Your message dated Sat, 25 Feb 2017 23:04:51 +0000
with message-id <[email protected]>
and subject line Bug#855705: fixed in munin 2.0.25-1+deb8u1
has caused the Debian Bug report #855705,
regarding munin: CVE-2017-6188: munin-cgi-graph local file write vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
855705: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855705
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: munin
Version: 2.0.25-1
Severity: grave
Tags: security patch
Justification: user security hole
Dear Maintainers,
The Munin package in Jessie has a local file write vulnerability when CGI graphs are
enabled. Setting multiple "upper_limit" GET parameters allows overwriting any
file accessible to the www-data user.
This was originally reported on GitHub by sstj here:
https://github.com/munin-monitoring/munin/issues/721
For example, requesting a URL like the following will create "/tmp/test":
http://.../munin-cgi/munin-cgi-graph/.../.../...-day.png?upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test
Attached is a simple patch that fixes the problem.
Best regards
Tomaž
Index: munin-2.0.25/master/_bin/munin-cgi-graph.in
===================================================================
--- munin-2.0.25.orig/master/_bin/munin-cgi-graph.in
+++ munin-2.0.25/master/_bin/munin-cgi-graph.in
@@ -447,13 +447,13 @@ sub draw_graph {
'--output-file', $filename );
# Sets the correct size on a by_graph basis
- push @params, "--size_x", CGI::param("size_x")
+ push @params, "--size_x", scalar CGI::param("size_x")
if (defined(CGI::param("size_x")));
- push @params, "--size_y", CGI::param("size_y")
+ push @params, "--size_y", scalar CGI::param("size_y")
if (defined(CGI::param("size_y")));
- push @params, "--upper_limit", CGI::param("upper_limit")
+ push @params, "--upper_limit", scalar CGI::param("upper_limit")
if (CGI::param("upper_limit"));
- push @params, "--lower_limit", CGI::param("lower_limit")
+ push @params, "--lower_limit", scalar CGI::param("lower_limit")
if (CGI::param("lower_limit"));
# Sometimes we want to set the IMG size, and not the canvas.
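Review bot: The values pushed on the four patched lines are still handed to rrdtool unvalidated once `scalar` has reduced them to a single argv entry; consider checking each of `size_x`, `size_y`, `upper_limit` and `lower_limit` against a numeric pattern (e.g. `$v =~ /^-?\d+(?:\.\d+)?$/`) before the `push`. The guards are also inconsistent: `size_x`/`size_y` use `defined(CGI::param(...))` while `upper_limit`/`lower_limit` use plain truthiness (`if (CGI::param("upper_limit"))`), so a legitimate limit of `0` is silently dropped.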
--- End Message ---
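As an added illustration (not munin's code and not part of the Debian patch), the following Perl script reproduces the list-context expansion behind CVE-2017-6188 using a hypothetical `param` stand-in for `CGI::param` and a constructed query, and shows the argv before and after forcing scalar context; the numeric check in the fixed variant is my own hardening assumption, not something the patch adds.

```perl
#!/usr/bin/perl
# Added example, not munin's code. It shows why a repeated GET parameter
# became extra rrdtool arguments in munin-cgi-graph and why 'scalar' fixes it.
# param() below is a hypothetical stand-in for CGI::param: all values in list
# context, the first value in scalar context, which is CGI.pm's behaviour.
use strict;
use warnings;

# Constructed query, as parsed from
# ?upper_limit=1&upper_limit=--output-file&upper_limit=/tmp/test&size_x=400
my %query = (
    upper_limit => [ '1', '--output-file', '/tmp/test' ],
    size_x      => ['400'],
);

sub param {
    my ($name) = @_;
    my @values = @{ $query{$name} || [] };
    return wantarray ? @values : $values[0];
}

# Pre-patch shape: push supplies list context, so every value of the
# parameter is spliced into the argv handed to rrdtool.
sub build_argv_vulnerable {
    my @params = ( 'graph', '--output-file', 'graph.png' );
    push @params, "--upper_limit", param("upper_limit")
        if ( param("upper_limit") );
    return @params;
}

# Patched shape plus an added numeric check (the check is my hardening
# assumption, not part of the Debian patch): exactly one value per
# parameter, and it must look like a number before it reaches rrdtool.
sub build_argv_fixed {
    my @params = ( 'graph', '--output-file', 'graph.png' );
    for my $name (qw(upper_limit lower_limit)) {
        my $v = scalar param($name);    # one value, never a list
        next unless defined $v;
        if ( $v =~ /^-?\d+(?:\.\d+)?$/ ) {
            push @params, "--$name", $v;
        }
        else {
            warn "dropping non-numeric $name: $v\n";
        }
    }
    return @params;
}

print "vulnerable argv: @{[ build_argv_vulnerable() ]}\n";
print "fixed argv:      @{[ build_argv_fixed() ]}\n";
```

The vulnerable argv carries a second `--output-file` entry taken from the repeated parameter, while the fixed argv carries only `--upper_limit 1`.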
--- Begin Message ---
Source: munin
Source-Version: 2.0.25-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
munin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated munin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 25 Feb 2017 17:20:04 +0100
Source: munin
Binary: munin-node munin-plugins-core munin-plugins-extra munin-plugins-java munin munin-common munin-async munin-doc
Architecture: all source
Version: 2.0.25-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Munin Debian Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 855705
Description:
munin - network-wide graphing framework (grapher/gatherer)
munin-async - network-wide graphing framework (async master/client)
munin-common - network-wide graphing framework (common)
munin-doc - network-wide graphing framework (documentation)
munin-node - network-wide graphing framework (node)
munin-plugins-core - network-wide graphing framework (plugins for node)
munin-plugins-extra - network-wide graphing framework (user contributed plugins for nod
munin-plugins-java - network-wide graphing framework (java plugins for node)
Changes:
munin (2.0.25-1+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix wrong parameter expansion in CGI (CVE-2017-6188)
Fixes local file write vulnerability when CGI graphs are enabled.
Setting multiple upper_limit GET parameters allows overwriting any file
accessible to the user running the CGI script.
Thanks to Tomaž Šolc <[email protected]> (Closes: #855705)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---