Bug 759910 (CVE-2012-2147)

Summary: VUL-1: CVE-2012-2147: munin: remote denial of service by large image sizes
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Jordi Massaguer <jmassaguerpla>
Status: NEW
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: meissner, security-team, wolfgang
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: . maint:planned:update
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2012-04-30 13:25:29 UTC
is public, via oss-sec

http://www.openwall.com/lists/oss-security/2012/04/29/2

CVE-2012-2147

Statistics scripts in munin can be passed the desired image size by remote
attackers, allowing them to pass very large image sizes into the process, which
effectively could run the machine out of memory.

also references:
https://bugzilla.redhat.com/show_bug.cgi?id=817488
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670811#14

Reproducers:

a) common reproducer to obtain an existing image and store it into
   Munin's cache:

   printf 'GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | netcat localhost 80

   (this was for a different issue, where you could fill /tmp with such images that are cached -Marcus)

b) reproducer for excessive memory / storage usage (the previous part
   is the same as in case a)):
   ..png?size_x=20000&size_y=20000&uniquestuff
Comment 1 Marcus Meissner 2012-04-30 13:27:01 UTC
In general the munin developers appear to recommend that access to this is limited
to administrators.


Can you enlighten us how it is limited, and how the ATK setup of munin is?
Comment 2 Swamp Workflow Management 2012-04-30 22:00:15 UTC
bugbot adjusting priority
Comment 3 Jordi Massaguer 2012-05-02 09:17:30 UTC
There is a patch at the end of the debian bug report that checks for image size:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670811#14
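The class of check the Debian patch applies, shown here as an added illustration in Python rather than munin's own Perl code: the graph CGI parses size_x / size_y from the query string, and the fix is to reject or bound them before any buffer is allocated. The defaults, the upper bounds (MAX_SIZE_X / MAX_SIZE_Y) and the bytes-per-pixel estimate are assumptions chosen for the example, not values from munin or from the patch; the request paths are the ones quoted in the report above.

```python
from urllib.parse import urlparse, parse_qs

# Assumed values for this example; munin's real defaults and limits differ.
DEFAULT_X, DEFAULT_Y = 400, 175
MAX_SIZE_X, MAX_SIZE_Y = 4096, 4096
BYTES_PER_PIXEL = 4  # rough RGBA estimate used only to size the risk


class BadImageSize(ValueError):
    """Raised when a size parameter is missing, non-numeric, zero or too large."""


def _query(request_target):
    # Only the query string matters here; keep_blank_values so '?foo' parses.
    return parse_qs(urlparse(request_target).query, keep_blank_values=True)


def unchecked_size(request_target):
    """The defective pattern: trust whatever integer the client sends."""
    params = _query(request_target)
    x = int(params.get("size_x", [DEFAULT_X])[0])
    y = int(params.get("size_y", [DEFAULT_Y])[0])
    return x, y


def _bounded(params, name, default, maximum):
    raw = params.get(name, [None])[0]
    if raw is None:
        return default
    # isdigit() rejects signs, whitespace and empty strings in one step.
    if not raw.isdigit():
        raise BadImageSize(f"{name} must be a positive integer, got {raw!r}")
    value = int(raw)
    if value < 1 or value > maximum:
        raise BadImageSize(f"{name}={value} outside allowed range 1..{maximum}")
    return value


def checked_size(request_target):
    """Hardened variant: validate both dimensions before any allocation."""
    params = _query(request_target)
    x = _bounded(params, "size_x", DEFAULT_X, MAX_SIZE_X)
    y = _bounded(params, "size_y", DEFAULT_Y, MAX_SIZE_Y)
    return x, y


def estimated_bytes(x, y):
    """Memory a renderer would need for an x*y image at BYTES_PER_PIXEL."""
    return x * y * BYTES_PER_PIXEL


if __name__ == "__main__":
    base = "/cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png"
    for target in (base + "?foo", base + "?size_x=20000&size_y=20000&uniquestuff"):
        x, y = unchecked_size(target)
        print(f"unchecked: {x}x{y} -> ~{estimated_bytes(x, y) / 1e6:.0f} MB")
        try:
            print("checked:  ", checked_size(target))
        except BadImageSize as err:
            print("checked:   rejected:", err)
```

With the 20000x20000 request from reproducer b), the unchecked path would try to render a ~1.6 GB image per request, while the checked path refuses it before any memory is touched; the same validation also rejects zero and negative sizes, which an unchecked int() would happily accept.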
Comment 8 Marcus Meissner 2012-05-03 11:41:27 UTC
cc wolfgang, maintainer of munin in server:monitoring
Comment 9 Wolfgang Rosenauer 2012-05-03 16:26:34 UTC
tentatively fixed in server:monitoring fwiw, I need to verify once OBS builds packages again
Comment 11 Marcus Meissner 2012-05-07 09:28:52 UTC
As this is not default accessible in Studio, and the admin has to enable it first,
I am putting this on the planned update list only.

We can merge this bug into a future munin update, if one happens.