munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under
Apache, allows remote attackers to load new configurations and create files
in arbitrary directories via the logdir command.
Munin before 2.0.6 stores plugin state files that run as root in the same
group-writable directory as non-root plugins, which allows local users to
execute arbitrary code by replacing a state file, as demonstrated using the
Maintainers, may we stabilize =net-analyzer/munin-2.0.8-r2 ?
Go for it.
(In reply to comment #1)
> Go for it.
Arches, please test and mark stable:
Target KEYWORDS : "amd64 ppc x86"
net-analyzer/munin-2.0.8-r2 nowadays needs dev-perl/Test-Deep as well as dev-perl/Test-MockObject (which itself needs dev-perl/UNIVERSAL-isa & dev-perl/UNIVERSAL-can) to pass the test suite here on x86. These two direct test-deps are not mentioned in the munin-ebuild right now and these packages are only keyworded (although they all look good to go).
Uhm I'm not sure why I didn't notice failure without those — I'll look into adding the deps in a moment then.
GLSA request filed.
This issue was resolved and addressed in
GLSA 201405-17 at http://security.gentoo.org/glsa/glsa-201405-17.xml
by GLSA coordinator Sean Amoss (ackle).