net-analyzer/munin is vulnerable to a local file write vulnerability when the "cgi" USE flag is set (i.e. CGI graphs are enabled).
Setting multiple "upper_limit" GET parameters allows overwriting any
file accessible to the user running munin/cgi graph.
For example, requesting a URL like the following will create "/tmp/test":
*** Bug 625558 has been marked as a duplicate of this bug. ***
Requires specific configuration (but the configuration is mentioned in the wiki: https://wiki.gentoo.org/wiki/Munin#Full_CGI )
munin 2.0.33 is now in the tree. I propose to wait a few days for potential issues to shake out before going stable, since we are behind quite a bit (stable at 2.0.19 and last version in the tree was 2.0.25).
munin 2.0.33 works fine in my test setup and no issues reported so far: let's stable the new version.
Stable on amd64.
Vulnerable version has been removed.
(In reply to Hans de Graaff from comment #8)
> Vulnerable version has been removed.
Thank you all.
New GLSA Request Filed.
Gentoo Security Padawan
This issue was resolved and addressed in
GLSA 201710-05 at https://security.gentoo.org/glsa/201710-05
by GLSA coordinator Aaron Bauman (b-man).
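
The original report ties the issue to requests carrying more than one "upper_limit" GET parameter. The following is an added detection example, not code from the bug report or from Munin, that scans web server access logs for such requests. It assumes the combined log format and that the CGI graph path contains `munin-cgi-graph`; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line as it appears inside a "combined" access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[0-9.]+"')

def repeated_params(target, watched=("upper_limit",)):
    """Return {name: [values]} for watched query parameters seen more than once.
    parse_qsl percent-decodes names, so 'upper%5Flimit' is counted as well."""
    seen = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in watched:
            seen.setdefault(name, []).append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}

def scan(lines, path_hint="munin-cgi-graph"):
    """Return (line_no, target, repeats) for CGI graph requests that repeat
    a watched parameter. path_hint is an assumption; adjust to the local setup."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        if path_hint not in urlsplit(target).path:
            continue
        repeats = repeated_params(target)
        if repeats:
            hits.append((no, target, repeats))
    return hits

# Constructed sample entries (documentation addresses, harmless numeric values).
SAMPLE = [
    '192.0.2.10 - - [01/Aug/2017:10:00:00 +0000] "GET /munin-cgi/munin-cgi-graph/'
    'localdomain/localhost/cpu-day.png?upper_limit=100 HTTP/1.1" 200 5120 "-" "curl"',
    '192.0.2.11 - - [01/Aug/2017:10:00:05 +0000] "GET /munin-cgi/munin-cgi-graph/'
    'localdomain/localhost/cpu-day.png?upper_limit=100&upper_limit=200 HTTP/1.1" 200 0 "-" "curl"',
    '192.0.2.12 - - [01/Aug/2017:10:00:09 +0000] "GET /munin-cgi/munin-cgi-graph/'
    'localdomain/localhost/cpu-day.png?upper%5Flimit=1&upper_limit=2 HTTP/1.1" 200 0 "-" "curl"',
    '192.0.2.13 - - [01/Aug/2017:10:00:12 +0000] "GET /other/app?upper_limit=1'
    '&upper_limit=2 HTTP/1.1" 404 0 "-" "curl"',
]

if __name__ == "__main__":
    for no, target, repeats in scan(SAMPLE):
        print(f"line {no}: {target} -> {repeats}")
```

A hit only shows that the parameter was repeated; whether a file was written has to be checked on the host itself.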