Launchpad has imported 12 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=480236.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2009-01-15T20:23:49+00:00 Tomas wrote:

A stack-based buffer overflow was discovered in the gmetad server, part
of the ganglia monitoring system.  Quoting original report:

  In process_path() a char element[256] is allocated to contain the pieces
  of the path as it is processed. If a request is made with a path element
  longer than that, the strncpy call will write to an invalid memory location,
  since there is no length checking performed on the input data to make sure
  it is less than the size of element.

Full report:
http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg04929.html

Upstream bug:
  http://bugzilla.ganglia.info/cgi-bin/bugzilla/show_bug.cgi?id=223

Upstream fix:
  http://ganglia.svn.sourceforge.net/viewvc/ganglia?view=rev&revision=1946
and status file note:
  http://ganglia.svn.sourceforge.net/viewvc/ganglia?view=rev&revision=1947

Reply at: https://bugs.launchpad.net/ubuntu/+source/ganglia-monitor-core/+bug/319111/comments/0

------------------------------------------------------------------------
On 2009-01-15T21:28:57+00:00 Kostas wrote:

Unfortunately the fix introduces an off by one error so it still needs
work.

Reply at: https://bugs.launchpad.net/ubuntu/+source/ganglia-monitor-core/+bug/319111/comments/1

------------------------------------------------------------------------
On 2009-01-16T10:04:31+00:00 Tomas wrote:

This overflow occurs in the strncpy call (which uses the input length as a
bound, not the destination buffer size) and it is detected by
FORTIFY_SOURCE.  Therefore, this cannot be exploited for code execution:
the overflow is detected before data are written past the end of the
buffer and program execution is terminated.  This is a DoS-only flaw on
Fedora or Red Hat HPC Solution.

Reply at: https://bugs.launchpad.net/ubuntu/+source/ganglia-monitor-core/+bug/319111/comments/2
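The strncpy misuse described in comment 0 and comment 2, and the off-by-one that comments 1, 5 and 7 say the first fix introduced, side by side as an added C example. This is not code from ganglia's gmetad/server.c; it is a reconstruction of the pattern the report describes. Only the 256-byte element buffer is taken from the report; the path grammar, the function names (next_piece, split_path_vulnerable, split_path_hardened, overflow_bytes, hardened_count, long_request), the 16-piece limit and the sample requests are my own assumptions:

```c
#include <stdio.h>
#include <string.h>

/* The report says process_path() copies each piece of the request path into
 * "char element[256]"; the same size is used here. All names are mine. */
#define ELEMENT_SIZE 256
#define MAX_ELEMENTS 16

/* Skip '/' separators and measure the next piece. Returns NULL at end of
 * input, otherwise the start of the piece with its length in *len. */
static const char *next_piece(const char *p, size_t *len)
{
    while (*p == '/') p++;
    if (!*p) return NULL;
    const char *end = strchr(p, '/');
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* Vulnerable form, reconstructed from the report's description (not gmetad's
 * source). The bound given to strncpy is the length of the attacker-supplied
 * piece, not sizeof element, so a piece of 256 bytes or more runs off the end
 * of the stack buffer. Never run it on untrusted input. */
static int split_path_vulnerable(const char *path)
{
    char element[ELEMENT_SIZE];
    size_t len; int count = 0;
    while ((path = next_piece(path, &len)) != NULL) {
        strncpy(element, path, len);   /* BUG: len never compared to sizeof element */
        element[len] = '\0';           /* BUG: out of bounds once len >= 256 */
        count++;
        path += len;
    }
    return count;
}

/* How many bytes the vulnerable form would write past the end of element[]
 * on this request; 0 means it fits. A piece of exactly 256 bytes already
 * overflows by one byte: the terminator. */
static size_t overflow_bytes(const char *path)
{
    size_t len, longest = 0;
    while ((path = next_piece(path, &len)) != NULL) {
        if (len > longest) longest = len;
        path += len;
    }
    return longest + 1 > ELEMENT_SIZE ? longest + 1 - ELEMENT_SIZE : 0;
}

/* Hardened form: each piece is checked against the destination size before
 * anything is copied. The test is len >= ELEMENT_SIZE, not len > ELEMENT_SIZE:
 * a 256-byte piece plus its NUL needs 257 bytes, which is the off-by-one the
 * follow-up comments fix. Returns the count, -1 for an over-long piece, -2
 * for too many pieces. */
static int split_path_hardened(const char *path, char out[][ELEMENT_SIZE], int max_out)
{
    size_t len; int count = 0;
    while ((path = next_piece(path, &len)) != NULL) {
        if (len >= ELEMENT_SIZE) return -1;   /* no room for the terminator */
        if (count >= max_out) return -2;
        memcpy(out[count], path, len);
        out[count][len] = '\0';
        count++;
        path += len;
    }
    return count;
}

/* Shared piece array plus a wrapper, so callers can inspect both the count
 * and the pieces themselves. */
static char parts[MAX_ELEMENTS][ELEMENT_SIZE];
static int hardened_count(const char *path)
{
    return split_path_hardened(path, parts, MAX_ELEMENTS);
}

/* Constructed request "/AAAA..." whose single piece is piece_len bytes. */
static const char *long_request(size_t piece_len)
{
    static char buf[1024];
    if (piece_len > sizeof buf - 2) piece_len = sizeof buf - 2;
    buf[0] = '/';
    memset(buf + 1, 'A', piece_len);
    buf[piece_len + 1] = '\0';
    return buf;
}

int main(void)
{
    const char *good = "/cluster/node01/load_one";   /* constructed sample path */
    int n = hardened_count(good);
    /* The vulnerable splitter is only ever run on this short, trusted path. */
    printf("good: %d pieces, last \"%s\", vulnerable splitter agrees: %d, overflow=%zu\n",
           n, parts[n - 1], split_path_vulnerable(good), overflow_bytes(good));
    for (size_t len = 255; len <= 257; len++)   /* 255 fits; 256 and 257 do not */
        printf("%zu-byte piece: hardened=%d, overflow=%zu bytes\n", len,
               hardened_count(long_request(len)), overflow_bytes(long_request(len)));
    return 0;
}
```

Building this with gcc -O2 -D_FORTIFY_SOURCE=2 turns the strncpy in split_path_vulnerable into the checked variant that aborts at run time when len exceeds the compiler-known size of element[], which is the behaviour comment 2 relies on for the DoS-only assessment; without FORTIFY_SOURCE, or when the destination size is not visible to the compiler, the same call silently overwrites the stack. In the hardened splitter, `len >= ELEMENT_SIZE` is the check to keep: `len > ELEMENT_SIZE` accepts a 256-byte piece and lets the terminator land one byte past the buffer.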

------------------------------------------------------------------------
On 2009-01-18T07:31:22+00:00 Arenas wrote:

Could a CVE be requested by Red Hat's CNA to ease tracking for all
affected parties? AFAIK there is a SecurityFocus BID already assigned:

  http://www.securityfocus.com/bid/33299

Reply at: https://bugs.launchpad.net/ubuntu/+source/ganglia-monitor-core/+bug/319111/comments/3

------------------------------------------------------------------------
On 2009-01-19T08:09:25+00:00 Tomas wrote:

We do not assign ids for already public issues, to minimize the risk of
duplicating Mitre's assignments.  A request for an id was made a couple of
days ago via a list that is monitored by Mitre for new issues:
  http://www.openwall.com/lists/oss-security/2009/01/15/3

Reply at: https://bugs.launchpad.net/ubuntu/+source/ganglia-monitor-core/+bug/319111/comments/4

------------------------------------------------------------------------
On 2009-01-19T08:22:24+00:00 Tomas wrote:

(In reply to comment #1)
> Unfortunately the fix introduces an off by one error so it still needs work.

Current version of the patch, including your fix for off-by-one:
http://ganglia.svn.sourceforge.net/viewvc/ganglia/trunk/monitor-core/gmetad/server.c?r1=1233&r2=1950

Reply at: https://bugs.launchpad.net/ubuntu/+source/ganglia-monitor-core/+bug/319111/comments/5

------------------------------------------------------------------------
On 2009-01-20T08:24:48+00:00 Tomas wrote:

The patch was updated again upstream, fixing another off-by-one in the 
request[] buffer:
http://ganglia.svn.sourceforge.net/viewvc/ganglia?view=rev&revision=1953

Whole patch:
http://ganglia.svn.sourceforge.net/viewvc/ganglia/trunk/monitor-core/gmetad/server.c?r1=1233&r2=1953

Reply at: https://bugs.launchpad.net/ubuntu/+source/ganglia-monitor-core/+bug/319111/comments/7

------------------------------------------------------------------------
On 2009-01-20T22:11:56+00:00 Fedora wrote:

ganglia-3.1.1-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ganglia-3.1.1-3.fc10

Reply at: https://bugs.launchpad.net/ubuntu/+source/ganglia-monitor-core/+bug/319111/comments/8

------------------------------------------------------------------------
On 2009-01-20T22:13:27+00:00 Fedora wrote:

ganglia-3.0.7-4.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ganglia-3.0.7-4.fc9

Reply at: https://bugs.launchpad.net/ubuntu/+source/ganglia-monitor-core/+bug/319111/comments/9

------------------------------------------------------------------------
On 2009-01-21T14:14:34+00:00 Tomas wrote:

CVE-2009-0241:
Stack-based buffer overflow in the process_path function in
gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a
denial of service (crash) via a request to the gmetad service with a
long pathname.

Reply at: https://bugs.launchpad.net/ubuntu/+source/ganglia-monitor-core/+bug/319111/comments/10

------------------------------------------------------------------------
On 2009-01-26T11:35:11+00:00 Arenas wrote:

Created attachment 329974
simplified patch to address buffer overflow in interactive port

Already being used by the updated ganglia packages for Gentoo and Debian,
and proposed upstream in:

  http://bugzilla.ganglia.info/cgi-bin/bugzilla/attachment.cgi?id=189&action=view

It includes the hunks from the committed fixes in trunk that are relevant
to this reported problem.

Applies cleanly to 3.0.6 and 3.0.7 (with a -30 line offset) as well as 3.1.1.

Reply at: https://bugs.launchpad.net/ubuntu/+source/ganglia-monitor-core/+bug/319111/comments/11

------------------------------------------------------------------------
On 2010-04-22T17:41:00+00:00 Vincent wrote:

This has been corrected in upstream 3.1.2 (which is in current Fedora
11+), and this was also corrected in EPEL4 and 5 via:

* Tue Jan 20 2009 Kostas Georgiou <k.georg...@imperial.ac.uk> - 3.0.7
- New upstream release
- [480236] fix for a buffer overflow and an off-by-one bug in gmetad

Reply at: https://bugs.launchpad.net/ubuntu/+source/ganglia-monitor-core/+bug/319111/comments/12


** Changed in: ganglia (Fedora)
       Status: Confirmed => Fix Released

** Changed in: ganglia (Fedora)
   Importance: Unknown => Medium

** Bug watch added: bugzilla.ganglia.info/cgi-bin/bugzilla/ #223
   http://bugzilla.ganglia.info/cgi-bin/bugzilla/show_bug.cgi?id=223

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/319111

Title:
  gmetad: stack based buffer overflow in interactive port
