Bug 6874 - ganglia new arbitrary script execution vulnerability
: ganglia new arbitrary script execution vulnerability
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/508292/
: MGA1TOO feedback mga2-32-OK? mga2-64-...
: validated_update
:
: 6520
  Show dependency treegraph
 
Reported: 2012-07-26 23:03 CEST by David Walser
Modified: 2013-01-22 22:48 CET (History)
5 users (show)

See Also:
Source RPM: ganglia-3.1.7-7.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-07-26 23:03:29 CEST
Fedora has issued an advisory on July 17:
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084202.html

Patch is available from Fedora.

Note we also have critical Bug 6520 filed against this package.
Comment 1 Guillaume Rousse 2012-08-20 21:21:41 CEST
I just submitted 3.1.7-7.1.mga2 in update_testing, fixing both #6520 and #6874 at once.
Comment 2 David Walser 2012-08-20 21:29:11 CEST
Thanks Guillaume.  Mageia 1's package needs an update as well.  I'll push this to QA once that's ready.
Comment 3 David Walser 2012-08-20 21:32:09 CEST
Was this fixed upstream in 3.4.0, which you recently submitted to Cauldron?
Comment 4 David Walser 2012-08-20 21:33:49 CEST
Saving package list for later...

ganglia-core-3.1.7-7.1.mga2
ganglia-gmetad-3.1.7-7.1.mga2
libganglia1-devel-3.1.7-7.1.mga2
libganglia1-3.1.7-7.1.mga2
ganglia-script-3.1.7-7.1.mga2
ganglia-webfrontend-3.1.7-7.1.mga2

from ganglia-3.1.7-7.1.mga2.src.rpm
Comment 5 David Walser 2012-09-05 18:22:36 CEST
Patched package uploaded for Mageia 1 and Mageia 2, fixing this and Bug 6520.

Advisory:
========================

Updated ganglia packages fix security vulnerability:

There is a security issue in Ganglia Web going back to at least 3.1.7 which
can lead to arbitrary script being executed with web user privileges possibly
leading to a machine compromise.

Additionally, an issue where active NFS mounts caused gmond to not start has
also been corrected.

References:
http://ganglia.info/?p=549
https://bugs.launchpad.net/ubuntu/+source/ganglia/+bug/910678
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/084202.html
========================

Updated packages in core/updates_testing:
========================
ganglia-core-3.1.7-5.1.mga1
ganglia-gmetad-3.1.7-5.1.mga1
libganglia1-devel-3.1.7-5.1.mga1
libganglia1-3.1.7-5.1.mga1
ganglia-script-3.1.7-5.1.mga1
ganglia-webfrontend-3.1.7-5.1.mga1
ganglia-core-3.1.7-7.1.mga2
ganglia-gmetad-3.1.7-7.1.mga2
libganglia1-devel-3.1.7-7.1.mga2
libganglia1-3.1.7-7.1.mga2
ganglia-script-3.1.7-7.1.mga2
ganglia-webfrontend-3.1.7-7.1.mga2

from SRPMS:
ganglia-3.1.7-5.1.mga1.src.rpm
ganglia-3.1.7-7.1.mga2.src.rpm
Comment 6 claire robinson 2012-09-10 10:54:49 CEST
Possibly useful link for testing..

http://acidborg.wordpress.com/2010/10/08/how-to-install-and-configure-ganglia-on-red-hat-enterprise-linux-5/
Comment 7 claire robinson 2012-09-11 18:00:22 CEST
Testing Mga1 32

Before
------

An error when installing. I think this is is probably a typo for chown nobody:nobody but we don't have a group called nobody. nogroup maybe.

    6/32: ganglia-gmetad        ###########################################warning: group nobody does not exist - using root
#
gmetad is launched as nobody users now, changing /var/lib/ganglia/rrds permissions to nobody.nobody
chown: invalid user: `nobody.nobody'
warning: %post(ganglia-gmetad-3.1.7-5.mga1.i586) scriptlet failed, exit status 1

# ll -d /var/lib/ganglia/rrds
drwxrwxrwx 2 nobody root 4096 Apr  5  2011 /var/lib/ganglia/rrds/

# service httpd start
# service gmond start
# service gmetad start

# service ganglia-script start
Starting GANGLIA monitor scripts: parametre
Can't open: No such file or directory at /usr/bin/ganglia-script line 31.
                                                               [  OK  ]

Able to browse to http://localhost/ganglia and view the local node data and graphs of usage statistics.


After
-----
The error still occurs with ganglia-gmetad

3/5: ganglia-gmetad        ###########################################warning: group nobody does not exist - using root
#
gmetad is launched as nobody users now, changing /var/lib/ganglia/rrds permissions to nobody.nobody
chown: invalid user: `nobody.nobody'
warning: %post(ganglia-gmetad-3.1.7-5.1.mga1.i586) scriptlet failed, exit status 1

# service ganglia-script start
Starting GANGLIA monitor scripts: parametre
Can't open: No such file or directory at /usr/bin/ganglia-script line 31.
                                                               [  OK  ]

This error probably stems from:
$ ls /usr/share/ganglia-monitor-script/script
ls: cannot access /usr/share/ganglia-monitor-script/script: No such file or directory

# mkdir -p /usr/share/ganglia-monitor-script/script
# service ganglia-script start
Starting GANGLIA monitor scripts: parametre
                                                               [  OK  ]

Apart from these issues it seems OK with just one host. I'll install on mga2 x86_64 also and try to configure a cluster.
Comment 8 claire robinson 2012-09-11 18:47:20 CEST
Testing mga2 x86_64

There seem to be a number of issues with ganglia in both mga1 and mga2. Not yet tested gmond with an active nfs share as the computer is struggling a bit and you will probably want to address these anyway.


