From secunia advisory at $URL:
A security issue has been reported in Munin, which can be exploited by malicious, local users to manipulate certain data.
The security issue is caused due to the qmailscan plugin creating temporary files in an insecure manner, which can be exploited to e.g. overwrite arbitrary files via symlink attacks.
The security issue is reported in version 1.4.7. Other versions may also be affected.
Restrict access to trusted users only (unpatched).
Created attachment 314227 [details, diff]
from upstream svn, might work...needs testing
Can security verify whether this affects 1.4.6 or not? If not I'd just get rid of 1.4.7 and that's it; if yes I'll have to choose between updating 1.4.7 or stabling 2.0.2 already.
yes, 1.4.6 is vulnerable, the fix appears only in 2.0-rc6:
* Remove the use of tempfiles. (D: Closes #668778)
so you can:
1)patch 1.4.x if is your interest maintain in tree 1.x
So I'd be fine with stabling 2.0.5 at this point.. but ppc hasn't keyworded it yet.
Sorry, this is not [stable blocked], the block is only for ppc.
amd64 and x86 can do it in the meantime.
Arches, please test and mark stable:
Target KEYWORDS : "amd64 ppc x86"
amd64: ok (builds with defflags, tests fine)
The qmailscan plugin for Munin 1.4.5 allows local users to overwrite
arbitrary files via a symlink attack on temporary files with predictable
*** Bug 434978 has been marked as a duplicate of this bug. ***
Readding x86 (bug #434978).
(In reply to comment #11)
> Readding x86 (bug #434978).
dev-perl/net-server-2.6.0 is now stable on x86. Sorry for the mess, note repoman bug #435242
ppc will continue in bug 445250
@security: I guess you need to vote or add this bug to the current glsa filed for bug 445250
GLSA vote: yes
YES too, added to existing draft.
This issue was resolved and addressed in
GLSA 201405-17 at http://security.gentoo.org/glsa/glsa-201405-17.xml
by GLSA coordinator Sean Amoss (ackle).