xymon: CVE-2015-1430: buffer overrun in acknowledge.c

Related Vulnerabilities: CVE-2015-1430  

Debian Bug report logs - #776007

Reported by: Christoph Berg <christoph.berg@credativ.de>

Date: Thu, 22 Jan 2015 16:21:01 UTC

Severity: grave

Tags: patch, security

Found in version xymon/4.3.17-1

Fixed in version xymon/4.3.17-5

Done: Christoph Berg <christoph.berg@credativ.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Berg <myon@debian.org>:
Bug#776007; Package src:xymon. (Thu, 22 Jan 2015 16:21:05 GMT)


Message #3 received at submit@bugs.debian.org:

From: Christoph Berg <christoph.berg@credativ.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: buffer overrun in acknowledge.c(gi)
Date: Thu, 22 Jan 2015 17:19:25 +0100
[Message part 1 (text/plain, inline)]
Source: xymon
Version: 4.3.17-1
Severity: grave
Tags: security patch pending

web/acknowledge.c uses a string twice in a format string, but only
allocates memory for one copy. The attached patch fixes this.

Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/
[acknowledge-malloc (text/plain, attachment)]
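For readers who want to see the bug class rather than only the one-line description above, the C below is an added illustration; it is not Xymon's web/acknowledge.c and not the acknowledge-malloc patch attached to the report (whose contents are not shown on this page). It models the report literally: a format string that consumes the same caller-controlled value twice, a malloc() sized for the format plus one copy of that value, and the resulting shortfall when the formatted text is written. The format string ACK_FMT, the function names and the sample host name are assumptions made for the example. The hardened builder sizes the buffer from snprintf(NULL, 0, ...) and bounds the final write, which is one general way to close this pattern; the patch attached to the report corrects the allocation size instead.

```c
/* Added example (not Xymon's code): the allocation pattern behind
 * CVE-2015-1430 as the report describes it, next to a sizing that
 * cannot be undersized. ACK_FMT is an assumed stand-in for the real
 * format string in web/acknowledge.c. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed format: the same value is consumed by two "%s" conversions. */
static const char *const ACK_FMT = "<input name=\"%s\" value=\"%s\">";

/* The buggy sizing from the report: the format's length plus ONE copy
 * of the value. The two "%s" placeholders (4 bytes) give a little slack,
 * so the shortfall only appears once the value is longer than 4 bytes. */
size_t buggy_alloc_size(const char *value)
{
    return strlen(ACK_FMT) + strlen(value) + 1;
}

/* Bytes the formatted result actually occupies, including the NUL,
 * measured by the formatter itself instead of by counting placeholders. */
size_t needed_size(const char *value)
{
    int n = snprintf(NULL, 0, ACK_FMT, value, value);
    return (n < 0) ? 0 : (size_t)n + 1;
}

/* 1 if the buggy sizing would hand sprintf() a buffer that is too small
 * for this value, i.e. the write would run past the allocation. */
int buggy_size_overflows(const char *value)
{
    return buggy_alloc_size(value) < needed_size(value);
}

/* Hardened builder: size from the formatter, then bound the write so a
 * mismatch between sizing and formatting can never become an overrun.
 * Caller frees the result. */
char *build_ack_field(const char *value)
{
    size_t n = needed_size(value);
    if (n == 0)
        return NULL;
    char *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    int w = snprintf(buf, n, ACK_FMT, value, value);
    if (w < 0 || (size_t)w >= n) {   /* truncated or failed: refuse */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    const char *host = "webserver01.example.net";   /* constructed input */
    printf("buggy alloc: %zu bytes, needed: %zu bytes, overrun: %s\n",
           buggy_alloc_size(host), needed_size(host),
           buggy_size_overflows(host) ? "yes" : "no");
    char *field = build_ack_field(host);
    if (field != NULL) {
        puts(field);
        free(field);
    }
    return 0;
}
```

The slack is worth noticing: with this format the two "%s" placeholders occupy four bytes that the expansion reuses, so values of up to four bytes fit and the overrun only shows for longer ones. That is the kind of sizing mistake that survives a quick manual test with short input and is only caught by reading the allocation against the format string.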

Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#776007; Package src:xymon. (Thu, 22 Jan 2015 17:03:04 GMT)


Message #6 received at 776007@bugs.debian.org:

From: Christoph Berg <christoph.berg@credativ.de>
To: Debian Bug Tracking System <776007@bugs.debian.org>
Subject: Re: Bug#776007: buffer overrun in acknowledge.c(gi)
Date: Thu, 22 Jan 2015 18:00:54 +0100
[Message part 1 (text/plain, inline)]
Re: To Debian Bug Tracking System 2015-01-22 <20150122161925.GA23793@msg.df7cb.de>
> Source: xymon
> Version: 4.3.17-1
> Severity: grave
> Tags: security patch pending
> 
> web/acknowledge.c uses a string twice in a format string, but only
> allocates memory for one copy. The attached patch fixes this.

Fwiw, the CGI is only accessible for authenticated admin users, so the
consequences of the issue aren't as bad as they could be.

Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#776007; Package src:xymon. (Tue, 27 Jan 2015 11:06:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Tue, 27 Jan 2015 11:06:05 GMT)


Message #11 received at 776007@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Christoph Berg <christoph.berg@credativ.de>, Debian Bug Tracking System <776007@bugs.debian.org>
Subject: Re: Bug#776007: buffer overrun in acknowledge.c(gi)
Date: Tue, 27 Jan 2015 12:02:57 +0100
On Thu, Jan 22, 2015 at 06:00:54PM +0100, Christoph Berg wrote:
> Re: To Debian Bug Tracking System 2015-01-22 <20150122161925.GA23793@msg.df7cb.de>
> > Source: xymon
> > Version: 4.3.17-1
> > Severity: grave
> > Tags: security patch pending
> > 
> > web/acknowledge.c uses a string twice in a format string, but only
> > allocates memory for one copy. The attached patch fixes this.
> 
> Fwiw, the CGI is only accessible for authenticated admin users, so the
> consequences of the issue aren't as bad as they could be.

I think it's sufficient if we fix this in a point update, can you take
care of that?

Has this been forwarded upstream? Since it's public we cannot assign
a CVE from the Debian CNA pool any more, so this will need to go through
the oss-security mailing list.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#776007; Package src:xymon. (Tue, 27 Jan 2015 11:36:05 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Tue, 27 Jan 2015 11:36:05 GMT)


Message #16 received at 776007@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 776007@bugs.debian.org
Cc: Christoph Berg <christoph.berg@credativ.de>
Subject: Re: Bug#776007: buffer overrun in acknowledge.c(gi)
Date: Tue, 27 Jan 2015 12:34:09 +0100
Hi Moritz,

Moritz Mühlenhoff wrote:
> I think it's sufficient if we fix this in a point update, can you take
> care of that?

Do you think of Jessie or Wheezy? As far as I can see, Wheezy is
not affected:
https://sources.debian.net/src/xymon/4.3.0%7Ebeta2.dfsg-9.1/web/bb-ack.c/#L248

> Has this been forwarded upstream?

Christoph told me on IRC that upstream is aware of it and has patched
it in SVN, too. I just dug around in upstream's SVN repository and
I think this is the upstream fix:
http://sourceforge.net/p/xymon/code/7483/

Actually upstream fixed it in his latest release (4.3.18, September
2014) according to SVN:
http://sourceforge.net/p/xymon/mailman/message/32876426/

But that version was never released, neither on SourceForge
(http://sourceforge.net/projects/xymon/files/Xymon/) nor on the web
page (https://www.xymon.com/) as both still list 4.3.17 as most recent
release -- which is also the reason why I only discovered now that
there actually is a new upstream release.

On the mailing list there is a thread asking about the status of
4.3.18 and someone found a tar ball at https://www.xymon.com/patches/.
At least the FreeBSD port maintainer doesn't seem to consider that one
"official" according to
http://lists.xymon.com/archive/2014-November/040653.html

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#776007; Package src:xymon. (Tue, 27 Jan 2015 11:57:24 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Tue, 27 Jan 2015 11:57:24 GMT)


Message #21 received at 776007@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Axel Beckert <abe@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 776007@bugs.debian.org, Christoph Berg <christoph.berg@credativ.de>
Subject: Re: Bug#776007: buffer overrun in acknowledge.c(gi)
Date: Tue, 27 Jan 2015 12:49:49 +0100
On Tue, Jan 27, 2015 at 12:34:09PM +0100, Axel Beckert wrote:
> Hi Moritz,
> 
> Moritz Mühlenhoff wrote:
> > I think it's sufficient if we fix this in a point update, can you take
> > care of that?
> 
> Do you think of Jessie or Wheezy? As far as I can see, Wheezy is
> not affected:
> https://sources.debian.net/src/xymon/4.3.0%7Ebeta2.dfsg-9.1/web/bb-ack.c/#L248

I hadn't checked the status in jessie yet, but I just did and you're
right: Wheezy/Squeeze is not affected.

For jessie we can follow the usual upload/unblock procedure.

> > Has this been forwarded upstream?
> 
> Christoph told me on IRC that upstream is aware of it and has patched
> it in SVN, too. I just dug around in upstream's SVN repository and
> I think this is the upstream fix:
> http://sourceforge.net/p/xymon/code/7483/
> 
> Actually upstream fixed it in his latest release (4.3.18, September
> 2014) according to SVN:
> http://sourceforge.net/p/xymon/mailman/message/32876426/
> 
> But that version was never released, neither on SourceForge
> (http://sourceforge.net/projects/xymon/files/Xymon/) nor on the web
> page (https://www.xymon.com/) as both still list 4.3.17 as most recent
> release -- which is also the reason why I only discovered now that
> there actually is a new upstream release.
> 
> On the mailing list there is a thread asking about the status of
> 4.3.18 and someone found a tar ball at https://www.xymon.com/patches/.
> At least the FreeBSD port maintainer doesn't seem to consider that one
> "official" according to
> http://lists.xymon.com/archive/2014-November/040653.html

Ok, I'll request a CVE on oss-security.

Cheers,
        Moritz


Reply sent to Christoph Berg <christoph.berg@credativ.de>:
You have taken responsibility. (Fri, 30 Jan 2015 09:51:22 GMT)


Notification sent to Christoph Berg <christoph.berg@credativ.de>:
Bug acknowledged by developer. (Fri, 30 Jan 2015 09:51:22 GMT)


Message #26 received at 776007-close@bugs.debian.org:

From: Christoph Berg <christoph.berg@credativ.de>
To: 776007-close@bugs.debian.org
Subject: Bug#776007: fixed in xymon 4.3.17-5
Date: Fri, 30 Jan 2015 09:49:03 +0000
Source: xymon
Source-Version: 4.3.17-5

We believe that the bug you reported is fixed in the latest version of
xymon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776007@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Berg <christoph.berg@credativ.de> (supplier of updated xymon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 22 Jan 2015 17:37:26 +0100
Source: xymon
Binary: xymon xymon-client
Architecture: source amd64
Version: 4.3.17-5
Distribution: unstable
Urgency: medium
Maintainer: Christoph Berg <myon@debian.org>
Changed-By: Christoph Berg <christoph.berg@credativ.de>
Description:
 xymon      - monitoring system for systems, networks and applications
 xymon-client - client for the Xymon network monitor
Closes: 767840 767901 770168 771182 776007
Changes:
 xymon (4.3.17-5) unstable; urgency=medium
 .
   [ Christoph Berg ]
   * Restore the lost ROOTFS variable in xymonclient-linux.sh, and patch
     xymond/rrd/do_disk.c to ignore duplicate submissions for the / partition.
     (Closes: #767901)
   * Fix buffer overrun in web/acknowledge.c (Closes: #776007)
   * Debconf translations, thanks!
     + pt by Américo Monteiro (Closes: #767840)
     + fr by Jean-Pierre Giraud (Closes: #770168)
     + nl by Frans Spiesschaert (Closes: #771182)
 .
   [ Axel Beckert ]
   * Fix aborting installation in cases where a hobbit user exists despite
     hobbit-client was not installed before. (LP: #1407498)
Checksums-Sha1:
 629377f7aba1e31275b6d059bcef2a224d822216 2067 xymon_4.3.17-5.dsc
 be651615592f9a5373753d8323e8331c18162e10 93968 xymon_4.3.17-5.debian.tar.xz
 251925caf1d36b8aed77d83f8f386e67f0ef6dc5 2261638 xymon_4.3.17-5_amd64.deb
 65fbbf98a5de84a945614a41b49c1188335dc9e9 246944 xymon-client_4.3.17-5_amd64.deb
Checksums-Sha256:
 372098e94d0900926857cf925a219b883416d69ce0a05fa2ada2d3fe0ad223b8 2067 xymon_4.3.17-5.dsc
 832344b00d5e2556b1e98c9db8ece8983066b5a5f4cb918e5f3c606aee557528 93968 xymon_4.3.17-5.debian.tar.xz
 43990cfc99f38f790f8cf298a42f926e51231fb4d6f8a0d2a2fbe9bde2d00ddf 2261638 xymon_4.3.17-5_amd64.deb
 49b9b36c89a9f4fd87161a8dc4ef02a336cfd5cabe1b591a43029d9b87999bb7 246944 xymon-client_4.3.17-5_amd64.deb
Files:
 312d0cc53afdda0b3f6e9d778a007a59 2067 net extra xymon_4.3.17-5.dsc
 3cf624237bea5093f158f529825b520b 93968 net extra xymon_4.3.17-5.debian.tar.xz
 a77006904faf3c43dd1d58c1d2b89b2b 2261638 net extra xymon_4.3.17-5_amd64.deb
 d6910a87b04ec447df35fc821d479c77 246944 net extra xymon-client_4.3.17-5_amd64.deb



Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#776007; Package src:xymon. (Fri, 30 Jan 2015 10:21:13 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Fri, 30 Jan 2015 10:21:13 GMT)


Message #31 received at 776007@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 776007@bugs.debian.org
Subject: Re: Bug#776007: buffer overrun in acknowledge.c(gi)
Date: Fri, 30 Jan 2015 11:17:49 +0100
Hi Moritz,

Moritz Mühlenhoff wrote:
> On Tue, Jan 27, 2015 at 12:34:09PM +0100, Axel Beckert wrote:
> > Moritz Mühlenhoff wrote:
> > > I think it's sufficient if we fix this in a point update, can you take
> > > care of that?
> > 
> > Do you think of Jessie or Wheezy? As far as I can see, Wheezy is
> > not affected:
> > https://sources.debian.net/src/xymon/4.3.0%7Ebeta2.dfsg-9.1/web/bb-ack.c/#L248
> 
> I hadn't checked the status in jessie yet, but I just did and you're
> right: Wheezy/Squeeze is not affected.

Could you please update
https://security-tracker.debian.org/tracker/source-package/xymon with
regards to that fact? TIA!

> For jessie we can follow the usual upload/unblock procedure.

Has gotten its unblock pre-approval and has been uploaded to Unstable
just now. Will be available on the mirrors with the next push.

> Ok, I'll request a CVE on oss-security.

I haven't seen such a request on
http://www.openwall.com/lists/oss-security/2015/01/ yet. (I know you
were busy with DSAs in the past few days, but I thought I'd just send
a gentle ping. I don't want to request one myself without an OK from you,
as a similar situation resulted in two CVE ids for the same issue the
last time I tried to request one myself. :-)

As soon as we have a CVE-ID I will add it retroactively to the changelog
entry of the just uploaded package, so that it will show up as fixed
in that package release, starting with the next upload.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#776007; Package src:xymon. (Fri, 30 Jan 2015 16:12:08 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Fri, 30 Jan 2015 16:12:08 GMT)


Message #36 received at 776007@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Axel Beckert <abe@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 776007@bugs.debian.org
Subject: Re: Bug#776007: buffer overrun in acknowledge.c(gi)
Date: Fri, 30 Jan 2015 17:08:27 +0100
On Fri, Jan 30, 2015 at 11:17:49AM +0100, Axel Beckert wrote:
> Hi Moritz,
> 
> Moritz Mühlenhoff wrote:
> > On Tue, Jan 27, 2015 at 12:34:09PM +0100, Axel Beckert wrote:
> > > Moritz Mühlenhoff wrote:
> > > > I think it's sufficient if we fix this in a point update, can you take
> > > > care of that?
> > > 
> > > Do you think of Jessie or Wheezy? As far as I can see, Wheezy is
> > > not affected:
> > > https://sources.debian.net/src/xymon/4.3.0%7Ebeta2.dfsg-9.1/web/bb-ack.c/#L248
> > 
> > I hadn't checked the status in jessie yet, but I just did and you're
> > right: Wheezy/Squeeze is not affected.
> 
> Could you please update
> https://security-tracker.debian.org/tracker/source-package/xymon with
> regards to that fact? TIA!

Just updated.

> I haven't seen such a request on
> http://www.openwall.com/lists/oss-security/2015/01/ yet. (I know you
> were busy with DSAs in the past few days,

OpenJDK is a serious timesink :-)

> but I thought I'd just send
> a gentle ping. I don't want to request one myself without an OK from you,
> as a similar situation resulted in two CVE ids for the same issue the
> last time I tried to request one myself. :-)

I just requested it, you're in CC.

Cheers,
        Moritz



Changed Bug title to 'xymon: CVE-2015-1430: buffer overrun in acknowledge.c' from 'buffer overrun in acknowledge.c(gi)'. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Sat, 31 Jan 2015 14:09:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#776007; Package src:xymon. (Tue, 03 Feb 2015 15:30:07 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Tue, 03 Feb 2015 15:30:07 GMT)


Message #43 received at 776007@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: 776007@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>
Subject: Re: Bug#776007: CVE-2015-1430: buffer overrun in acknowledge.c(gi)
Date: Tue, 3 Feb 2015 16:28:04 +0100
Hi,

Moritz Mühlenhoff wrote:
> On Tue, Jan 27, 2015 at 12:34:09PM +0100, Axel Beckert wrote:
> I hadn't checked the status in jessie yet, but I just did and you're
> right: Wheezy/Squeeze is not affected.

JFTR: This has now been confirmed on the upstream mailing list. The
bug was introduced upstream in release 4.3.4. For details see
http://lists.xymon.com/archive/2015-February/040936.html and
http://sourceforge.net/p/xymon/code/6691/tree//trunk/web/acknowledge.c?diff=516c17fd34309d2eb14bcb64:6690

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 04 Mar 2015 07:25:25 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:57:50 2019; Machine Name: buxtehude