Before
------
Same issue on install mga2

4/7: ganglia-gmetad        ########################################################
warning: group nobody does not exist - using root
#
gmetad.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig gmetad on
gmetad is launched as nobody users now, changing /var/lib/ganglia/rrds permissions to nobody.nobody
chown: invalid user: `nobody.nobody'
warning: %post(ganglia-gmetad-3.1.7-7.mga2.x86_64) scriptlet failed, exit status 1

Some errors starting gmond

#systemctl status gmond.service

/usr/sbin/gmond[14492]: [PYTHON] Can't open the python module path /usr/lib64/ganglia/python_modules.
/usr/sbin/gmond[14492]: Module python_module failed to initialize.
gmond[14459]: Starting GANGLIA gmond: [  OK  ]


Also similar errors to mga1 starting ganglia-script.service

# systemctl status ganglia-script.service
ganglia-script[14604]: Starting GANGLIA monitor scripts: parametre
ganglia-script[14604]: Can't open: No such file or directory at /usr/bin/ganglia-script line 31.
ganglia-script[14604]: [  OK  ]


Browsing to http://localhost/ganglia I can see both nodes, this one and the mga1 i586.

Choosing the remote node from the drop down menu displays some graphs but at the top, above them, it has two links beside each other. I think they should be graphs for Load last hour and Memory last hour on the remote host which have failed to display.

'Cluster LOAD Cluster MEM'

Clicking Cluster LOAD gives this error:
The image “http://localhost/ganglia/graph.php?g=load_report&z=large&c=Cluster&h=mgaone32&m=load_one&r=hour&s=descending&hc=4&mc=2&st=1347380741” cannot be displayed, because it contains errors.

Clicking Cluster MEM gives this error:
The image “http://localhost/ganglia/graph.php?g=mem_report&z=large&c=Cluster&h=mgaone32&m=load_one&r=hour&s=descending&hc=4&mc=2&st=1347380741” cannot be displayed, because it contains errors.

Viewing from the other host on mga1 i586 instead does show these two graphs.



After
-----

Still the error with ganglia-gmetad

3/5: ganglia-gmetad        ########################################################################################################warning: group nobody does not exist - using root
#
gmetad is launched as nobody users now, changing /var/lib/ganglia/rrds permissions to nobody.nobody
chown: invalid user: `nobody.nobody'
warning: %post(ganglia-gmetad-3.1.7-7.1.mga2.x86_64) scriptlet failed, exit status 1

Also the error with ganglia-script:
ganglia-script[15636]: Starting GANGLIA monitor scripts: parametre
ganglia-script[15636]: Can't open: No such file or directory at /usr/bin/ganglia-script line 31.
ganglia-script[15636]: [  OK  ]

And the error with gmond:
/usr/sbin/gmond[15819]: [PYTHON] Can't open the python module path /usr/lib64/ganglia/python_modules.
/usr/sbin/gmond[15819]: Module python_module failed to initialize.
gmond[15786]: Starting GANGLIA gmond: [  OK  ]

Also the two graphs which gave errors still give errors.
Comment 9 claire robinson 2012-09-17 10:10:14 CEST
Ping for packager response, we're lagging with this one.
Comment 10 claire robinson 2012-09-26 16:36:53 CEST
Created some separate bugs for the issues with ganglia.

As there is no packager response and they are not regressions we will have to validate this update in it's current state.

bug 7586 created for ganglia-gmetad - %post script
bug 7587 created for ganglia-script - No such file or directory
bug 7588 created for the missing graphs in mga2
bug 7589 created for gmond service - Module python_module failed to initialize
Comment 11 claire robinson 2012-09-27 18:51:11 CEST
Testing complete mga2 32

All the same problems as before plus another one.
Browsing to http://localhost/ganglia gives..

Cannot find any metrics for selected cluster "Cluster", exiting.
Check ganglia XML tree (telnet 127.0.0.1 8652)

It can be seen as a node from another computer though.

bug 7601 created for this issue.
Comment 12 claire robinson 2012-09-27 18:56:00 CEST
Testing complete mga1 64

Validating (reluctantly)

SRPMs and advisory in comment 5

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 13 Thomas Backlund 2012-09-30 21:15:02 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0277
Comment 14 David Walser 2013-01-22 22:48:54 CET
Debian has issued an advisory for this on January 21:
http://www.debian.org/security/2013/dsa-2610

This issue was assigned CVE-2012-3448, so if anyone's looking for that, we have already fixed it.

Note You need to log in before you can comment on or make changes to this bug.