[dev.icinga.com #5276] getcgivars() fails to produce proper key/value list causing a potential buffer-overflow condition #1404
Comments
Updated by crfriend on 2013-12-07 15:09:33 +00:00 Note: The fix for this will have downstream impact in any CGI that makes use of the SEARCH_STRING environment variable. "High" priority was asserted as this represents a potential security problem. Work on this is underway. |
Updated by mfriedrich on 2013-12-07 16:50:50 +00:00
|
Updated by mfriedrich on 2013-12-07 16:53:06 +00:00
Marking this as private until a fix is available. |
Updated by crfriend on 2013-12-07 17:14:38 +00:00 dnsmichi wrote:
Understood. I anticipate a fix to be available this afternoon (Eastern US time). The change impacts virtually all the CGIs and I'm working through them one by one. Once that's done I'll push my branch and ask for testing. Initial testing on the "status.cgi" looks very promising, however. |
Updated by crfriend on 2013-12-07 20:50:05 +00:00
I pushed a commit to this issue a few minutes ago that looks like it answers the root cause of the related off-by-one error by forcing getcgivars() to produce a guaranteed list of pairs where it could produce a single-element list before. The behavior could be reproduced by passing in a Boolean with a value and the result would be nonsense (e.g. a query string of "csvoutput=jsonoutput" would produce JSON data instead of CSV in status.cgi). In the revised version, Boolean variables (i.e. those which are active by their mere presence) produce a NULL pointer for the value string instead of a pointer to an empty string (""). This seems to have fixed the above problem. In addition, both the keys and values are now checked for maximum length, and if that length is exceeded the various cgis now bail out with error status. I believe that behavior to be the safest when confronted with badly-formatted input and is related to buffer-overruns. Most of the files in the cgi hierarchy were affected by this change, and we affected in the process_cgivars() routine. Initial tests in my environment show good results, but this needs testing on a wider scale, and I'd also like a few other eyes on the changed code to ensure it's sane. |
Updated by crfriend on 2013-12-08 21:15:31 +00:00 Well, two follow-on commits had to be made to correct blunders on my part, but it finally looks reasonably sane at this end. Had I known the complete scope heading into this I might not have attempted it! (A quick count shows better than a thousand lines changed. Even though most of those were "mechanical" it's still a big commit.) Given the scope, I'd really like others to test things to make sure I didn't miss anything I haven't already caught! |
Updated by crfriend on 2013-12-16 00:04:19 +00:00 It looks like this one is CVE-2013-7108 per Ricardo's mail to the Icinga-team list. |
Updated by ricardo on 2013-12-19 19:22:01 +00:00
merged to next. non private as fix is available, was quick fixed with #5251 thanks to Carl for the fix. |
Updated by ricardo on 2013-12-21 22:50:47 +00:00
Applied in changeset icinga-core:b79fca3c3477696abdfc15f18f3d69b9d6dc3673. |
Updated by mfriedrich on 2014-12-08 09:21:45 +00:00
|
This issue has been migrated from Redmine: https://dev.icinga.com/issues/5276
Created by crfriend on 2013-12-07 14:38:59 +00:00
Assignee: crfriend
Status: Resolved (closed on 2013-12-21 22:50:47 +00:00)
Target Version: 1.11
Last Update: 2014-12-08 09:21:45 +00:00 (in Redmine)
This is related to issue #5251 and addresses the root-cause of that issue which resulted in Icinga getting a CVE attached to it for a potential buffer-overrun condition with maliciously-formed query-strings.
At issue is the getcgivars() routine which fails to produce a properly-formed key/value pointer structure in response to Boolean (i.e. "valueless") keys (the presence of the key is the "value). Instead, it produces an array of pointers that merely reflect keys and values in order; it should produce a valid char pointer and a NULL pointer for said Booleans.
Changesets
2013-12-07 20:29:04 +00:00 by crfriend 0cdc0b2
2013-12-07 21:31:44 +00:00 by crfriend 2e13fad
2013-12-08 13:08:23 +00:00 by crfriend 48b5a3a
2013-12-19 17:33:14 +00:00 by ricardo b79fca3
2013-12-19 19:04:09 +00:00 by ricardo f401370
2013-12-19 19:06:54 +00:00 by ricardo 9e9178e
2013-12-26 23:47:30 +00:00 by crfriend deb1c74
2014-01-03 22:42:46 +00:00 by ricardo 3549874
2014-01-03 22:47:31 +00:00 by ricardo aca76cf
Relations:
The text was updated successfully, but these errors were encountered: