[Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)

Salvatore Bonaccorso carnil at debian.org
Sun Jan 20 12:07:34 UTC 2013


Hi

On Sun, Jan 20, 2013 at 10:14:26AM +0100, Yves-Alexis Perez wrote:
[...]
> > If we need to be that pedantic about it to put something into squeeze
> > (which may well be a good idea), then maybe we need to make the change
> > without building and releasing any of the actual binaries, just
> > release
> > the ganglia-web.deb package (which contains no binary code, just PHP).
> > Is there a workflow to do that?
> 
> No. We want minimal changes against the version in Squeeze, remember?
> 
> In any case, provided it actually fixes the bug, I'm ok with Salvatore
> package including only the oneliner patch.

So I have verified the following things:

 - The debdiff contains only the mentioned change (debdiff attached).

 - The patch is applied to /usr/share/ganglia-webfrontend/graph.php in
   the produced binary package ganglia-webfrontend.

 - If I try to exploit the argument g= passed to graph.php on a
   squeeze system with the package installed, it does not work anymore,
   and in the logs I correctly notice the error output produced by
   error_log. At least with the obvious exploit variant.

 - I also checked the debdiff against the produced binary packages:

----cut---------cut---------cut---------cut---------cut---------cut-----

ganglia-webfrontend:
--------------------

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-3.1.7-1-] {+3.1.7-1+squeeze1+}

ganglia-monitor:
----------------

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: libapr1 (>= 1.2.7), libc6 (>= 2.2.5), libconfuse0 (>= 2.5), libexpat1 (>= 1.95.8), libganglia1 (= [-3.1.7-1+b1),-] {+3.1.7-1+squeeze1),+} libpcre3 (>= 7.7), adduser
Installed-Size: [-168-] {+228+}
Source: ganglia [-(3.1.7-1)-]
Version: [-3.1.7-1+b1-] {+3.1.7-1+squeeze1+}

gmetad:
-------

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: libapr1 (>= 1.2.7), libc6 (>= 2.3), libconfuse0 (>= 2.5), libexpat1 (>= 1.95.8), libganglia1 (= [-3.1.7-1+b1),-] {+3.1.7-1+squeeze1),+} libpcre3 (>= 7.7), librrd4 (>= 1.3.0), adduser
Installed-Size: [-92-] {+160+}
Source: ganglia [-(3.1.7-1)-]
Version: [-3.1.7-1+b1-] {+3.1.7-1+squeeze1+}

libganglia1:
------------

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-836-] {+896+}
Source: ganglia [-(3.1.7-1)-]
Version: [-3.1.7-1+b1-] {+3.1.7-1+squeeze1+}

libganglia1-dev:
----------------

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: libganglia1 (= [-3.1.7-1+b1)-] {+3.1.7-1+squeeze1)+}
Installed-Size: [-172-] {+208+}
Source: ganglia [-(3.1.7-1)-]
Version: [-3.1.7-1+b1-] {+3.1.7-1+squeeze1+}
----cut---------cut---------cut---------cut---------cut---------cut-----

 - Attached is also the buildlog. It shows some problems, but if so,
   they are also already present in the version in Squeeze.

So I think we are on the safe side, but if you, Daniel, see an actual
problem with one of the produced binary packages please let us know.
I could also provide the binary packages somewhere if you want to test
them.

Regards,
Salvatore
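To see exactly what the one-line graph.php check above accepts and rejects, here is an added example that is not part of ganglia or of this thread: the patched condition wrapped in a function and run against a constructed graphdir layout (the helper names graph_file_allowed() and graph_name_allowed() are assumptions).

```php
<?php
// Added example, not ganglia's own code: the containment check from the
// graph.php patch wrapped in a function and exercised against a constructed
// graphdir layout. graph_file_allowed()/graph_name_allowed() are assumed names.

// Mirrors the patched condition: the file must be readable and its real
// (symlink-resolved) parent directory must be exactly the real graphdir.
function graph_file_allowed(string $graphdir, string $graph): bool
{
    $graph_file = "$graphdir/$graph.php";
    // is_readable() runs first: realpath() returns false for a missing file,
    // and the short-circuit keeps dirname(false) from ever being evaluated.
    return is_readable($graph_file)
        && realpath($graphdir) === dirname(realpath($graph_file));
}

// Stricter complement: whitelist the name itself, which also keeps the later
// "graph_${graph}" function-name construction well-formed.
function graph_name_allowed(string $graph): bool
{
    return preg_match('/^[A-Za-z0-9_]+$/', $graph) === 1;
}

// Constructed layout under a temp dir:
//   graphdir/cpu_report.php                      legitimate graph
//   graphdir/sub/inner.php                       graph in a subdirectory
//   outside/secret.php                           file outside graphdir
//   graphdir/link.php -> ../outside/secret.php   symlink escaping graphdir
$base     = sys_get_temp_dir() . '/ganglia-check-' . getmypid();
$graphdir = "$base/graphdir";
mkdir("$graphdir/sub", 0700, true);
mkdir("$base/outside", 0700, true);
file_put_contents("$graphdir/cpu_report.php", "<?php\n");
file_put_contents("$graphdir/sub/inner.php", "<?php\n");
file_put_contents("$base/outside/secret.php", "<?php\n");
symlink("$base/outside/secret.php", "$graphdir/link.php");

$cases = [
    'cpu_report'        => true,   // plain name inside graphdir
    '../outside/secret' => false,  // traversal: real parent is "outside"
    'sub/inner'         => false,  // subdirectory: parent is not graphdir itself
    'link'              => false,  // symlink resolves outside graphdir
    'does_not_exist'    => false,  // unreadable, realpath() never consulted
];
foreach ($cases as $graph => $expected) {
    $got = graph_file_allowed($graphdir, $graph);
    printf("%-20s realpath-check=%-5s whitelist=%-5s %s\n", $graph,
        var_export($got, true), var_export(graph_name_allowed($graph), true),
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with the php CLI; every row should report "ok", and the whitelist column shows which names the simpler name-level check would have refused before any filesystem access.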
-------------- next part --------------
diff -u ganglia-3.1.7/debian/changelog ganglia-3.1.7/debian/changelog
--- ganglia-3.1.7/debian/changelog
+++ ganglia-3.1.7/debian/changelog
@@ -1,3 +1,13 @@
+ganglia (3.1.7-1+squeeze1) stable-security; urgency=high
+
+  * Non-maintainer upload.
+  * Fix for path traversal issue when supplying name of a graph
+    web/graph.php: Check for path traversal issues by making sure real path
+    is actually in graphdir. Fixes CVE-2012-3448.
+    Fix backported from ganglia 3.1.8. (Closes: #683584)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 19 Jan 2013 10:04:17 +0100
+
 ganglia (3.1.7-1) unstable; urgency=low
 
   * New upstream version. Closes: #584276. 
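Review bot: the wording "making sure real path is actually in graphdir" slightly overstates what the web/graph.php change does; the condition compares dirname(realpath($graph_file)) with realpath($graphdir), so a graph in a subdirectory of graphdir is rejected too, and "resolves to a file directly in graphdir" would describe the behaviour exactly. The CVE reference, the Closes: #683584 tag and the note that the fix is backported from 3.1.8 are all present, which is what a stable-security entry needs.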
only in patch2:
unchanged:
--- ganglia-3.1.7.orig/web/graph.php
+++ ganglia-3.1.7/web/graph.php
@@ -122,7 +122,7 @@
 
 $graph_file = "$graphdir/$graph.php";
 
-if ( is_readable($graph_file) ) {
+if ( is_readable($graph_file) and realpath($graphdir) === dirname(realpath($graph_file)) ) {
     include_once($graph_file);
 
     $graph_function = "graph_${graph}";
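Review bot: the new condition validates where $graph_file resolves to but never validates $graph itself, which is still interpolated into `$graph_function = "graph_${graph}";` two lines later; a name whitelist such as `preg_match('/^[A-Za-z0-9_]+$/', $graph)` before building $graph_file would reject traversal names up front and keep the function name well-formed. The ordering as written is correct: is_readable() runs first, so realpath() is only called on an existing file and dirname(false) is never reached, and because realpath() resolves symlinks a link inside graphdir pointing elsewhere is rejected as well. One style note: `and` binds more loosely than `&&`, which is harmless inside this if() but would silently change meaning if the expression were ever assigned to a variable.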
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ganglia_3.1.7-1+squeeze1_amd64.build.gz
Type: application/octet-stream
Size: 16845 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-monitoring-maintainers/attachments/20130120/338b4620/attachment-0001.obj>