Summary: | <net-analyzer/munin-2.0.5-r1: Insecure Temporary File Creation Security Issue (CVE-2012-2103) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | minor | CC: | mellos, sysadmin | ||||
Priority: | Normal | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | https://secunia.com/advisories/48859/ | ||||||
Whiteboard: | B3 [glsa] | ||||||
Package list: | Runtime testing required: | --- | |||||
Bug Depends on: | 404433, 427504, 432312 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
Agostino Sarubbo
2012-04-21 09:29:49 UTC
Created attachment 314227 [details, diff]
munin-1.4.7-qmail-tempfiles.patch
from upstream svn, might work...needs testing
Can security verify whether this affects 1.4.6 or not? If not I'd just get rid of 1.4.7 and that's it; if yes I'll have to choose between updating 1.4.7 or stabling 2.0.2 already. yes, 1.4.6 is vulnerable, the fix appears only in 2.0-rc6: * Remove the use of tempfiles. (D: Closes #668778) so you can: 1)patch 1.4.x if is your interest maintain in tree 1.x 2)stabilize 2.x So I'd be fine with stabling 2.0.5 at this point.. but ppc hasn't keyworded it yet. Sorry, this is not [stable blocked], the block is only for ppc. amd64 and x86 can do it in the meantime. Arches, please test and mark stable: =net-analyzer/munin-2.0.5-r1 Target KEYWORDS : "amd64 ppc x86" amd64: ok (builds with defflags, tests fine) CVE-2012-2103 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2103): The qmailscan plugin for Munin 1.4.5 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names. amd64 stable x86 stable *** Bug 434978 has been marked as a duplicate of this bug. *** Readding x86 (bug #434978). (In reply to comment #11) > Readding x86 (bug #434978). dev-perl/net-server-2.6.0 is now stable on x86. Sorry for the mess, note repoman bug #435242 ppc will continue in bug 445250 @security: I guess you need to vote or add this bug to the current glsa filed for bug 445250 GLSA vote: yes YES too, added to existing draft. This issue was resolved and addressed in GLSA 201405-17 at http://security.gentoo.org/glsa/glsa-201405-17.xml by GLSA coordinator Sean Amoss (ackle). |