url with query string aren't stored permanently anymore. - /tmp isn't used anymore per default (to fix #668536) Could you confirm that ? OTOH, the issue about very big imgs that gets the cgi into swapping isn't the same bug to be. As Helmut noticed, there is already a size cap in rrd, so do I still need implement one in munin ? If yes, would you mind to file another bugreport (for RAM exhaustion) ? Thx ! r4825: http://munin-monitoring.org/changeset/4825 -- Steve Schnepp http://blog.pwkf.org/
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPnOXzAAoJEBYNRVNeJnmTLncP/RHZ+19XnFy/mLRv+CqqwOSB MEwn6nDbgN8+MP4uhq0542cOy0611VYpB8ftPJxWBPRWhLPuyYTtaxe87esYmLp6 JTO/OPonytkmWrBtD7Ta7amxiJAJFERjoZVuByiY+aZAX9WsVYiCpzlAl7E8NL5u L11RuZU7vsnn7vSsRomlKcQ/eRMHouUKqwcVB8GAW0vh1V2l+bpAorBTZvI1/zPX QcDGYWX7w7GsmUXAe4P6TcpS9lXJDzHpYTf9YzSMLaPDDevhcoR+hwSdnia6Uz22 mpH2mf/d2vCY0o1FKWwR7ZDB7I8zdUmRSx96Umo/UikJknbHEc4zwfSYW2TefZIv G8cGMSYo35i/chJpf23iIcvKIvkQSs+1FCHep7OLuF6R1P0XnxXx2q78v3GjZC6C u6gSia1jT672xo1qEMArEOzj3h9/tNLt0YdIR+vTENYo/qhZf5DidbYZvIjlA24b Krbz/Fbcf8ayzctwuWvju4Kep602eM002FnYowXbN9rziz636yIWqJiQMaPMHYYo A7Y9qJFCUcophkaY0WAc6E1doM/+yKYduIsDbenXFoSqS6NFyjmlTfNA7rbxeWC3 HvDnM1tG5YLd2PpzfmvMZfyH95ora0ecAiqAbZyn/On4ddgh9jEdwn3E0wt6N3N3 h9sOLiYT90i3gZibguID =E8X5 -----END PGP SIGNATURE-----
Current thread:
- CVE Request (minor) -- Two Munin graphing framework flaws Jan Lieskovsky (Apr 16)
- Re: CVE Request (minor) -- Two Munin graphing framework flaws Kurt Seifried (Apr 16)
- Re: CVE Request (minor) -- Two Munin graphing framework flaws Helmut Grohne (Apr 16)
- Re: CVE Request (minor) -- Two Munin graphing framework flaws Kurt Seifried (Apr 17)
- Re: CVE Request (minor) -- Two Munin graphing framework flaws Helmut Grohne (Apr 17)
- Re: CVE Request (minor) -- Two Munin graphing framework flaws Kurt Seifried (Apr 18)
- Re: Bug#668667: CVE Request (minor) -- Two Munin graphing framework flaws Kenyon Ralph (Apr 18)
- Re: [Packaging] Bug#668667: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws Holger Levsen (Apr 18)
- Re: CVE Request (minor) -- Two Munin graphing framework flaws Helmut Grohne (Apr 16)
- Re: CVE Request (minor) -- Two Munin graphing framework flaws Kurt Seifried (Apr 16)
- Re: Bug#668667: CVE Request (minor) -- Two Munin graphing framework flaws Steve Schnepp (Apr 27)
- Re: Bug#668667: CVE Request (minor) -- Two Munin graphing framework flaws Kurt Seifried (Apr 28)