net-analyzer/munin is vulnerable to a local file write vulnerability when the "cgi" USE flag is set (i.e. CGI graphs are enabled). Setting multiple "upper_limit" GET parameters allows overwriting any file accessible to the user running munin/cgi graph.

For example, requesting a URL like the following will create "/tmp/test":

http://.../munin-cgi/munin-cgi-graph/.../.../...-day.png?upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test

Proposed patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705#5
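Added example, not part of the original report or of munin's own code: a check over web server access logs for the request pattern described in the report above, flagging munin-cgi-graph requests whose query string repeats a parameter or carries a value that looks like a command-line option. The common/combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
NUMERIC_RE = re.compile(r"-?\d+(\.\d+)?")

def suspicious_params(url):
    """Return reasons a munin-cgi-graph request looks like option injection."""
    parts = urlsplit(url)
    if "/munin-cgi-graph/" not in parts.path:
        return []
    # parse_qsl percent-decodes, so encoded dashes (%2D) are caught as well.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    reasons = []
    counts = Counter(name for name, _ in pairs)
    for name, n in sorted(counts.items()):
        if n > 1:
            reasons.append(f"parameter {name!r} repeated {n} times")
    for name, value in pairs:
        # A leading dash is fine for a negative number, not for anything else.
        if value.startswith("-") and not NUMERIC_RE.fullmatch(value):
            reasons.append(f"{name}={value!r} looks like a command-line option")
    return reasons

def scan(lines):
    """Yield (line_number, reasons) for each flagged access-log line."""
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            reasons = suspicious_params(m.group(1))
            if reasons:
                yield no, reasons

# Constructed sample log lines; addresses, dates and graph paths are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2017:10:00:00 +0000] "GET /munin-cgi/munin-cgi-graph/example/host/cpu-day.png?upper_limit=100 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Mar/2017:10:00:05 +0000] "GET /munin-cgi/munin-cgi-graph/example/host/cpu-day.png?upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test HTTP/1.1" 200 0',
    '192.0.2.12 - - [01/Mar/2017:10:00:09 +0000] "GET /munin-cgi/munin-cgi-graph/example/host/cpu-day.png?upper_limit=-5 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for no, reasons in scan(SAMPLE_LOG):
        print(f"line {no}: " + "; ".join(reasons))
```

A hit in the logs is a reason to check for unexpected files writable by the account that runs the CGI graph process.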
*** Bug 625558 has been marked as a duplicate of this bug. ***
Requires specific configuration (but the configuration is mentioned in the wiki: https://wiki.gentoo.org/wiki/Munin#Full_CGI)
munin 2.0.33 is now in the tree. I propose to wait a few days for potential issues to shake out before going stable, since we are behind quite a bit (stable at 2.0.19 and last version in the tree was 2.0.25).
munin 2.0.33 works fine in my test setup and no issues reported so far: let's stable the new version.
Stable on amd64.
x86 stable
ppc stable
Vulnerable version has been removed.
(In reply to Hans de Graaff from comment #8)
> Vulnerable version has been removed.

Thank you all. New GLSA Request Filed.

Gentoo Security Padawan
ChrisADR
This issue was resolved and addressed in GLSA 201710-05 at https://security.gentoo.org/glsa/201710-05 by GLSA coordinator Aaron Bauman (b-man).