Bug 610602 (CVE-2017-6188) - <net-analyzer/munin-2.0.33: munin-cgi-graph: arbitrary file write
Summary: <net-analyzer/munin-2.0.33: munin-cgi-graph: arbitrary file write
Status: RESOLVED FIXED
Alias: CVE-2017-6188
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/munin-monitoring/m...
Whiteboard: C2 [glsa cve]
Duplicates: 625558
Reported: 2017-02-22 20:21 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-10-08 13:43 UTC (History)
Package list:
net-analyzer/munin-2.0.33 dev-perl/CGI-Fast-2.100.0 ppc
Runtime testing required: ---
stable-bot: sanity-check+

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-22 20:21:12 UTC
net-analyzer/munin is vulnerable to a local file write vulnerability when the "cgi" USE flag is set (i.e. CGI graphs are enabled).

Setting multiple "upper_limit" GET parameters allows overwriting any
file accessible to the user running munin/cgi graph.

For example, requesting a URL like the following will create "/tmp/test":

http://.../munin-cgi/munin-cgi-graph/.../.../...-day.png?upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test


Proposed patch:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705#5
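
An added example, not part of the original report or of munin's code: a log check for the request pattern described above (a repeated parameter such as "upper_limit", or a parameter value that looks like a command-line option), run over constructed access-log lines. The log format, hosts, paths and function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines; hosts, paths and timestamps are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Feb/2017:20:21:12 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host1/cpu-day.png HTTP/1.1" 200 5120',
    '192.0.2.11 - - [22/Feb/2017:20:22:01 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host1/cpu-day.png?upper_limit=100&lower_limit=0 HTTP/1.1" 200 5200',
    '192.0.2.66 - - [22/Feb/2017:20:23:40 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host1/cpu-day.png?upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test HTTP/1.1" 200 0',
    '192.0.2.12 - - [22/Feb/2017:20:24:02 +0000] "GET /munin-cgi/munin-cgi-graph/example.org/host1/temp-week.png?lower_limit=-10 HTTP/1.1" 200 4800',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_option_like(value):
    """True for values such as '--output-file'; negative numbers are allowed."""
    if not value.startswith("-"):
        return False
    try:
        float(value)
        return False
    except ValueError:
        return True

def suspicious_reasons(request_target):
    """Return the reasons a munin-cgi-graph request matches the reported pattern."""
    parts = urlsplit(request_target)
    if "munin-cgi-graph" not in parts.path:
        return []
    # parse_qsl percent-decodes names and values before they are checked.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    counts = {}
    for name, _ in pairs:
        counts[name] = counts.get(name, 0) + 1
    reasons = [f"repeated parameter {n!r} x{c}" for n, c in counts.items() if c > 1]
    reasons += [f"option-like value {v!r} in {n!r}" for n, v in pairs if is_option_like(v)]
    return reasons

def scan(lines):
    """Yield (line_number, reasons) for every flagged log line."""
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        reasons = suspicious_reasons(m.group(1)) if m else []
        if reasons:
            yield lineno, reasons

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG):
        print(f"line {lineno}: " + "; ".join(reasons))
```
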
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-18 18:24:22 UTC
*** Bug 625558 has been marked as a duplicate of this bug. ***
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-07-18 18:25:28 UTC
Requires specific configuration (but the configuration is mentioned in wiki; https://wiki.gentoo.org/wiki/Munin#Full_CGI )
Comment 3 Hans de Graaff gentoo-dev Security 2017-07-18 18:34:53 UTC
munin 2.0.33 is now in the tree. I propose to wait a few days for potential issues to shake out before going stable, since we are behind quite a bit (stable at 2.0.19 and last version in the tree was 2.0.25).
Comment 4 Hans de Graaff gentoo-dev Security 2017-07-22 06:59:08 UTC
munin 2.0.33 works fine in my test setup and no issues reported so far: let's stable the new version.
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-31 09:01:53 UTC
Stable on amd64.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-18 19:43:51 UTC
x86 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-30 06:39:36 UTC
ppc stable
Comment 8 Hans de Graaff gentoo-dev Security 2017-10-01 06:06:22 UTC
Vulnerable version has been removed.
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-01 22:41:28 UTC
(In reply to Hans de Graaff from comment #8)
> Vulnerable version has been removed.

Thank you all.

New GLSA Request Filed.

Gentoo Security Padawan
ChrisADR
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-10-08 13:43:42 UTC
This issue was resolved and addressed in
 GLSA 201710-05 at https://security.gentoo.org/glsa/201710-05
by GLSA coordinator Aaron Bauman (b-man).