Message-ID: <4F9CE5F3.4090906@redhat.com>
Date: Sun, 29 Apr 2012 00:55:47 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Steve Schnepp <steve.schnepp@...il.com>
CC: 668667@...s.debian.org, oss-security@...ts.openwall.com, Helmut Grohne <helmut@...divi.de>, Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: Bug#668667: CVE Request (minor) -- Two Munin graphing framework flaws

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/27/2012 09:41 AM, Steve Schnepp wrote:
> On Wed, Apr 18, 2012 at 07:04, Kurt Seifried <kseifried@...hat.com>
> wrote:
>>> In addition munin parses parts of the query string. You are
>>> allowed to modify the size of the image. By choosing a path
>>> "....png?size_x=20000&size_y=20000&uniquestuff" you can do the
>>> same attack while simultaneously using a large image size. The
>>> raw image would be 381M (assuming 8bits/pixel) in this case. A
>>> png version will likely be smaller, say 4M? So now you have an
>>> amplification of 4M/request. Note that this query can get a
>>> node into swapping, because rrdtool needs to create the whole
>>> image in main memory.

Please use CVE-2012-2147 for this issue (specifying the size = lots of ram/storage space used up during image creation).

>
>> Ouch.
>
> I believe I fixed the bug in r4825, since :
> - url with query string aren't stored permanently anymore.
> - /tmp isn't used anymore per default (to fix #668536)
>
> Could you confirm that ?
>
> OTOH, the issue about very big imgs that gets the cgi into
> swapping isn't the same bug to be.
>
> As Helmut noticed, there is already a size cap in rrd, so do I
> still need to implement one in munin ? If yes, would you mind to file
> another bugreport (for RAM exhaustion) ?
>
> Thx !
>
> r4825: http://munin-monitoring.org/changeset/4825
>
> --
> Steve Schnepp
> http://blog.pwkf.org/

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
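As an added illustration (example code, not Munin's or rrdtool's own), here is a defensive parser for the size_x/size_y query parameters discussed in the thread: it bounds each axis, budgets the raw in-memory image the same way the 381M figure above is computed (8 bits/pixel), and refuses a persistent cache key for any path that carries a query string, mirroring the r4825 description. The limits, defaults and function names are hypothetical.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical limits for illustration; the thread gives neither Munin's
# nor rrdtool's real cap. Tune to the RAM you are willing to spend per request.
MAX_DIM = 4096                     # per-axis pixel limit
MAX_RAW_BYTES = 8 * 1024 * 1024    # budget for the uncompressed image in memory
BYTES_PER_PIXEL = 1                # the thread's "8 bits/pixel" assumption
DEFAULT_X, DEFAULT_Y = 400, 175    # assumed defaults, not Munin's


class SizeRejected(ValueError):
    """Raised when size_x/size_y would exceed the configured budget."""


def raw_image_bytes(size_x: int, size_y: int, bpp: int = BYTES_PER_PIXEL) -> int:
    """Memory the renderer needs to hold the whole uncompressed image."""
    return size_x * size_y * bpp


def parse_size_params(path_with_query: str):
    """Return (size_x, size_y, raw_bytes) for an image URL, or raise SizeRejected."""
    qs = parse_qs(urlsplit(path_with_query).query, keep_blank_values=True)
    dims = []
    for key, default in (("size_x", DEFAULT_X), ("size_y", DEFAULT_Y)):
        raw = qs.get(key, [""])[0]
        if raw == "":
            dims.append(default)
            continue
        if not raw.isdigit():          # rejects "-1", "1e9", "20000abc"
            raise SizeRejected(f"{key} must be a positive integer, got {raw!r}")
        val = int(raw)
        if not 1 <= val <= MAX_DIM:
            raise SizeRejected(f"{key}={val} outside 1..{MAX_DIM}")
        dims.append(val)
    size_x, size_y = dims
    need = raw_image_bytes(size_x, size_y)
    if need > MAX_RAW_BYTES:           # each axis in range, but the area is still too big
        raise SizeRejected(f"{size_x}x{size_y} needs {need} bytes, budget is {MAX_RAW_BYTES}")
    return size_x, size_y, need


def cache_key(path_with_query: str):
    """Persistent cache key, or None when the URL has a query string: a unique
    '&uniquestuff' suffix must not be able to create a new cache entry per request."""
    parts = urlsplit(path_with_query)
    return None if parts.query else parts.path


def is_request_allowed(path_with_query: str) -> bool:
    try:
        parse_size_params(path_with_query)
        return True
    except SizeRejected:
        return False
```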