Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 445250 (CVE-2012-3512) - <net-analyzer/munin-2.0.8-r2: Multiple vulnerabilities (CVE-2012-{3512,3513})
Summary: <net-analyzer/munin-2.0.8-r2: Multiple vulnerabilities (CVE-2012-{3512,3513})
Alias: CVE-2012-3512
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2012-11-29 20:39 UTC by GLSAMaker/CVETool Bot
Modified: 2014-05-18 11:56 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-11-29 20:39:45 UTC
CVE-2012-3513 (
  munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under
  Apache, allows remote attackers to load new configurations and create files
  in arbitrary directories via the logdir command.

CVE-2012-3512 (
  Munin before 2.0.6 stores plugin state files that run as root in the same
  group-writable directory as non-root plugins, which allows local users to
  execute arbitrary code by replacing a state file, as demonstrated using the
  smart_ plugin.

Maintainers, may we stabilize =net-analyzer/munin-2.0.8-r2 ?
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-11-29 22:06:04 UTC
Go for it.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-29 23:03:25 UTC
(In reply to comment #1)
> Go for it.

Awesome, thanks.

Arches, please test and mark stable:
Target KEYWORDS : "amd64 ppc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-12-02 12:16:33 UTC
amd64 stable
Comment 4 Andreas Schürch gentoo-dev 2012-12-04 15:36:48 UTC
net-analyzer/munin-2.0.8-r2 nowadays needs dev-perl/Test-Deep as well as dev-perl/Test-MockObject (which itself needs dev-perl/UNIVERSAL-isa & dev-perl/UNIVERSAL-can) to pass the testsuite here on x86. These two direct test-deps are not mentioned in the munin-ebuild right now and these packages are only keyworded (although they all look good to go).
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-12-04 16:10:04 UTC
Uhm I'm not sure why I didn't notice failure without those — I'll look into adding the deps in a moment then.
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-12-06 04:18:11 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2012-12-22 15:18:21 UTC
ppc stable
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-23 00:15:08 UTC
Thanks, everyone. 

GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 11:56:22 UTC
This issue was resolved and addressed in
 GLSA 201405-17 at
by GLSA coordinator Sean Amoss (ackle).