-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/27/2012 09:41 AM, Steve Schnepp wrote:
> On Wed, Apr 18, 2012 at 07:04, Kurt Seifried <kseifr...@redhat.com> wrote:
>>> In addition munin parses parts of the query string. You are allowed
>>> to modify the size of the image. By choosing a path
>>> "....png?size_x=20000&size_y=20000&uniquestuff" you can do the same
>>> attack while simultaneously using a large image size. The raw image
>>> would be 381M (assuming 8 bits/pixel) in this case. A png version
>>> will likely be smaller, say 4M? So now you have an amplification of
>>> 4M/request. Note that this query can get a node into swapping,
>>> because rrdtool needs to create the whole image in main memory.

Please use CVE-2012-2147 for this issue (specifying the size = lots of RAM/storage space used up during image creation).

>> Ouch.
>
> I believe I fixed the bug in r4825, since:
> - URLs with query strings aren't stored permanently anymore.
> - /tmp isn't used anymore per default (to fix #668536)
>
> Could you confirm that?
>
> OTOH, the issue about very big imgs that gets the cgi into swapping
> isn't the same bug to me.
>
> As Helmut noticed, there is already a size cap in rrd, so do I still
> need to implement one in munin? If yes, would you mind filing another
> bug report (for RAM exhaustion)?
>
> Thx!
>
> r4825: http://munin-monitoring.org/changeset/4825
>
> --
> Steve Schnepp
> http://blog.pwkf.org/

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
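The thread leaves open whether munin itself should cap the `size_x`/`size_y` query parameters rather than relying on the cap inside rrd. The following is an added example, not munin's code and not from the changeset above: a small Python validator that parses the request's query string, rejects non-numeric or oversized dimensions before anything reaches the renderer, and reports the uncompressed memory an accepted request would cost (the 8 bits/pixel figure from the thread). The cap values, default sizes and function names are assumptions chosen for the example.

```python
"""Added example: munin-style size_x/size_y validation done on the CGI side.

Not munin's code. The caps and defaults below are assumed values; the
8 bits/pixel raw-image estimate is the one used in the thread.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumed caps: generous for any dashboard graph, far below the
# 20000x20000 request quoted in the report.
MAX_WIDTH = 4096
MAX_HEIGHT = 4096
DEFAULT_WIDTH = 400     # assumed defaults when the parameter is absent
DEFAULT_HEIGHT = 175
BYTES_PER_PIXEL = 1     # thread assumes 8 bits/pixel for the raw image

_DIGITS = re.compile(r"[0-9]+")


class SizeRejected(ValueError):
    """Raised when a request asks for an image outside the allowed range."""


@dataclass(frozen=True)
class GraphSize:
    width: int
    height: int

    def raw_bytes(self, bytes_per_pixel: int = BYTES_PER_PIXEL) -> int:
        """Memory the renderer needs to hold the uncompressed image."""
        return self.width * self.height * bytes_per_pixel


def mebibytes(n: int) -> float:
    return n / 2 ** 20


def _read_dimension(params: dict, name: str, default: int, cap: int) -> int:
    """Return the validated dimension, or the default if not supplied."""
    values = params.get(name)
    if not values:
        return default
    raw = values[0]
    # ASCII digits only: rejects sign, whitespace, floats, unicode digits
    if not _DIGITS.fullmatch(raw):
        raise SizeRejected(f"{name}={raw!r} is not a positive integer")
    value = int(raw)
    if value == 0 or value > cap:
        raise SizeRejected(f"{name}={value} outside 1..{cap}")
    return value


def parse_graph_size(url: str) -> GraphSize:
    """Parse and validate size_x/size_y from a graph request path."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return GraphSize(
        width=_read_dimension(params, "size_x", DEFAULT_WIDTH, MAX_WIDTH),
        height=_read_dimension(params, "size_y", DEFAULT_HEIGHT, MAX_HEIGHT),
    )


if __name__ == "__main__":
    # Constructed request paths modelled on the one quoted in the thread.
    paths = [
        "/cgi-bin/munin-cgi-graph/host/load-day.png?size_x=800&size_y=600",
        "/cgi-bin/munin-cgi-graph/host/load-day.png?size_x=20000&size_y=20000&uniquestuff",
    ]
    for path in paths:
        try:
            size = parse_graph_size(path)
            print(path, "->", size, f"{mebibytes(size.raw_bytes()):.1f} MiB raw")
        except SizeRejected as exc:
            print(path, "-> rejected:", exc)
```

Running it accepts the 800x600 request (under half a MiB raw) and rejects the 20000x20000 one; `GraphSize(20000, 20000).raw_bytes()` is 400,000,000 bytes, which is the 381 MiB the report quotes. Checking the dimensions before rrdtool is invoked is what keeps the node from allocating that buffer, regardless of what cap rrd applies internally.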