
Bug 610602 (CVE-2017-6188)

Summary: <net-analyzer/munin-2.0.33: munin-cgi-graph: arbitrary file write
Product: Gentoo Security
Reporter: Thomas Deutschmann <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: graaff, sysadmin
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/munin-monitoring/munin/issues/721
See Also: https://bugs.debian.org/855705
Whiteboard: C2 [glsa cve]
Package list:
net-analyzer/munin-2.0.33 dev-perl/CGI-Fast-2.100.0 ppc
Runtime testing required: ---

Description Thomas Deutschmann gentoo-dev Security 2017-02-22 20:21:12 UTC
net-analyzer/munin is vulnerable to a local file write vulnerability when the "cgi" USE flag is set (i.e. CGI graphs are enabled).

Setting multiple "upper_limit" GET parameters allows overwriting any
file accessible to the user running munin/cgi graph.

For example, requesting a URL like the following will create "/tmp/test":

http://.../munin-cgi/munin-cgi-graph/.../.../...-day.png?upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test


Proposed patch:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705#5
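
The report describes a repeated GET parameter whose extra values end up being treated as command-line options. The sketch below is an added example, not munin code and not the Debian patch: it shows the general pattern (every value of a repeated parameter appended to an argument list) beside a handler that accepts exactly one numeric value. Python stands in for the Perl CGI here, and the option spelling `--upper_limit`, the function names and the numeric format are assumptions.

```python
# Added illustration, not munin code. The option spelling "--upper_limit"
# and the numeric format are assumptions made for this sketch.
import re
from urllib.parse import parse_qs

NUMERIC = re.compile(r"-?\d+(\.\d+)?")  # assumed shape of a graph limit

# Constructed sample: the query string shape quoted in the report above.
REPORTED_QUERY = "upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test"


def build_args_naive(query):
    """Fragile pattern: every value of a repeated parameter reaches argv."""
    params = parse_qs(query)
    args = []
    if "upper_limit" in params:
        args.append("--upper_limit")
        args.extend(params["upper_limit"])  # N values become N argv items
    return args


def build_args_strict(query):
    """Hardened pattern: one value only, and it must be a number."""
    values = parse_qs(query, keep_blank_values=True).get("upper_limit")
    if values is None:
        return []
    if len(values) != 1:
        raise ValueError("upper_limit: repeated parameter rejected")
    if not NUMERIC.fullmatch(values[0]):
        raise ValueError("upper_limit: non-numeric value rejected")
    return ["--upper_limit", values[0]]


if __name__ == "__main__":
    print("naive :", build_args_naive(REPORTED_QUERY))
    for q in (REPORTED_QUERY, "upper_limit=--output-file", "upper_limit=100"):
        try:
            print("strict:", build_args_strict(q))
        except ValueError as err:
            print("strict: rejected,", err)
```

The same two checks (single value, numeric only) also work as a review criterion for any CGI handler that forwards request parameters to an external program.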
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-18 18:24:22 UTC
*** Bug 625558 has been marked as a duplicate of this bug. ***
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-18 18:25:28 UTC
Requires specific configuration (but the configuration is mentioned in the wiki: https://wiki.gentoo.org/wiki/Munin#Full_CGI)
Comment 3 Hans de Graaff gentoo-dev 2017-07-18 18:34:53 UTC
munin 2.0.33 is now in the tree. I propose to wait a few days for potential issues to shake out before going stable, since we are behind quite a bit (stable at 2.0.19 and last version in the tree was 2.0.25).
Comment 4 Hans de Graaff gentoo-dev 2017-07-22 06:59:08 UTC
munin 2.0.33 works fine in my test setup and no issues reported so far: let's stable the new version.
Comment 5 Tobias Klausmann gentoo-dev 2017-07-31 09:01:53 UTC
Stable on amd64.
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-08-18 19:43:51 UTC
x86 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-30 06:39:36 UTC
ppc stable
Comment 8 Hans de Graaff gentoo-dev 2017-10-01 06:06:22 UTC
Vulnerable version has been removed.
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-01 22:41:28 UTC
(In reply to Hans de Graaff from comment #8)
> Vulnerable version has been removed.

Thank you all.

New GLSA Request Filed.

Gentoo Security Padawan
ChrisADR
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-10-08 13:43:42 UTC
This issue was resolved and addressed in GLSA 201710-05 at https://security.gentoo.org/glsa/201710-05 by GLSA coordinator Aaron Bauman (b-man).