Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 412881 (CVE-2012-2103) - <net-analyzer/munin-2.0.5-r1: Insecure Temporary File Creation Security Issue (CVE-2012-2103)
Summary: <net-analyzer/munin-2.0.5-r1: Insecure Temporary File Creation Security Issue...
Status: RESOLVED FIXED
Alias: CVE-2012-2103
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48859/
Whiteboard: B3 [glsa]
Keywords:
: 434978 (view as bug list)
Depends on: 404433 427504 432312
Blocks:
  Show dependency tree
 
Reported: 2012-04-21 09:29 UTC by Agostino Sarubbo
Modified: 2014-05-18 11:56 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
munin-1.4.7-qmail-tempfiles.patch (munin-1.4.7-qmail-tempfiles.patch,2.64 KB, patch)
2012-06-04 21:23 UTC, Jeremy Olexa (darkside) (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-04-21 09:29:49 UTC
From secunia advisory at $URL:


Description
A security issue has been reported in Munin, which can be exploited by malicious, local users to manipulate certain data.

The security issue is caused due to the qmailscan plugin creating temporary files in an insecure manner, which can be exploited to e.g. overwrite arbitrary files via symlink attacks.

The security issue is reported in version 1.4.7. Other versions may also be affected.


Solution
Restrict access to trusted users only (unpatched).
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2012-06-04 21:23:07 UTC
Created attachment 314227 [details, diff]
munin-1.4.7-qmail-tempfiles.patch

from upstream svn, might work...needs testing
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-07-21 15:45:26 UTC
Can security verify whether this affects 1.4.6 or not? If not I'd just get rid of 1.4.7 and that's it; if yes I'll have to choose between updating 1.4.7 or stabling 2.0.2 already.
Comment 3 Agostino Sarubbo gentoo-dev 2012-07-21 16:03:46 UTC
yes, 1.4.6 is vulnerable, the fix appears only in 2.0-rc6:

* Remove the use of tempfiles. (D: Closes #668778)

so you can:
1)patch 1.4.x if is your interest maintain in tree 1.x
2)stabilize 2.x
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-08-18 00:24:59 UTC
So I'd be fine with stabling 2.0.5 at this point.. but ppc hasn't keyworded it yet.
Comment 5 Agostino Sarubbo gentoo-dev 2012-08-21 12:08:15 UTC
Sorry, this is not [stable blocked], the block is only for ppc.
amd64 and x86 can do it in the meantime.


Arches, please test and mark stable:
=net-analyzer/munin-2.0.5-r1
Target KEYWORDS : "amd64 ppc x86"
Comment 6 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2012-08-30 18:09:01 UTC
amd64: ok (builds with defflags, tests fine)
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-09-05 11:45:50 UTC
CVE-2012-2103 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2103):
  The qmailscan plugin for Munin 1.4.5 allows local users to overwrite
  arbitrary files via a symlink attack on temporary files with predictable
  names.
Comment 8 Agostino Sarubbo gentoo-dev 2012-09-07 08:44:41 UTC
amd64 stable
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-09-13 07:20:17 UTC
x86 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2012-09-16 14:53:21 UTC
*** Bug 434978 has been marked as a duplicate of this bug. ***
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2012-09-16 14:54:06 UTC
Readding x86 (bug #434978).
Comment 12 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-09-17 09:04:40 UTC
(In reply to comment #11)
> Readding x86 (bug #434978).

dev-perl/net-server-2.6.0 is now stable on x86. Sorry for the mess, note repoman bug #435242
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-29 23:04:02 UTC
ppc will continue in bug 445250
Comment 14 Agostino Sarubbo gentoo-dev 2013-03-20 11:24:52 UTC
@security: I guess you need to vote or add this bug to the current glsa filed for bug 445250
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-20 23:40:57 UTC
GLSA vote: yes
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2013-04-01 14:35:14 UTC
YES too, added to existing draft.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 11:56:21 UTC
This issue was resolved and addressed in
 GLSA 201405-17 at http://security.gentoo.org/glsa/glsa-201405-17.xml
by GLSA coordinator Sean Amoss (ackle).