gmetad: stack based buffer overflow in interactive port

A stack-based buffer overflow was discovered in the gmetad server, part of the ganglia monitoring system. Quoting original report:

  In process_path() a char element[256] is allocated to contain the pieces
  of the path as it is processed. If a request is made with a path element
  longer than that the strncpy call will write to invalid memory location,
  since there is no length checking performed on the input data to make sure
  it is less than the size of element.

Full report:
http://<email address hidden>/msg04929.html

Upstream bug:
  http://bugzilla.ganglia.info/cgi-bin/bugzilla/show_bug.cgi?id=223

Upstream fix:
  http://ganglia.svn.sourceforge.net/viewvc/ganglia?view=rev&revision=1946
and status file note:
  http://ganglia.svn.sourceforge.net/viewvc/ganglia?view=rev&revision=1947

Unfortunately the fix introduces an off by one error so it still needs work.

This overflow occurs in the strncpy call (which uses input length as a bound, not a destination buffer size) and it is detected by the FORTIFY_SOURCE. Therefore, this can no be exploited for code execution, overflow is detected before data are written past the end of the buffer and program execution is terminated. This is DoS-only flaw on Fedora or Red Hat HPC Solution.

could a CVE be requested by redhat's CNA to easy up tracking for all affected parties?, AFAIK there is a securityfocus BID already assigned in :

  http://www.securityfocus.com/bid/33299

We do not assign ids for already public issues, to minimize the risk of duplicating Mitre's assignments. Request for id was done couple of days ago via a list that is monitored by Mitre for new issues:
  http://www.openwall.com/lists/oss-security/2009/01/15/3

(In reply to comment #1)
> Unfortunately the fix introduces an off by one error so it still needs work.

Current version of the patch, including your fix for off-by-one:
http://ganglia.svn.sourceforge.net/viewvc/ganglia/trunk/monitor-core/gmetad/server.c?r1=1233&r2=1950

The patch was updated again upstream, fixing another off-by-one in the request[] buffer:
http://ganglia.svn.sourceforge.net/viewvc/ganglia?view=rev&revision=1953

Whole patch:
http://ganglia.svn.sourceforge.net/viewvc/ganglia/trunk/monitor-core/gmetad/server.c?r1=1233&r2=1953

ganglia-3.1.1-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ganglia-3.1.1-3.fc10

ganglia-3.0.7-4.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ganglia-3.0.7-4.fc9

CVE-2009-0241:
Stack-based buffer overflow in the process_path function in
gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a
denial of service (crash) via a request to the gmetad service with a
long pathname.

Created attachment 329974
simplified patch to address buffer overflow in interactive port

already being used by the updated ganglia packages for Gentoo and Debian and proposed upstream in :

  http://bugzilla.ganglia.info/cgi-bin/bugzilla/attachment.cgi?id=189&action=view

including hunks from the committed fixes in trunk and that are relevant for this reported problem.

applies cleanly for 3.0.6, 3.0.7 (-30 lines offset) as well as 3.1.1

This has been corrected in upstream 3.1.2 (which is in current Fedora 11+), and this was also corrected in EPEL4 and 5 via:

* Tue Jan 20 2009 Kostas Georgiou <email address hidden> - 3.0.7
- New upstream release
- [480236] fix for a buffer overflow and an off-by-one bug in gmetad