Your message dated Sat, 08 Sep 2012 16:16:41 +0100
with message-id <1347117401.8753.53.ca...@jacala.jungle.funky-badger.org>
and subject line Re: Bug#683998: closed by Holger Levsen
<hol...@layer-acht.org> (confirmed again for 2.0.6-1)
has caused the Debian Bug report #683998,
regarding munin: allows creation of sockets at arbitrary locations (/tmp file
vulnerability)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
683998: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683998
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: munin
Version: 1.4.5-3
Severity: serious
Tags: security

I wondered where a socket /tmp/munin-master-processmanager-12345.sock
would come from and whether it was created in a secure way. In the
presence of this bug report you may have guessed that it is not. The
corresponding code can be found in
/usr/share/perl5/Munin/Master/ProcessManager.pm. Apparently rundir is
set to /tmp and the _prepare_unix_socket subroutine happily unlink(2)s
that path and creates a socket. So via a simple race condition (use
inotify!) we can place a symbolic link at the desired location and make
munin place a socket at an arbitrary location. It should also be
possible to turn this into a local denial of service by pointing to a
non-existent directory. Please evaluate the impact of this issue and
downgrade the severity accordingly. Fixing this issue should be easy by
changing the default for rundir.
Helmut
--- End Message ---
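The mitigation the report points at (a rundir that other local users cannot write to), as an added Python sketch; it is not Munin's Perl code and not part of the original report. `check_rundir`, `prepare_unix_socket` (named after the subroutine in the report) and `UnsafeRunDir` are illustrative names, and the parent directories of rundir are assumed to be trusted.

```python
import os
import socket
import stat


class UnsafeRunDir(Exception):
    """The run directory could be tampered with by another local user."""


def check_rundir(rundir):
    """Refuse a rundir that is a symlink, foreign-owned or shared-writable."""
    st = os.lstat(rundir)  # lstat: do not follow a symlink planted at rundir
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeRunDir(f"{rundir}: not a real directory")
    if st.st_uid != os.geteuid():
        raise UnsafeRunDir(f"{rundir}: not owned by the service user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Covers /tmp-style directories: the sticky bit does not stop other
        # users from creating a symlink at a path we are about to bind.
        raise UnsafeRunDir(f"{rundir}: writable by group or others")


def prepare_unix_socket(rundir, name):
    """Bind a listening socket inside a rundir only this user can modify."""
    check_rundir(rundir)
    path = os.path.join(rundir, name)
    try:
        os.unlink(path)  # stale socket; nobody else can recreate the path
    except FileNotFoundError:
        pass
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)  # socket file is created owner-only
    try:
        sock.bind(path)
    except OSError:
        sock.close()
        raise
    finally:
        os.umask(old_umask)
    sock.listen(1)
    return sock, path


if __name__ == "__main__":
    import tempfile
    run = tempfile.mkdtemp()  # constructed private directory, mode 0700
    s, p = prepare_unix_socket(run, "munin-master-processmanager.sock")
    print("bound", p)
    s.close()
```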
--- Begin Message ---
Version: 2.0.1-1
On Sat, 2012-09-08 at 11:30 +0200, Helmut Grohne wrote:
> Control: reopen 683998
> Control: fixed 683998 2.0.1-1
>
> On Mon, Sep 03, 2012 at 02:15:06PM +0000, Debian Bug Tracking System wrote:
> > It has been closed by Holger Levsen <hol...@layer-acht.org>.
>
> I slightly disagree. I can see that this issue does not affect wheezy,
> but the bug remains open in squeeze. Please only close it with a stable
> security upload or with the end of the squeeze security support.
No, that's not how the BTS works. A versioned closing of the bug as
soon as it's fixed in /any/ version is perfectly acceptable, and
expected. The BTS is perfectly capable of knowing that a bug is fixed
in unstable but not in stable without having to artificially avoid using
-done.
Regards,
Adam
--- End Message ---