Bugzilla – Bug 828003
VUL-1: CVE-2013-2131: rrdtool: format string issue
Last modified: 2020-06-29 06:23:04 UTC
is public, via rh bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=969296 CVE-2013-2131 Thomas Pollet (thomas.pollet@gmail.com) reports: Also, the rrdtool python module crashes on format string exploit $ python -c "import rrdtool rrdtool.graph('/tmp/out.png','-f','%n%n')" Segmentation fault upstream ticket: https://github.com/oetiker/rrdtool-1.x/issues/396
bugbot adjusting priority
Created attachment 615936 [details] imginfo format check patch Short summary: There is a following problem in rrdtool: $ rrdtool graph /tmp/out.png -f '%n%n' *** %n in writable segment detected *** Aborted (core dumped) There is a fix in upstream that adding check in order to prevent crash or exploit. This fix was merged to the trunk and released in RRDtool 1.4.9 - 2014-09-29. I prepared patch for rrdtool 1.4.7 which suits for openSUSE 12.3, 13.1, 13.2, Factory, SLE11 and SLE12. This patch was submitted to Factory (sr#264060) and to openSUSE 12.3, 13.1 and 13.2 as a maintenance update (mr#64061). Waiting for the call for SLE maintenance update.
This is an autogenerated message for OBS integration: This bug (828003) was mentioned in https://build.opensuse.org/request/show/264061 13.2+13.1+12.3 / rrdtool
As the patch is prepared, I'm closing this bug.
openSUSE-SU-2014:1646-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 828003 CVE References: CVE-2013-2131 Sources used: openSUSE 13.2 (src): rrdtool-1.4.7-20.4.1 openSUSE 13.1 (src): rrdtool-1.4.7-13.4.1 openSUSE 12.3 (src): rrdtool-1.4.7-8.4.1
SUSE-SU-2017:0103-1: An update that solves one vulnerability and has one errata is now available. Category: security (low) Bug References: 828003,967671 CVE References: CVE-2013-2131 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP2 (src): rrdtool-1.4.7-20.1 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): rrdtool-1.4.7-20.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): rrdtool-1.4.7-20.1 SUSE Linux Enterprise Server 12-SP2 (src): rrdtool-1.4.7-20.1 SUSE Linux Enterprise Server 12-SP1 (src): rrdtool-1.4.7-20.1 SUSE Linux Enterprise Desktop 12-SP2 (src): rrdtool-1.4.7-20.1 SUSE Linux Enterprise Desktop 12-SP1 (src): rrdtool-1.4.7-20.1
This is an autogenerated message for OBS integration: This bug (828003) was mentioned in https://build.opensuse.org/request/show/576348 42.3 / rrdtool
openSUSE-SU-2018:0474-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 1080251,828003 CVE References: CVE-2013-2131 Sources used: openSUSE Leap 42.3 (src): rrdtool-1.4.7-26.3.1